Platform: Code4rena
Start Date: 31/01/2023
Pot Size: $90,500 USDC
Total HM: 47
Participants: 169
Period: 7 days
Judge: LSDan
Total Solo HM: 9
Id: 211
League: ETH
Rank: 168/169
Findings: 1
Award: $3.57
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xNineDec
Also found by: 0xBeirao, 0xNazgul, 0xRajkumar, Blockian, Breeje, CRYP70, Josiah, KIntern_NA, MyFDsYours, Qeew, RaymondFam, Ruhum, UdarTeam, chaduke, giovannidisiena, gjaldon, immeas, koxuan, nadin, peanuts, rbserver, rvi0x, savi0ur
3.571 USDC - $3.57
https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/Vault.sol#L147
A malicious early user can front-run a future user by sending a large amount directly to the contract without using the deposit function, which causes the future user to mint zero shares even with an amount greater than zero.
1. The first user deposits 1 wei and in return gets 1 wei of shares.
2. The second user deposits 1 ether; the first user then front-runs and sends 1 ether directly to the contract.
3. The second user gets zero shares because the denominator will then be higher than the numerator.
Solidity visual developer
We can use an initial deposit greater than 1000, like Uniswap, because then the first user would have to send an amount greater than 1000*(second user amount), which is impractical.
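The rounding described in the steps above and the effect of the proposed minimum initial deposit, modelled as an added example (not part of the original submission and not the Popcorn `Vault.sol` code). It assumes the usual proportional formula `shares = assets * totalSupply / totalAssets` rounded down; `VaultModel`, `min_first_deposit` and the helper names are hypothetical.

```python
WEI_PER_ETHER = 10**18


class VaultModel:
    """Toy share accounting for the rounding issue; assumed formula, integer math."""

    def __init__(self, min_first_deposit=1):
        self.min_first_deposit = min_first_deposit  # hypothetical mitigation knob
        self.total_assets = 0   # token balance held by the vault
        self.total_supply = 0   # shares in circulation

    def deposit(self, assets):
        if self.total_supply == 0:
            if assets < self.min_first_deposit:
                raise ValueError("first deposit below minimum")
            shares = assets  # 1:1 on the first deposit
        else:
            # Floor division mirrors Solidity's integer division.
            shares = assets * self.total_supply // self.total_assets
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def direct_transfer(self, assets):
        """Tokens sent without deposit(): assets rise, share supply does not."""
        self.total_assets += assets


def second_user_shares(first_deposit, direct_amount, second_deposit, min_first_deposit=1):
    """Shares minted to the second depositor after a direct transfer."""
    vault = VaultModel(min_first_deposit)
    vault.deposit(first_deposit)
    vault.direct_transfer(direct_amount)
    return vault.deposit(second_deposit)


def direct_transfer_needed_for_zero_shares(first_deposit, second_deposit):
    """Smallest direct transfer that makes the second deposit round to 0 shares."""
    # shares == 0  <=>  second_deposit * supply < first_deposit + direct_amount
    return max(0, second_deposit * first_deposit - first_deposit + 1)


if __name__ == "__main__":
    # Scenario from the steps above: 1 wei first deposit, 1 ether sent directly.
    print(second_user_shares(1, WEI_PER_ETHER, WEI_PER_ETHER))
    # Same direct transfer against a 1000-unit minimum first deposit.
    print(second_user_shares(1000, WEI_PER_ETHER, WEI_PER_ETHER, 1000))
```

With a first deposit of 1000, the direct transfer needed to zero out a 1 ether deposit grows to roughly 1000 ether, which is the cost argument behind the recommendation.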
#0 - c4-judge
2023-02-16T03:30:08Z
dmvt marked the issue as duplicate of #15
#1 - c4-sponsor
2023-02-18T11:54:37Z
RedVeil marked the issue as sponsor confirmed
#2 - c4-judge
2023-02-23T00:58:43Z
dmvt marked the issue as partial-25