Platform: Code4rena
Start Date: 26/05/2022
Pot Size: $75,000 USDT
Total HM: 31
Participants: 71
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 18
Id: 126
League: ETH
Rank: 4/71
Findings: 4
Award: $6,347.81
🌟 Selected for report: 3
🚀 Solo Findings: 3
🌟 Selected for report: Picodes
2082.6377 USDT - $2,082.64
https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VoterProxy.sol
For some veAsset project (for example Angle’s gauges, gauge contracts are upgradable, so interfaces and underlying LP tokens are subject to change, blocking and freezing the system. Note that this is not hypothetic as it happened a few weeks ago: see this snapshot vote. Therefore, the system should be robust to a change in the pair gauge / token.
Note that is doable in the current setup for the veToken team to rescue the funds in such case, hence it is only a medium issue.
You’d have to do as follow: a painful shutdown of the Booster (which would lead to an horrible situation where you’d have to preserve backwards compatibility for LPs to save their funds in the new Booster), an operator change in VoterProxy to be able to call execute.
To deal with upgradeable contracts, either the VoterProxy needs to be upgradable to deal with any situation that may arise, either you need to add upgradeable “intermediate” contracts between the staker and the gauge that could be changed to preserve the logic.
#0 - jetbrain10
2022-06-15T15:53:53Z
same as answer #49 for angle Voter Proxy, will make it upgrade able and make all future VoterProxy can be upgrade able as well if veAsset project agrees.
#1 - GalloDaSballo
2022-07-26T01:50:02Z
The warden has shown how, due to integrating with underlying upgradeable contracts, the Sponsors Contracts could get bricked or forced into a shutdown.
I believe the finding to be equivalent to showing how the system could end up being attached to a bad gauge, and the warden has shown historical proof that this has happened and could happen again.
For those reasons, as well as the Sponsor Confirming, I believe the finding to be valid and of Medium Severity
🌟 Selected for report: Picodes
2082.6377 USDT - $2,082.64
https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/VoterProxy.sol#L270 https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/VoterProxy.sol#L140
When calling withdrawAll, to compute the amount to withdraw, the contract checks the balance of gauge tokens and assume that 1 gauge token = 1 LP token by doing uint256 amount = balanceOfPool(_gauge).add(IERC20(_token).balanceOf(address(this)));. Overall this assumption may not hold and this would lead to a loss of funds when calling withdrawAll.
Indeed this is false in some cases, check for example https://etherscan.io/address/0x3785Ce82be62a342052b9E5431e9D3a839cfB581 where the total supply is not the same as the balance of LP tokens held by the contract. You can also check the contract code where you can see there is a staking_factor between the balance and the underlying LP token balance.
Use the total supply of pool.token which is a better proxy to know how much to withdraw when withdrawing all.
#0 - jetbrain10
2022-06-15T15:54:42Z
are you refering we need to calc the staking _factor by ourself?
#1 - GalloDaSballo
2022-07-25T00:59:13Z
@jetbrain10 the warden says that some Deposits will not return the same amount of Lp Tokens.
See this example from the contract linked by the Warden: https://etherscan.io/tx/0xd3eab573697d4fb92ebe4d91d35b03795d384ac45f7a723b321c98f6da2420cb
#2 - GalloDaSballo
2022-07-25T01:00:30Z
I think this means the contracts may break when integrating with Angle Protocol.
AfaI'm aware CRV, Balancer will return a 1-1 between the Deposit Token and the Gauge Token
#3 - GalloDaSballo
2022-07-26T01:52:42Z
The warden has shown evidence of the GaugeLP-Token being "rebased" from the "usual" 1-1 to a ratio (assuming due to cost / increasing in value in underlying).
Because:
Considering that this is contingent on the sponsor launching an integration with the Angle Protocol, using Gauges that "rebase", I believe the finding to be Valid and of Medium Severity
Most likely remediation will require poking the gauge for exchange rates and also checking available tokens after withdrawing
#4 - liveactionllama
2022-10-25T16:37:07Z
Per discussion with @jetbrain10 (sponsor), adding sponsor acknowledged label to this issue.
🌟 Selected for report: Picodes
2082.6377 USDT - $2,082.64
https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/migrations/25_deploy_angle_pools.js#L68 https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/migrations/25_deploy_angle_pools.js#L80
The address of G-Uni tokens in the deployment scripts are not up to date.
For example for agEUR/USDC it is 0xedecb43233549c51cc3268b5de840239787ad56c and not 0x2bD9F7974Bc0E4Cb19B8813F8Be6034F3E772add
For safety why not fetching directly the LP token from the staking contract ?

#0 - GalloDaSballo
2022-07-05T21:29:12Z
Duplicate submission
#1 - Picodes
2022-07-30T09:57:31Z
@GalloDaSballo I don't think this is a duplicate ?
#2 - GalloDaSballo
2022-07-30T16:17:19Z
@Picodes You are correct, I must have closed by mistake (perhaps double tab), also we should no longer close dups as the script handles it for judges.
Will re-judge
#3 - GalloDaSballo
2022-07-30T19:10:27Z
The warden has shown how a configuration file shows that the settings for the project are using an old address.
While the finding pertains to a setup script (generally out of scope), given that:
With the information I have, I believe the finding to be of Medium Severity and believe the sponsor will mitigate by updating to the Warden suggested addresses
#4 - Picodes
2022-08-01T11:24:40Z
@GalloDaSballo thank you ! Is it needed to reopen the issue ?
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xf15ers, BouSalman, Chom, Deivitto, Dravee, ElKu, FSchmoede, Funen, GimelSec, Hawkeye, MiloTruck, Picodes, SecureZeroX, SmartSek, TerrierLover, WatchPug, _Adam, asutorufos, berndartmueller, c3phas, catchup, cccz, cogitoergosumsw, cryptphi, csanuragjain, delfin454000, dipp, ellahi, gzeon, hansfriese, horsefacts, hyh, kirk-baird, minhquanym, oyc_109, pauliax, reassor, robee, sashik_eth, shenwilly, simon135, sorrynotsorry, sseefried, unforgiven, xiaoming90, z3s
99.8938 USDT - $99.89
Here, it should be platform fees
Most functions aren’t commented and comments do not follow the official specs, which could make sense as variable names are explicit, but recall that for non experienced dev, more and more explorers (see https://twitter.com/etherscan/status/1472191164807712768 ) are now supporting NatSpec so it’s worth adding explicit comments.
Reference: https://docs.soliditylang.org/en/v0.8.14/natspec-format.html
setOperator cannot be calledIn Ve3Token, there is a function to update the minter role, but this function cannot be called by VeAssetDepositor. This is to me a low severity issue as it may be intended that once linked to a Depositor the minter role cannot be updated anymore.
https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/token/VeToken.sol#L18 https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/token/VE3Token.sol#L21
#0 - GalloDaSballo
2022-07-08T00:39:05Z
NC
Valid NC
I believe it's done on purpose to allow setup but deny rugging
2NC as always would like to see more