Platform: Code4rena
Start Date: 13/05/2022
Pot Size: $30,000 USDC
Total HM: 8
Participants: 65
Period: 3 days
Judge: hickuphh3
Total Solo HM: 1
Id: 125
League: ETH
Rank: 27/65
Findings: 3
Award: $86.25
π Selected for report: 0
π Solo Findings: 0
π Selected for report: pedroais
Also found by: 0x4non, 0x52, 0xf15ers, 0xliumin, CertoraInc, Dravee, GimelSec, IllIllI, MaratCerby, StErMi, TerrierLover, WatchPug, berndartmueller, cccz, dipp, fatherOfBlocks, hake, hickuphh3, hyh, isamjay, mtz, oyc_109, p4st13r4, peritoflores, rotcivegaf, saian, simon135, sorrynotsorry, sseefried, tabish, z3s
14.8433 USDC - $14.84
ETH transefer is not checked properly
Function will return successfully even if the transfer of ETH failed
in smart-contracts/LidoVault.sol#L141-L142 the function returns before checking that the ETH is sent properly. This may cause the function successfully returning even if the ETH transfer failed and eventually causes fund loss for the user.
Manual Analysis
Check that the ETH transfer is successful before function returns
// Before return receivedETHAmount; require(sent, Errors.VT_COLLATERAL_WITHDRAW_INVALID); // After require(sent, Errors.VT_COLLATERAL_WITHDRAW_INVALID); return receivedETHAmount;
#0 - sforman2000
2022-05-18T01:32:38Z
Duplicate of https://github.com/code-423n4/2022-05-sturdy-findings/issues/157 (high risk)
π Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0xNazgul, 0xf15ers, 0xkatana, 0xliumin, AlleyCat, BouSalman, Dravee, Funen, GimelSec, Hawkeye, MaratCerby, Picodes, StErMi, TerrierLover, WatchPug, Waze, berndartmueller, bobirichman, cryptphi, csanuragjain, defsec, delfin454000, dipp, fatherOfBlocks, hake, hickuphh3, hyh, joestakey, kebabsec, mics, mtz, oyc_109, p4st13r4, p_crypt0, robee, rotcivegaf, sikorico, simon135, sorrynotsorry, tintin
47.0487 USDC - $47.05
DepositCollateral uses _amount as parameter which may be wrong while depositing etherin smart-contracts/GeneralVault.sol#L88 the event DepositCollateral uses _amount as parameter which may be wrong. For eg. in case of depositing ETH (implementation in smart-contracts/LidoVault.sol#L79-L104) the actual amount is taken from msg.value rather than user provided _amount. This will lead to reporting a false amount in the Events if the user calls the function with different _amount than the amount of ETH provided(i.e. msg.value).
use _stAssetAmount in the event rather than _amount to use correct avount of asset recieved in the function. Also use stAsset instead of _asset to be sure the actual asset deposited is being reported.
emit DepositCollateral(_stAsset, msg.sender, _stAssetAmount);
The event WithdrawCollateral is also called with _amount in smart-contracts/GeneralVault.sol#L127 which is correct for now across all implementations, but its better to change it to _stAssetAmount to make sure it stays correct for future implementations too.
#0 - HickupHH3
2022-06-06T06:42:22Z
low severity
π Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xNazgul, 0xf15ers, 0xkatana, 0xliumin, Cityscape, Dravee, Fitraldys, Funen, GimelSec, Hawkeye, JC, MaratCerby, SooYa, StErMi, Tomio, WatchPug, Waze, bobirichman, defsec, delfin454000, fatherOfBlocks, hake, hansfriese, hickuphh3, ignacio, joestakey, kebabsec, mics, mtz, oyc_109, robee, rotcivegaf, samruna, sikorico, simon135, z3s
24.3601 USDC - $24.36
// Before for (uint256 i = 0; i < _count; i++) { ...... } // After for (uint256 i = 0; i < _count; ++i) { }
assetYields.length can be cached to save gas// Before for (uint256 i = 0; i < assetYields.length; i++) { ... } // After uint len = assetYields.length; for (uint256 i = 0; i < len; ++i) { }