Platform: Code4rena
Start Date: 04/02/2022
Pot Size: $30,000 USDC
Total HM: 3
Participants: 37
Period: 3 days
Judge: leastwood
Id: 84
League: ETH
Rank: 10/37
Findings: 3
Award: $1,264.34
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-02-badger-citadel/blob/84596551d62f243d13fcb2d486346dde08002f7b/contracts/TokenSaleUpgradeable.sol#L96-L131
https://github.com/code-423n4/2022-02-badger-citadel/blob/84596551d62f243d13fcb2d486346dde08002f7b/contracts/TokenSaleUpgradeable.sol#L355-L369
https://github.com/code-423n4/2022-02-badger-citadel/blob/84596551d62f243d13fcb2d486346dde08002f7b/contracts/TokenSaleUpgradeable.sol#L144-L205
The contract is vulnerable to a rogue pool attack.
The owner is not forced to transfer the out tokens at any moment. The contract must have the balance to call finalize, but if the investors buy with the hope of claiming and the owner never sends the out tokens, the owner will be able to take the inTokens without any loss, just by calling sweep.
sweep
without finalize
tokenOut
during initialize
#0 - 0xleastwood
2022-03-14T10:17:14Z
I think this is in-line with other concerns about a potentially malicious owner. To be consistent, I'll mark all such issues as medium severity.
#1 - 0xleastwood
2022-03-14T10:19:41Z
The warden has identified an issue where the owner of the sale refused to finalise. Hence, tokens will never be sent to legitimate buyers and the sale recipient still receives their tokens.
#2 - 0xleastwood
2022-03-14T10:29:59Z
Duplicate of #60
#3 - 0xleastwood
2022-03-14T10:49:01Z
Duplicate of #50
#4 - 0xleastwood
2022-03-16T12:38:31Z
Duplicate of #61
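A minimal sketch of the mitigation direction for the finding above, added here as an example; it is not code from the audited contract or from the warden's report. Purchases are accepted only against tokenOut already escrowed in the contract, and sweep cannot move tokenIn before finalize. The contract name, the fixed-price outPerIn parameter and every function body are assumptions.

```solidity
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical minimal sale for illustration; not the audited TokenSaleUpgradeable.
contract EscrowedSale {
    using SafeERC20 for IERC20;

    address public immutable owner;
    IERC20 public immutable tokenIn;
    IERC20 public immutable tokenOut;
    uint256 public immutable outPerIn; // assumed fixed price: tokenOut units per tokenIn unit
    uint256 public owed;               // tokenOut promised to buyers, not yet claimed
    bool public finalized;
    mapping(address => uint256) public bought;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 tokenIn_, IERC20 tokenOut_, uint256 outPerIn_) {
        owner = msg.sender; tokenIn = tokenIn_; tokenOut = tokenOut_; outPerIn = outPerIn_;
    }

    function buy(uint256 amountIn) external {
        require(!finalized, "sale closed");
        uint256 amountOut = amountIn * outPerIn;
        // Take payment only against tokenOut that is already escrowed here.
        require(tokenOut.balanceOf(address(this)) >= owed + amountOut, "sale not funded");
        owed += amountOut; bought[msg.sender] += amountOut;
        tokenIn.safeTransferFrom(msg.sender, address(this), amountIn);
    }

    function finalize() external onlyOwner {
        finalized = true; // closes buy(); only now do the proceeds leave
        tokenIn.safeTransfer(owner, tokenIn.balanceOf(address(this)));
    }

    function claim() external {
        require(finalized, "not finalized");
        uint256 amount = bought[msg.sender];
        bought[msg.sender] = 0; owed -= amount;
        tokenOut.safeTransfer(msg.sender, amount);
    }

    function sweep(IERC20 token) external onlyOwner {
        // tokenIn is locked until finalize(); tokenOut owed to buyers is never sweepable.
        require(finalized || address(token) != address(tokenIn), "finalize first");
        uint256 locked = address(token) == address(tokenOut) ? owed : 0;
        token.safeTransfer(owner, token.balanceOf(address(this)) - locked);
    }
}
```

If the owner never calls finalize in this sketch, tokenIn stays locked in the contract instead of reaching the owner; a buyer refund path for that case is outside what the example covers.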
123.3709 USDC - $123.37
Code that contains "open todos" indicates that development is not finished and that the code can change later, prior to release, with or without an audit.
Source reference:
The OpenZeppelin imports use local paths, so it is possible that this code has been modified, is obsolete, or contains vulnerabilities. Being out of scope, it could not be audited, but it is without a doubt bad practice not to use the official packages.
Source reference:
There are a lot of methods that allow the owner to modify the rules of the game while the token sale is open, and while the investors have already made the decision to invest or not according to the current rules.
The following functions should only be called BEFORE the output has been started
Source reference:
A possible risk involved with the admin account is that they are in a position to buy all of the sale, because during the initialize method the _saleStart can be set exactly to the current block date (line 107), and it is also possible to call buy on the current block date (line 149).
So we can conclude that it is possible to initialize and buy all of the token sale in the same block.
Source reference: