Platform: Code4rena
Start Date: 04/05/2022
Pot Size: $50,000 DAI
Total HM: 24
Participants: 71
Period: 5 days
Judge: Justin Goro
Total Solo HM: 14
Id: 119
League: ETH
Rank: 20/71
Findings: 3
Award: $387.78
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: cccz
Also found by: 0x52, 0xYamiDancho, GimelSec, IllIllI, PPrieditis, WatchPug, csanuragjain, danb, gzeon, hickuphh3, horsefacts, hyh, kenzo, leastwood, reassor, unforgiven
63.9296 DAI - $63.93
Contract overcharges user
L79 passes through the entire ether balance sent. Since the price decays each block, it is likely that the transaction will not be processed in the same block in which it was submitted. In that case the price at transaction confirmation will be lower (due to decay) than the amount of ether sent.
passThruGate should only take the calculated price and should either return the excess or allow the excess to be claimed using a separate refund function.
#0 - illuzen
2022-05-11T09:18:56Z
duplicate #48
#1 - gititGoro
2022-06-14T02:43:31Z
User funds lost: increasing severity.
🌟 Selected for report: MaratCerby
Also found by: 0x1337, 0x52, 0xYamiDancho, AuditsAreUS, CertoraInc, Dravee, GimelSec, IllIllI, PPrieditis, Ruhum, TrungOre, VAD37, berndartmueller, cccz, csanuragjain, defsec, hickuphh3, horsefacts, hyh, jayjonah8, kenzo, leastwood, mtz, p4st13r4, reassor, throttle, wuwe1, ych18
3.1753 DAI - $3.18
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/PermissionlessBasicPoolFactory.sol#L144
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/PermissionlessBasicPoolFactory.sol#L249-L252
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/PermissionlessBasicPoolFactory.sol#L224-L230
The pool creator is able to specify any asset token, so it is possible to create a pool with reward tokens that charge a fee on transfer.
A portion of the funds becomes permanently stuck in the contract.
When a pool is funded, the total reward distribution is set to the amount transferred. When the token charges a fee on transfer, the tokens actually received will be less than that amount by the fee. This means the contract holds less of the token than it expects, which leads to one of two outcomes. If the reward schedule finishes and there are excess tokens, the following code will fail when trying to transfer the fee-on-transfer token:
This would cause all excess rewards of all token types to be permanently stuck with no way to recover them. In the second case, where all rewards are allocated, the last receipt to withdraw will always fail at the following lines, because there will not be enough of the fee-on-transfer token to complete the transfer (the fee was taken during the transfer into the pool):
This would cause all funds associated with the receipt to be permanently locked in the contract with no way to recover them.
During pool funding, set the reward funding to the actual amount of tokens received from the transfer rather than the specified transfer amount.
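The accounting mistake and the recommended fix, as an added Solidity sketch that is not the FactoryDAO code: the naive version credits the requested amount, the measured version credits the balance delta. The contract, function and storage names (RewardFundingExample, fundPoolNaive, fundPoolMeasured, rewardsRemaining) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed here (standard interface, declared inline).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical pool that tracks how much reward token it can still pay out.
contract RewardFundingExample {
    // reward token => amount the pool believes it holds for distribution
    mapping(address => uint256) public rewardsRemaining;

    /// Vulnerable pattern: trusts the requested amount. With a fee-on-transfer
    /// token the contract receives less than `amount`, so the final payout
    /// (or the excess-reward withdrawal) later reverts for lack of balance.
    function fundPoolNaive(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        rewardsRemaining[token] += amount; // over-credited by the fee
    }

    /// Hardened pattern: credit only what actually arrived, measured as the
    /// change in this contract's balance across the transfer.
    function fundPoolMeasured(address token, uint256 amount) external returns (uint256 received) {
        IERC20 t = IERC20(token);
        uint256 before = t.balanceOf(address(this));
        require(t.transferFrom(msg.sender, address(this), amount), "transfer failed");
        received = t.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        rewardsRemaining[token] += received; // matches the real balance
    }
}
```

Balance-delta accounting is only sound if the funding function cannot be re-entered during the transfer (tokens with transfer hooks can do this), so a reentrancy guard is the usual complement.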
#0 - illuzen
2022-05-11T09:47:56Z
Duplicate #34
🌟 Selected for report: AuditsAreUS
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/PermissionlessBasicPoolFactory.sol#L242-L256
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/PermissionlessBasicPoolFactory.sol#L189-L196
An attacker can DoS withdrawExcessRewards, keeping excess funds locked in the contract until huge gas fees are paid
All receipts must be cashed out before the pool creator can call withdrawExcessRewards() because of the check below:
A new receipt is created for each deposit in the lines below:
This allows an attacker to create many tiny deposits (e.g. 1 wei each). Removing them would cost a large amount of gas, since each withdrawal requires a minimum of 2 token transfers (1 for the underlying and 1 for the minimum rewards), and this cost grows with each additional reward token.
Allow the pool creator to set a minimum deposit size, or update the deposit function to pay out accumulated rewards when an address deposits repeatedly.
#0 - illuzen
2022-05-12T04:39:32Z
Duplicate of #54