Platform: Code4rena
Start Date: 25/11/2021
Pot Size: $80,000 USDC
Total HM: 35
Participants: 32
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 27
Id: 59
League: ETH
Rank: 24/32
Findings: 3
Award: $413.40
π Selected for report: 1
π Solo Findings: 0
π Selected for report: thank_you
Also found by: 0x0x0x, Koustre, Meta0xNull, WatchPug, cmichel, defsec, harleythedog, hyh, leastwood, pauliax, pmerkleplant, tabish, xYrYuYx
Koustre
Any user or contract that has the buyer role that uses the functions buyMalt and sellMalt will be vulnerable to sandwich attacks from bots that will causes slippage loses to users.
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
amountOutMin in within the router function swapExactTokensForTokens#0 - 0xScotch
2021-12-10T00:17:31Z
#219
#1 - GalloDaSballo
2022-01-25T00:50:11Z
Duplicate of #219
Koustre
uint256 rewardDecimals = rewardToken.decimals(); in function trackPoolReserves is unused.
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
Remove this if it is unnecessary
#0 - 0xScotch
2021-12-08T15:55:09Z
#158
#1 - GalloDaSballo
2022-01-25T00:50:37Z
Duplicate of #158
π Selected for report: Koustre
367.919 USDC - $367.92
Koustre
In UniswapHandler, in the function removeBuyer there is a for loop over an unbounded Buyers array, which if the buyers array gets too large can cause a denial of service and prevents the contract from being able to remove buyer roles from users/contracts. This would allow users/contracts to circumvent recovery mode and to continue to purchase and sell tokens using the contract.
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
#0 - 0xScotch
2021-12-08T11:59:00Z
This will not allow circumventing recovery mode unless a malicious buyer is explicitly added by an admin. The bug doesn't impact funds but does impact protocol availability which by label definitions should be medium not high.
#1 - GalloDaSballo
2022-01-09T23:16:31Z
The finding mentions an unbound loop on removeBuyer, if the array reaches too big of a size you could go over the gas limit for a block and as such any function would revert, that is possible.
However, this is an external function, as such bricking it would have no impact on the rest of the contract.
Additionally, because the protocol uses Uniswap, even if the protocol was bricked, the uniswap pools would still work.
Lastly, in the incredibly unlikely scenario of reaching the gas limit, bricking this function simply means you won't be able to remove Buyers from the protocol. Which would only impact the buyMalt function, which is just a utility function to buy from the Uniswap Pool.
As such the impact of the finding is effectively nil.
I will downgrade to Low Severity because the warden has shown a way to brick a function, but the economic and availability impact is not meaningful in my opinion