Platform: Code4rena
Start Date: 23/05/2022
Pot Size: $75,000 USDC
Total HM: 23
Participants: 75
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 13
Id: 130
League: ETH
Rank: 15/75
Findings: 4
Award: $848.64
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xf15ers
Also found by: 0x52, Ruhum, WatchPug, berndartmueller, cccz, horsefacts, hyh, minhquanym, pauliax
https://github.com/code-423n4/2022-05-velodrome/blob/7fda97c570b758bbfa7dd6724a336c43d4041740/contracts/contracts/Bribe.sol#L41-L57
https://github.com/code-423n4/2022-05-velodrome/blob/7fda97c570b758bbfa7dd6724a336c43d4041740/contracts/contracts/Gauge.sol#L590-L624
Blocking legitimate bribes and purposely causing high gas fees
notifyRewardAmount allows any user to add any reward token to any gauge. The bribe is limited to 16 reward tokens, so a malicious user can fill all open spots, blocking legitimate projects from using the bribe system unless the team intervenes to swap the reward out. This effectively makes the bribe system permissioned anyway, defeating the point of leaving it open in the first place. Additionally, when a user withdraws from or deposits to a gauge, every single reward token is updated because of the call to _updateRewardForAllTokens. By filling the gauge with spam tokens, the malicious user can cause a lot of unnecessary gas fees for all users.
The easiest solution would be to limit the bribe tokens to a whitelist of either approved tokens or approved bribers. The other option would be to spin off the non-core bribes into a separate reward contract, like Convex does with vlCvxExtraRewardDistribution.sol.
#0 - pooltypes
2022-06-13T15:52:06Z
Duplicate of #182
#1 - GalloDaSballo
2022-06-28T22:37:06Z
Dup of #182
🌟 Selected for report: MiloTruck
Also found by: 0x52, Dravee, IllIllI, MaratCerby, WatchPug, unforgiven
https://github.com/code-423n4/2022-05-velodrome/blob/7fda97c570b758bbfa7dd6724a336c43d4041740/contracts/contracts/Bribe.sol#L50
https://github.com/code-423n4/2022-05-velodrome/blob/7fda97c570b758bbfa7dd6724a336c43d4041740/contracts/contracts/Gauge.sol#L604
https://github.com/code-423n4/2022-05-velodrome/blob/7fda97c570b758bbfa7dd6724a336c43d4041740/contracts/contracts/Gauge.sol#L610
Failed transactions and stuck tokens
Since any arbitrary token is allowed for bribes, if a fee-on-transfer token is used, the amount received could be less than expected when calling transfer.
Read the token balance before and after the transfer and calculate the actual amount received from the difference.
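The following sketch is added here as an example and is not Velodrome's Bribe.sol or Gauge.sol; it shows how the mitigations recommended for the two findings above (a token whitelist bounding the 16-token reward list, and crediting only the balance delta so fee-on-transfer tokens cannot under-deliver) can be combined in one notifyRewardAmount entry point. The contract name, the `team` admin, the `isWhitelisted` mapping and the `rewardAmount` accounting are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Illustrative hardened bribe sketch (assumed names; not the audited contract).
contract HardenedBribeSketch {
    uint256 public constant MAX_REWARD_TOKENS = 16;   // cap cited in the finding
    address public immutable team;                     // assumed: allowlist admin
    mapping(address => bool) public isWhitelisted;    // assumed: approved reward tokens
    mapping(address => bool) public isReward;
    mapping(address => uint256) public rewardAmount;  // assumed: credited per token
    address[] public rewards;

    constructor(address _team) {
        team = _team;
    }

    /// Only the team can approve a token, so spam tokens cannot occupy
    /// reward slots or be swept into a batch distribution.
    function setWhitelist(address token, bool allowed) external {
        require(msg.sender == team, "not team");
        isWhitelisted[token] = allowed;
    }

    function notifyRewardAmount(address token, uint256 amount) external {
        require(isWhitelisted[token], "token not whitelisted");
        require(amount > 0, "zero amount");
        if (!isReward[token]) {
            require(rewards.length < MAX_REWARD_TOKENS, "too many rewards");
            isReward[token] = true;
            rewards.push(token);
        }
        // Credit the balance delta, not the requested amount, so a
        // fee-on-transfer token cannot be credited for more than arrived.
        uint256 before = IERC20(token).balanceOf(address(this));
        // Note: tokens that do not return a bool would need a safe-transfer wrapper.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        rewardAmount[token] += received;
    }

    function rewardsLength() external view returns (uint256) {
        return rewards.length;
    }
}
```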
#0 - pooltypes
2022-06-13T15:54:35Z
Duplicate of #222
#1 - GalloDaSballo
2022-06-28T22:38:47Z
Dup of #222
🌟 Selected for report: unforgiven
Unable to distribute bribes or rewards to an attacked gauge
distribute calls _gauge.deliverBribes, which transfers ALL reward tokens. Since anyone can add a reward token, a user can create a malicious ERC20 token that cannot be transferred by the bribe contract. This would block all rewards from being transferred from the bribe contract, because they are batch transferred.
Make adding bribes a permissioned action.
#0 - pooltypes
2022-06-14T01:49:43Z
Duplicate of #222
#1 - GalloDaSballo
2022-06-28T23:40:47Z
Dup of #138
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x52, 0xNazgul, 0xNineDec, AlleyCat, BouSalman, CertoraInc, Chom, Dravee, Funen, GimelSec, Hawkeye, MaratCerby, Nethermind, Picodes, RoiEvenHaim, SooYa, TerrierLover, WatchPug, _Adam, asutorufos, berndartmueller, c3phas, catchup, cccz, cryptphi, csanuragjain, delfin454000, djxploit, fatherOfBlocks, gzeon, hake, hansfriese, horsefacts, hyh, jayjonah8, minhquanym, oyc_109, p_crypt0, pauliax, robee, rotcivegaf, sach1r0, sashik_eth, simon135, sorrynotsorry, teddav, unforgiven, xiaoming90
101.6421 USDC - $101.64
Significantly higher emissions than intended
Distribution of the team reward uses PRECISION as the denominator, which has a value of 1000.
This means that the team rate of 30 specified in the constructor is not 30 bps as intended but actually 300 bps.
Change PRECISION to 10000 or adjust the team rate to 3.
#0 - GalloDaSballo
2022-06-25T20:47:37Z
@pooltypes it does seem like PRECISION is 1_000 instead of 10_000, meaning that the denomination is not in BPS, can you double check please?
#1 - GalloDaSballo
2022-06-28T22:51:49Z
From reading the docs the emission math is properly documented
Waiting for any feedback by @pooltypes but we can downgrade to QA if 3% is the intended value
#2 - GalloDaSballo
2022-07-01T00:46:52Z
With the information that I have, I think the finding to be valid and of QA Severity (Comment wrong, code consistent with docs)
#3 - GalloDaSballo
2022-07-02T00:45:20Z
Valid Low