Platform: Code4rena
Start Date: 15/12/2022
Pot Size: $128,000 USDC
Total HM: 28
Participants: 111
Period: 19 days
Judge: GalloDaSballo
Total Solo HM: 1
Id: 194
League: ETH
Rank: 105/111
Findings: 1
Award: $14.30
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xbepresent
Also found by: 0Kage, Atarpara, Ch_301, Manboy, cozzetti, datapunk, immeas, kaliberpoziomka8552, peritoflores, rvierdiiev, sces60107, unforgiven, wagmi, yixxas
14.2999 USDC - $14.30
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L163 https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L530
As per natspec comment multisig can finish minipool if minipool status is error but due to lack of check multisig able to finish minipool if pool status is withdrawable. This can lead into loss avax and reward avax of owner.
Owner Loss Can Loss RewardAVAX.
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L163 https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L530
Manual Review
Change the requireValidStateTransition according your logic.
#0 - GalloDaSballo
2023-01-10T08:56:23Z
Missing basic explanation, awarding half
#1 - c4-judge
2023-01-10T08:56:35Z
GalloDaSballo marked the issue as duplicate of #581
#2 - c4-judge
2023-01-10T08:56:40Z
GalloDaSballo marked the issue as partial-50
#3 - c4-judge
2023-01-26T18:54:26Z
GalloDaSballo marked the issue as duplicate of #723
#4 - c4-judge
2023-01-29T15:27:50Z
GalloDaSballo marked the issue as partial-25
#5 - GalloDaSballo
2023-01-29T15:27:55Z
After checking the best reports, am downgrading further