Platform: Code4rena
Start Date: 13/05/2022
Pot Size: $30,000 USDC
Total HM: 8
Participants: 65
Period: 3 days
Judge: hickuphh3
Total Solo HM: 1
Id: 125
League: ETH
Rank: 4/65
Findings: 3
Award: $2,950.73
π Selected for report: 1
π Solo Findings: 0
π Selected for report: jonah1005
Also found by: Picodes, WatchPug, berndartmueller, sorrynotsorry
1225.2497 USDC - $1,225.25
When withdrawing collateral, user may occur a loss because of the swapping of the staked asset back to the asset. There is a build-in slippage protection here but the user has no control over it. This could easily lead to loss of user funds if they are not aware of this functionality or would have like to use a lower slippage.
We've recently witness some panic movements of stETH and its depeg on Curve, which would have certainly lead to losses for Sturdy users if the vault was live without slippage protection.
Pass the slippage as a parameter or add an other function to do so.
#0 - sforman2000
2022-05-18T02:28:13Z
Duplicate of https://github.com/code-423n4/2022-05-sturdy-findings/issues/133 (high risk)
1680.7266 USDC - $1,680.73
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/YieldManager.sol#L48 https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/YieldManager.sol#L184
In YieldManager, UNISWAP_FEE is hardcoded, which reduce significantly the possibilities and will lead to non optimal routes. In particular, all swaps using ETH path will use the wrong pool as it will use the ETH / USDC 1% one due to this line.β¨
For example for CRV / USDC, the optimal route is currently CRV -> ETH and ETH -> USDC, and the pool ETH / USDC with 1% fees is tiny compared to the ones with 0.3 or 0.1%. Therefore using the current implementation would create a significant loss of revenue.
Basic mitigation would be to hardcode in advance the best Uniswap paths in a mapping like itβs done for Curve pools, then pass this path already computed to the swapping library. This would allow for complex route and save gas costs as you would avoid computing them in swapExactTokensForTokens.
Then, speaking from experience, as distributeYield is onlyAdmin, you may want to add the possibility to do the swaps through an efficient aggregator like 1Inch or Paraswap, it will be way more optimal.
#0 - HickupHH3
2022-06-03T07:54:01Z
Made #100 the primary issue instead.
π Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0xNazgul, 0xf15ers, 0xkatana, 0xliumin, AlleyCat, BouSalman, Dravee, Funen, GimelSec, Hawkeye, MaratCerby, Picodes, StErMi, TerrierLover, WatchPug, Waze, berndartmueller, bobirichman, cryptphi, csanuragjain, defsec, delfin454000, dipp, fatherOfBlocks, hake, hickuphh3, hyh, joestakey, kebabsec, mics, mtz, oyc_109, p4st13r4, p_crypt0, robee, rotcivegaf, sikorico, simon135, sorrynotsorry, tintin
44.7498 USDC - $44.75
LidoVault.In LidoVault, the slippage when swapping stETH to ETH is 2% whereas in GenericVault it is 1%. This should be unified.
Code: https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/LidoVault.sol#L130 https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/GeneralVault.sol#L125
Incorrect Comment: https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/GeneralVault.sol#L77
#0 - HickupHH3
2022-06-06T03:20:05Z
NC: NC-01 Invalid: syncing slippage. No justification on why it should be synced. Note: not marked as high-severity duplicate of #133 because attack path wasn't mentioned at all.