Platform: Code4rena
Start Date: 14/04/2022
Pot Size: $75,000 USDC
Total HM: 8
Participants: 72
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 2
Id: 110
League: ETH
Rank: 21/72
Findings: 3
Award: $667.43
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: cccz
Also found by: 0xBug, 0xDjango, CertoraInc, TrungOre, VAD37, berndartmueller, georgypetrov, horsefacts, m9800, pedroais, rayn, reassor, scaraven, wuwe1
431.1404 USDC - $431.14
Detailed description of the impact of this finding.
After depositing into StakedCitadel user would be unable to withdraw their funds. Even though the contract is upgradeable this is a High Risk issue as a error in _withdraw() would cause the funds to be locked into the contract causing the team to go through chaos of timelock / multisig to upgrade the contract + cause reputation damage.
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
In function https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/StakedCitadel.sol#L808 when setting up the user vesting period https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/StakedCitadel.sol#L830 there is no function as setupVesting in https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/StakedCitadelVester.sol#L132
StakedCitadelVester::vest() -> StakedCitadelVester::setupVesting()OR
function vest( address recipient, uint256 _amount, uint256 _unlockBegin ) external;
#0 - GalloDaSballo
2022-04-23T02:05:17Z
YE
#1 - jack-the-pug
2022-05-30T08:49:20Z
Dup #9
184.248 USDC - $184.25
Detailed description of the impact of this finding. whenever there is no discount on funding, user facing function ie. deposit(), getAmountOut() breaks in Funding.sol
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
When funding.discount is zero citadelAmount_ is zero therefore the out amount would be always zero
if (funding.discount > 0) { citadelAmount_ = (citadelAmountWithoutDiscount * MAX_BPS) / (MAX_BPS - funding.discount); } else { citadelAmount_ = citadelAmountWithoutDiscount; }
#0 - GalloDaSballo
2022-04-23T02:05:11Z
Yes
#1 - jack-the-pug
2022-06-05T04:41:09Z
Dup #149
🌟 Selected for report: Dravee
Also found by: 0v3rf10w, 0x1f8b, 0xAsm0d3us, 0xBug, 0xDjango, 0xNazgul, 0xkatana, CertoraInc, Cityscape, Funen, Hawkeye, IllIllI, MaratCerby, SolidityScan, TerrierLover, TomFrenchBlockchain, Tomio, TrungOre, bae11, berndartmueller, csanuragjain, defsec, delfin454000, ellahi, fatherOfBlocks, gs8nrv, gzeon, horsefacts, ilan, jah, joestakey, joshie, kebabsec, kenta, nahnah, oyc_109, rayn, rfa, robee, saian, securerodd, simon135, slywaters, sorrynotsorry, tchkvsky, teryanarmen, z3s
52.043 USDC - $52.04
funding.discount in Funding.sol::getAmount(). Would save ~100 gas. Change -function getAmountOut(uint256 _assetAmountIn) public view returns (uint256 citadelAmount_) { uint256 citadelAmountWithoutDiscount = _assetAmountIn * citadelPriceInAsset; uint256 discount = funding.discount; if (discount != 0) { citadelAmount_ = (citadelAmountWithoutDiscount * MAX_BPS) / (MAX_BPS - discount); } else { citadelAmount_ = citadelAmountWithoutDiscount; } citadelAmount_ = citadelAmount_ / assetDecimalsNormalizationValue; }
uint256 lockingAmount; uint256 stakingAmount; uint256 fundingAmount;