Platform: Code4rena
Start Date: 13/05/2022
Pot Size: $30,000 USDC
Total HM: 8
Participants: 65
Period: 3 days
Judge: hickuphh3
Total Solo HM: 1
Id: 125
League: ETH
Rank: 14/65
Findings: 2
Award: $382.41
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: pedroais
Also found by: 0x4non, 0x52, 0xf15ers, 0xliumin, CertoraInc, Dravee, GimelSec, IllIllI, MaratCerby, StErMi, TerrierLover, WatchPug, berndartmueller, cccz, dipp, fatherOfBlocks, hake, hickuphh3, hyh, isamjay, mtz, oyc_109, p4st13r4, peritoflores, rotcivegaf, saian, simon135, sorrynotsorry, sseefried, tabish, z3s
14.8433 USDC - $14.84
ETH transfer fails but transaction doesn't revert trapping user ETH
L142 requires that send is true (i.e. successful ETH transfer) but it is placed after the return statement in L141. This means that sent is never checked because the function will always return beforehand. If transfer fails then transaction will not revert as intended and user funds will be permanently locked in contract
Reverse order of L141 and L142 so sent is checked correctly
#0 - sforman2000
2022-05-18T03:11:53Z
367.5749 USDC - $367.57
Swap slippage of 5% allows malicious parties sandwich attack distributeYield swaps
Swap slippage of 5% allows significant extraction of funds from swaps via sandwich attack. The worst offender of this is the stable-stable swaps which realistically should never have slippage higher than 0.5%.
Slippage should be specified when calling the distributeYield function according to the asset being swapped and the current market conditions. Keep current 5% slippage as a max to prevent malicious behavior, but in a majority of cases 5% is way overkill and will lead to sandwich vulnerability
#0 - sforman2000
2022-05-18T04:17:19Z
We believe that this issue is mitigated by using flashbots and the fact that only admin can call distributeYield.
#1 - HickupHH3
2022-06-03T07:45:08Z
Duplicate of #61 with MEV attack path.