Platform: Code4rena
Start Date: 30/11/2021
Pot Size: $100,000 USDC
Total HM: 15
Participants: 36
Period: 7 days
Judge: 0xean
Total Solo HM: 4
Id: 62
League: ETH
Rank: 27/36
Findings: 3
Award: $871.45
🌟 Selected for report: 2
🚀 Solo Findings: 0
🌟 Selected for report: toastedsteaksandwich
Also found by: Meta0xNull, Omik, ScopeLift, bitbopper, gzeon, pedroais, wuwe1
Omik
In the stream contract the inherited governance is allowed to call arbitraryCall() function with the intention to claiming any airdrop that may have accrued on behalf of this contract, and protect the deposittoken and rewardtoken balance with a require check on https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L749, however the data is controllable by the inherited governance, which can lead to the governance calling an approval function, and executing for an unlimited approval of the incentives token that will be frontrun, and the attacker would monitor the mempool for a createincentives() function call, and before the createincentives() get executed, the attacker make the first move by make an arbitrary call to execute an unlimited approval for the token that will be use to createincentives, and the other way the attacker could request an unlimited approval for any major token like USDC, USDT, before other user create any incentives.
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L733
#0 - brockelmore
2021-12-06T16:50:13Z
duplicate #107
#1 - 0xean
2022-01-14T21:57:12Z
dupe of #199
362.6168 USDC - $362.62
Omik
In the https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/LockeERC20.sol#L95, is similar with the erc20, however there is a missing address(0) check on transfer() and transferfrom(), this can lead to accidental transfer to address(0), this will be treated as burning token, without reducing the total supply, since the transfer event is emitted.
#0 - brockelmore
2021-12-06T17:22:19Z
Transfers to 0 address are fine.
#1 - 0xean
2022-01-15T01:58:31Z
Marking down to low risk as it will change the total supply and does diverge from best practices as outlined by open zep - https://github.com/OpenZeppelin/openzeppelin-contracts/blob/3eb2d43b0610758c6b85bf4b8ae160db3679c34d/contracts/token/ERC20/ERC20.sol#L233
27.0568 USDC - $27.06
Omik
In the https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L472 the withdraw and stake function there is unnecessary else statement which didnt have any command inside it, this can lead to gas consumption more expensive then using only if statement for isSale check.
pragma solidity ^0.8.0;
contract testing {
uint public counter; function test()public { if(true){ counter += 1; }else{ } }//43582 gas function test2()public { if(true){ counter += 1; } }//26449 gas
}
#0 - brockelmore
2021-12-06T18:55:37Z
Note: your test is wrong because u called test2 after so the sstore cost is different. in reality, this saves 15 gas