Platform: Code4rena
Start Date: 22/09/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 133
Period: 3 days
Judge: 0xean
Total Solo HM: 2
Id: 165
League: ETH
Rank: 22/133
Findings: 2
Award: $156.95
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: __141345__
Also found by: Bahurum, Ch_301, Chom, Respx, Trust, datapunk, ronnyx2017
128.9427 USDC - $128.94
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L177-L178
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L87
https://github.com/corddry/ERC4626/blob/643cd044fac34bcbf64e1c3790a5126fec0dbec1/src/xERC4626.sol#L78-L97
Malicious users will steal the rewards from the vault `sfrxETH.sol`.

On `frxETHMinter.sol`:
`submitPaused == true` for the last three weeks, so no one can `_submit()` ETH, not even the Multisig Treasury Contract to convert rewards.
All these rewards for the past 3 weeks are staked on the Multisig Treasury Contract.

On `sfrxETH.sol`:
`syncRewards()` was invoked three times (as we know, the Multisig Treasury Contract has no `frxETH` to transfer to it).

On `frxETHMinter.sol`:
At the end of the fourth week, `submitPaused` will be `submitPaused == false`.
So now the Multisig Treasury Contract can convert `ETH` to `frxETH`.
At the same time, Alice will `submit()` an amount of `ETH`.

On `sfrxETH.sol`:
When `(block.timestamp > rewardsCycleEnd) == true`, and before `syncRewards()` is invoked by anyone or the bot (or the bot is not working), Alice will `deposit()` or `mint()` all the `frxETH` to `sfrxETH`.
Now, after one day, `syncRewards()` is invoked successfully.
Alice can now `redeem()` or `withdraw()` with a higher exchange rate and steal the reward of the last month, even though she only deposited in the vault yesterday.

In case `submitPaused == true` for a long time:
Only the Multisig Treasury Contract needs to be able to `_submit()`.
Then someone needs to invoke `syncRewards()`.
After that, open `_submit()` for public users.
#0 - FortisFortuna
2022-09-26T17:15:00Z
From @denett: `syncRewards` should be called by us at the beginning of each period, or we need to automatically call it before deposits/withdrawals.
#1 - FortisFortuna
2022-09-26T17:30:00Z
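The timing dependence described in the finding and in the sponsor's reply above can be reproduced with a model of the vault's reward streaming. The Python below is an added example, not code from the Frax repository or from the warden's report: it is a simplified reading of the linked xERC4626 `totalAssets()` and `syncRewards()` logic, and the cycle length, amounts, timestamps and the `late_depositor_gain` helper are constructed for illustration.

```python
CYCLE = 1000  # constructed rewardsCycleLength, in seconds
class Vault:
    """Simplified model of xERC4626 reward streaming (integer math, no fees)."""
    def __init__(self):
        self.balance = self.stored = self.last_reward = 0  # asset balance, storedTotalAssets, lastRewardAmount
        self.last_sync = self.cycle_end = self.supply = 0  # lastSync, rewardsCycleEnd, total shares
        self.shares = {}

    def total_assets(self, now):
        if now >= self.cycle_end:
            return self.stored + self.last_reward
        # Rewards unlock linearly between the last sync and the cycle end.
        return self.stored + self.last_reward * (now - self.last_sync) // (self.cycle_end - self.last_sync)

    def sync_rewards(self, now):
        if now < self.cycle_end:
            raise RuntimeError("SyncError: cycle still running")
        next_rewards = self.balance - self.stored - self.last_reward
        self.stored += self.last_reward
        self.last_reward, self.last_sync = next_rewards, now
        self.cycle_end = (now + CYCLE) // CYCLE * CYCLE  # aligned to a boundary: late sync, short window

    def deposit(self, who, assets, now):
        minted = assets if self.supply == 0 else assets * self.supply // self.total_assets(now)
        self.balance += assets
        self.stored += assets
        self.supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted

    def redeem_all(self, who, now):
        burned = self.shares.pop(who)
        assets = burned * self.total_assets(now) // self.supply
        self.balance -= assets
        self.stored -= assets
        self.supply -= burned
        return assets

def late_depositor_gain(sync_time, deposit_time=1989, exit_time=2000):
    """Gain of a depositor who enters 11 s before the cycle boundary and exits at it."""
    v = Vault()
    v.deposit("staker", 1000, 0)
    v.sync_rewards(0)
    v.balance += 100  # constructed reward sent to the vault during the first cycle
    if sync_time <= deposit_time:
        v.sync_rewards(sync_time)
    v.deposit("alice", 1000, deposit_time)
    if sync_time > deposit_time:
        v.sync_rewards(sync_time)
    return v.redeem_all("alice", exit_time) - 1000
```

With the sync performed at the cycle boundary (`sync_time=1000`) the late depositor gains 0, because the share price already includes the streamed reward when she enters. With the sync delayed to `sync_time=1990` the same deposit takes 50 of the 100 reward units, which is why the sponsor's reply insists on syncing at the beginning of each period.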
🌟 Selected for report: rotcivegaf
Also found by: 0x040, 0x1f8b, 0x4non, 0xNazgul, 0xSmartContract, 0xf15ers, 8olidity, Aymen0909, B2, Bahurum, Bnke0x0, Ch_301, CodingNameKiki, Deivitto, Diana, Funen, IllIllI, JC, JLevick, KIntern_NA, Lambda, OptimismSec, PaludoX0, RockingMiles, Rolezn, Sm4rty, Soosh, Tagir2003, Tointer, TomJ, Triangle, Trust, V_B, Waze, Yiko, __141345__, a12jmx, ajtra, asutorufos, ayeslick, aysha, bbuddha, bharg4v, bobirichman, brgltd, bytera, c3phas, cryptostellar5, cryptphi, csanuragjain, datapunk, delfin454000, durianSausage, exd0tpy, gogo, got_targ, jag, joestakey, karanctf, ladboy233, leosathya, lukris02, mics, millersplanet, natzuu, neko_nyaa, obront, oyc_109, parashar, peritoflores, rbserver, ret2basic, rokinot, ronnyx2017, rvierdiiev, sach1r0, seyni, sikorico, slowmoses, tnevler, yasir, yongskiws
28.0141 USDC - $28.01
Set it to `true` before the deposit

File: /src/frxETHMinter.sol
```solidity
activeValidators[pubKey] = true;
```
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L151

The `deposit()` on ERC4626 checked it at the top of the function

File: /src/frxETHMinter.sol
```solidity
require(sfrxeth_recieved > 0, 'No sfrxETH was returned');
```
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L79