Paladin - Warden Pledges contest - 0xDjango's results

A governance lending protocol transforming users voting power into a new money lego.

General Information

Platform: Code4rena

Start Date: 27/10/2022

Pot Size: $33,500 USDC

Total HM: 8

Participants: 96

Period: 3 days

Judge: kirk-baird

Total Solo HM: 1

Id: 176

League: ETH

Paladin

Researcher Performance

Rank: 13/96

Findings: 2

Award: $494.96

QA:
grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Jeiwan

Also found by: 0xDjango, Aymen0909, Chom, Lambda, Ruhum, Trust

Labels

bug
2 (Med Risk)
satisfactory
duplicate-163

Awards

314.3177 USDC - $314.32

External Links

Lines of code

https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L387

https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L432

Vulnerability details

Impact

The pledge creator must send more rewards than necessary in order to extend their pledge end timestamp or increase the reward per vote. This is because the calculation to determine the amount of rewards to send uses the original pledgeParams.votesDifference set at the time of pledge creation instead of the current balance of the receiver.

Proof of Concept

Take the following example, illustrating the calculation of rewards to send using the original vote difference:

uint256 totalRewardAmount = (pledgeParams.rewardPerVote * pledgeParams.votesDifference * addedDuration) / UNIT;

  • Creator creates pledge (receiver = creator).
  • Current creator balance = 100.
  • targetVotes = 500.
  • Time passes and the creator accumulates more of their own VE tokens. Their un-boosted balance increases to 300.
  • Creator attempts to extend their pledge.
  • The function calculates the amount of rewards to send via the original vote difference (400) instead of the current vote difference (200).
  • The creator must send double the rewards despite not needing to.

Tools Used

Manual review.

Recommended Mitigation Steps

Function calls to extend the pledge or increase the reward per vote must take the current vote difference instead of the original difference set at pledge creation.
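The overpayment from the proof of concept, worked through as an added example (not code from WardenPledge.sol or from the report). Function names, the rewardPerVote value and the one-week extension are assumptions; UNIT is taken as 1e18.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Added illustration of the finding; not code from WardenPledge.sol.
/// Function and parameter names are hypothetical.
contract ExtendCostExample {
    uint256 public constant UNIT = 1e18; // assumed scaling factor

    /// Formula quoted in the finding: prices the extension with the
    /// votesDifference stored when the pledge was created.
    function costWithStoredDifference(
        uint256 rewardPerVote,
        uint256 storedVotesDifference,
        uint256 addedDuration
    ) public pure returns (uint256) {
        return (rewardPerVote * storedVotesDifference * addedDuration) / UNIT;
    }

    /// Recomputes the difference from the receiver's current balance,
    /// flooring at zero once the target is already met.
    function costWithCurrentDifference(
        uint256 rewardPerVote,
        uint256 targetVotes,
        uint256 currentBalance,
        uint256 addedDuration
    ) public pure returns (uint256) {
        uint256 diff = targetVotes > currentBalance ? targetVotes - currentBalance : 0;
        return (rewardPerVote * diff * addedDuration) / UNIT;
    }

    /// Scenario from the proof of concept: target 500, balance 100 at
    /// creation (stored difference 400), balance 300 at extension.
    function scenario()
        external
        pure
        returns (uint256 stored, uint256 current, uint256 excess)
    {
        uint256 rewardPerVote = 1e12;   // constructed sample value
        uint256 addedDuration = 7 days; // constructed sample value
        stored = costWithStoredDifference(rewardPerVote, 400e18, addedDuration);
        current = costWithCurrentDifference(rewardPerVote, 500e18, 300e18, addedDuration);
        excess = stored - current;      // equals `current`: the creator pays double
    }
}
```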

#0 - trust1995

2022-10-30T21:02:38Z

Nice, dup of my report at #234

#1 - Kogaroshi

2022-10-31T00:33:19Z

#2 - c4-judge

2022-11-10T23:07:20Z

kirk-baird marked the issue as satisfactory

#3 - c4-judge

2022-11-10T23:07:25Z

kirk-baird marked the issue as not a duplicate

#4 - c4-judge

2022-11-10T23:07:32Z

kirk-baird marked the issue as duplicate of #163

Lines of code

https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L233-L237

Vulnerability details

Impact

The _pledge() function contains checks ensuring that the endTimestamp is not greater than the pledgeParams.endTimestamp and that endTimestamp is rounded to the week, but it does not check that endTimestamp is larger than some minimum pledge time. Currently, an "attacker" or griefer can pledge a large amount for a small amount of time. They can pledge for a length of time where the receiver may not even have enough time to submit a transaction to take advantage of the boost.

This most likely will not provide a large monetary incentive to the attacker, but the pledge creator's reward funds will be paid out for no reason.

Proof of Concept

  • A malicious actor realizes that the week timestamp is approaching in 10 minutes.
  • They pledge a large amount of points to the pledge creator with the endTimestamp equal to the upcoming week timestamp (10 minutes away).
  • The receiver doesn't feasibly have enough time to act while the boost is active.
  • The malicious actor receives some reward without providing any benefit to the receiver.

Tools Used

Recommended Mitigation Steps

Add a check for MIN_PLEDGE_TIME, a constant equal to a value that makes sense, e.g. 86400 (1 day).
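One way to express the suggested check, as an added example (not the project's code and not the fix that was merged). The contract, error and function names and the `nowTs` parameter are assumptions; only MIN_PLEDGE_TIME and endTimestamp come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Added illustration; not code from WardenPledge.sol.
contract PledgeDurationCheck {
    uint256 public constant WEEK = 7 days;
    // 86400 seconds, the value suggested in the finding
    uint256 public constant MIN_PLEDGE_TIME = 1 days;

    error EndAfterPledgeEnd();
    error NotWeekAligned();
    error DurationTooShort();

    /// Applies the two checks the finding describes as already present,
    /// then the added minimum-duration check. `nowTs` stands in for
    /// block.timestamp so the function stays pure.
    function boostDuration(
        uint256 nowTs,
        uint256 endTimestamp,
        uint256 pledgeEnd
    ) public pure returns (uint256) {
        if (endTimestamp > pledgeEnd) revert EndAfterPledgeEnd();
        if (endTimestamp != (endTimestamp / WEEK) * WEEK) revert NotWeekAligned();
        // Added check: without it, a week boundary 10 minutes (or one
        // second) away passes both checks above.
        if (endTimestamp < nowTs + MIN_PLEDGE_TIME) revert DurationTooShort();
        return endTimestamp - nowTs;
    }

    /// Earliest week-aligned end timestamp that still satisfies the
    /// minimum duration, for callers that want a valid value up front.
    function earliestValidEnd(uint256 nowTs) public pure returns (uint256) {
        uint256 minEnd = nowTs + MIN_PLEDGE_TIME;
        return ((minEnd + WEEK - 1) / WEEK) * WEEK;
    }
}
```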

#0 - trust1995

2022-10-30T21:57:00Z

I assumed the delegated boost which increases creator's balanceOf increases his earnings passively, but maybe I was wrong.

#1 - Kogaroshi

2022-10-31T21:16:30Z

Fixed in PR 2, commit

#2 - kirk-baird

2022-11-11T08:22:46Z

I agree with trust1995 that the rewards are earned passively so the creator does not need to act in these 10 minutes.

However, a minimum timestamp is recommended to prevent front-running other pledgers with one second durations. Since the warden did not describe a valid DoS vector but it is a valid issue I'm going to consider this QA.

#3 - c4-judge

2022-11-11T08:22:52Z

kirk-baird changed the severity to QA (Quality Assurance)

#4 - c4-judge

2022-11-12T00:14:09Z

kirk-baird marked the issue as grade-b

#5 - c4-judge

2022-11-12T00:14:24Z

kirk-baird marked the issue as grade-a
