Yield-Convex contest - 0x1f8b's results

Fixed-rate borrowing and lending on Ethereum

General Information

Platform: Code4rena

Start Date: 28/01/2022

Pot Size: $30,000 USDC

Total HM: 4

Participants: 22

Period: 3 days

Judge: GalloDaSballo

Total Solo HM: 2

Id: 80

League: ETH

Yield

Findings Distribution

Researcher Performance

Rank: 15/22

Findings: 3

Award: $82.01

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Yield

Findings Information

🌟 Selected for report: throttle

Also found by: 0x1f8b, TomFrenchBlockchain, WatchPug, cccz, defsec, hack3r-0m, hyh, kenzo, leastwood, sirhashalot, ye0lde

Labels

bug

duplicate

2 (Med Risk)

Awards

69.1238 USDC - $69.12

External Links

Link to GitHub issue

Handle

0x1f8b

Vulnerability details

Impact

Unsafe oracle call.

Proof of Concept

The contract Cvx3CrvOracle doesn't check that the data is fress, it call the method latestRoundData, this method allow you to run some extra validations, but these validations were not made.

According to the chain.link documentation:

You can check answeredInRound against the current roundId. If answeredInRound is less than roundId, the answer is being carried over. If answeredInRound is equal to roundId, then the answer is fresh.

So it's required to check something like this:

        (roundId, daiPrice, , updateTime, answeredInRound ) = DAI.latestRoundData();
        require(daiPrice > 0, "Chainlink price <= 0");
        require(updateTime != 0, "Incomplete round");
        require(answeredInRound >= roundId, "Stale price");

Reference:

Tools Used

Manual review.

Recommended Mitigation Steps

Apply the mentioned changes.

#0 - devtooligan
2022-02-01T02:16:05Z

dup of #2

#1 - GalloDaSballo
2022-02-14T23:42:16Z

Duplicate of #136

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Auditors

Browse

Contests

Browse

Get in touch

Contact Twitter

Findings Information

🌟 Selected for report: robee

Also found by: 0x1f8b, Dravee, Funen, IllIllI, defsec, throttle

Labels

bug

duplicate

G (Gas Optimization)

Awards

7.2132 USDC - $7.21

External Links

Link to GitHub issue

Handle

0x1f8b

Vulnerability details

Impact

Gas saving.

Proof of Concept

Without changing too much it's possible to save gas, in the for loops the i variable is increased using i++, it will use less opcodes if use ++i.

Affected places:

ConvexStakingWrapper: 115, 271, 287, 315
ConvexYieldWrapper:63, 80, 111

Tools Used

Manual review.

Recommended Mitigation Steps

Change i++ to ++i

#0 - alcueca
2022-02-02T16:11:04Z

Duplicate of #14

Findings Information

🌟 Selected for report: 0x1f8b

Also found by: Funen, IllIllI, TomFrenchBlockchain, Tomio, WatchPug, defsec, throttle

Labels

bug

G (Gas Optimization)

sponsor disputed

Awards

5.6804 USDC - $5.68

External Links

Link to GitHub issue

Handle

0x1f8b

Vulnerability details

Impact

Gas saving.

Proof of Concept

It's possible to avoid storage access a save gas using immutable keyword for the following variables:

ConvexStakingWrapper:

curveToken
convexToken
convexPool
convexPoolId
collateralVault

ConvexYieldWrapper:

cauldron

Tools Used

Gas saving

Recommended Mitigation Steps

Use immutable.

#0 - devtooligan
2022-02-01T02:25:15Z

Immutable variables cannot be read during contract creation time. Making the suggested variables immutable would lead to https://github.com/code-423n4/2022-01-yield/blob/e946f40239b33812e54fafc700eb2298df1a2579/contracts/ConvexStakingWrapper.sol#L77-L78 to fail.

#1 - GalloDaSballo
2022-02-11T02:44:45Z

While you can't read immutable variables at creation time, you can use the input from the constructor _curveToken instead of the "storage / immutable" curveToken

Inlining the approvals and using the constructor parameters would solve and save the gas.

I don't mind a nofix from the developer, (although believe there's gas to be saved) but I think the finding is valid

#2 - devtooligan
2022-02-11T02:57:17Z

@GalloDaSballo Good point. Let me talk to the team

Yield-Convex contest - 0x1f8b's results

Fixed-rate borrowing and lending on Ethereum

General Information

Findings Distribution

Researcher Performance

External Links

[M-01] Oracle prices could be not fresh - $69.12

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - devtooligan2022-02-01T02:16:05Z

#1 - GalloDaSballo2022-02-14T23:42:16Z

Gas Report - $12.89

Gas Report - $12.89

[G-10] Gas saving using ++i - $7.21

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - alcueca2022-02-02T16:11:04Z

🌟 [G-04] Gas saving using immutable - $5.68

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - devtooligan2022-02-01T02:25:15Z

#1 - GalloDaSballo2022-02-11T02:44:45Z

#2 - devtooligan2022-02-11T02:57:17Z

#0 - devtooligan
2022-02-01T02:16:05Z

#1 - GalloDaSballo
2022-02-14T23:42:16Z

#0 - alcueca
2022-02-02T16:11:04Z

#0 - devtooligan
2022-02-01T02:25:15Z

#1 - GalloDaSballo
2022-02-11T02:44:45Z

#2 - devtooligan
2022-02-11T02:57:17Z