Platform: Code4rena
Start Date: 13/05/2022
Pot Size: $30,000 USDC
Total HM: 8
Participants: 65
Period: 3 days
Judge: hickuphh3
Total Solo HM: 1
Id: 125
League: ETH
Rank: 23/65
Findings: 3
Award: $94.79
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: pedroais
Also found by: 0x4non, 0x52, 0xf15ers, 0xliumin, CertoraInc, Dravee, GimelSec, IllIllI, MaratCerby, StErMi, TerrierLover, WatchPug, berndartmueller, cccz, dipp, fatherOfBlocks, hake, hickuphh3, hyh, isamjay, mtz, oyc_109, p4st13r4, peritoflores, rotcivegaf, saian, simon135, sorrynotsorry, sseefried, tabish, z3s
14.8433 USDC - $14.84
We return before the require in the LidoVault. This means we could fail to send ETH back to the user and keep executing. Marking this as high because a user could inadvertently lose all their deposited funds.
#0 - sforman2000
2022-05-18T03:11:34Z
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0xNazgul, 0xf15ers, 0xkatana, 0xliumin, AlleyCat, BouSalman, Dravee, Funen, GimelSec, Hawkeye, MaratCerby, Picodes, StErMi, TerrierLover, WatchPug, Waze, berndartmueller, bobirichman, cryptphi, csanuragjain, defsec, delfin454000, dipp, fatherOfBlocks, hake, hickuphh3, hyh, joestakey, kebabsec, mics, mtz, oyc_109, p4st13r4, p_crypt0, robee, rotcivegaf, sikorico, simon135, sorrynotsorry, tintin
44.9929 USDC - $44.99
The deposit amount and msg.value aren't necessarily the same, so the amount in the event that's sent might not be representative of the amount that was actually deposited: https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/GeneralVault.sol#L88
#0 - HickupHH3
2022-06-06T04:14:02Z
While I agree, that check is pushed to _depositToYieldPool()'s implementation. I'll leave this as a low-severity, but deduct points for incomplete description and mitigation.
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xNazgul, 0xf15ers, 0xkatana, 0xliumin, Cityscape, Dravee, Fitraldys, Funen, GimelSec, Hawkeye, JC, MaratCerby, SooYa, StErMi, Tomio, WatchPug, Waze, bobirichman, defsec, delfin454000, fatherOfBlocks, hake, hansfriese, hickuphh3, ignacio, joestakey, kebabsec, mics, mtz, oyc_109, robee, rotcivegaf, samruna, sikorico, simon135, z3s
34.9587 USDC - $34.96
Solidity 0.8.x has some gas improvements that make it worth upgrading. This will also enable you to use custom errors, which also save gas.
You could consider making the vault an ERC20 token itself on initialization instead of creating a new contract for that. That way, you don't have to do a bunch of external calls to find out how many decimals it is, or mint them.
This changes if you upgrade to modern solidity and use certain build tools, but != 0 is more gas efficient than > 0 https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/LidoVault.sol#L36
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/LidoVault.sol#L59 You already have the WETH address stored in a vriable, use it here instead of pulling from the addresses provider.
for (uint256 i = 0; i < length - 1; i++) { assetYields[i].asset = assets[i]; assetYields[i].amount = _totalYieldAmount.percentMul( volumes[i].mul(PercentageMath.PERCENTAGE_FACTOR).div(totalVolume) ); extraYieldAmount = extraYieldAmount.sub(assetYields[i].amount); } assetYields[length - 1].amount = extraYieldAmount;
That way, you don't have to do the awkward check for being on the last index.