Back to Metatron's contests

Yieldy contest - Metatron's results

A protocol for gaining single side yields on various tokens.

General Information

Platform: Code4rena

Start Date: 21/06/2022

Pot Size: $50,000 USDC

Total HM: 31

Participants: 99

Period: 5 days

Judges: moose-code, JasoonS, denhampreen

Total Solo HM: 17

Id: 139

League: ETH

Yieldy

Findings Distribution

Researcher Performance

Rank: 40/99

Findings: 2

Award: $125.58

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryYieldy

Findings Information

🌟 Selected for report: 0xDjango

Also found by: BowTiedWardens, Metatron, cccz, hansfriese, shung, ych18, zzzitron

Labels

bug
duplicate
2 (Med Risk)
resolved
sponsor confirmed

Awards

72.4441 USDC - $72.44

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L78-L81 https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L157-L160

Vulnerability details

https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L78-L81 https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L157-L160

Impact

Inability to set or change curve pool after initialization will hurt the project liquidity and block the ability to instant unstake from curve.

  • Approving the CURVE_POOL address is done only on initialize and only if non zero address supplied.
  • When using setCurvePool the address changes but not approved, therefore instantUnstakeCurve will fail with any parameters.

Proof of Concept

Tools Used

Yarn Hardhat

Add approve to setCurvePool so it will look like this:

    function setCurvePool(address _curvePool) external onlyOwner {
        CURVE_POOL = _curvePool;
        IERC20(TOKE_POOL).approve(CURVE_POOL, type(uint256).max);
        setToAndFromCurve();
    }

#0 - toshiSat

2022-06-27T18:23:47Z

sponsor confirmed

#1 - KenzoAgada

2022-08-26T08:55:52Z

The judging sheet mentions this as duplicate of https://github.com/code-423n4/2022-06-yieldy-findings/issues/222 instead of https://github.com/code-423n4/2022-06-yieldy-findings/issues/165.

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1337, 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xmint, Bnke0x0, BowTiedWardens, Chom, ElKu, FudgyDRS, Funen, GalloDaSballo, GimelSec, JC, Kaiziron, Lambda, Limbooo, Metatron, MiloTruck, Noah3o6, Picodes, PumpkingWok, PwnedNoMore, Sm4rty, StErMi, TomJ, TrungOre, UnusualTurtle, Waze, _Adam, aga7hokakological, ak1, antonttc, berndartmueller, cccz, cryptphi, csanuragjain, defsec, delfin454000, dipp, elprofesor, exd0tpy, fatherOfBlocks, hake, hansfriese, hubble, joestakey, kenta, ladboy233, mics, oyc_109, pashov, pedr02b2, reassor, robee, samruna, scaraven, shung, sikorico, simon135, sseefried, tchkvsky, unforgiven, zzzitron

Awards

53.1414 USDC - $53.14

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

[L-01] Duplicate code block https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L84-L91

Approving twice with the same parameters - redundant and gas consuming.

[N-01] Using V1 token name FOX in comments where is not appropriate https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L138 https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L367

  • Change to yieldy token

#0 - toshiSat

2022-06-27T17:09:48Z

sponsor approved

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter