Platform: Code4rena
Start Date: 27/10/2022
Pot Size: $33,500 USDC
Total HM: 8
Participants: 96
Period: 3 days
Judge: kirk-baird
Total Solo HM: 1
Id: 176
League: ETH
Rank: 9/96
Findings: 4
Award: $795.60
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: ladboy233
Also found by: 0x52, 0xDecorativePineapple, 0xhunter, Aymen0909, Bnke0x0, Dravee, JTJabba, Jeiwan, Lambda, Nyx, Picodes, Trust, cccz, cryptonue, csanuragjain, dic0de, hansfriese, horsefacts, imare, minhtrng, pashov, peritoflores, rbserver, rvierdiiev, wagmi, yixxas
9.9073 USDC - $9.91
In recoverERC20, the code is designed to make it look like the owner cannot withdraw pledge rewards from the contract, although it is doable.
To bypass the requirement minAmountRewardToken[token] == 0 the owner can just call removeRewardToken and then call recoverERC20.
Out of clarity for users, either:
#0 - Kogaroshi
2022-10-30T23:50:50Z
Duplicate of #17
#1 - c4-judge
2022-11-10T07:12:01Z
kirk-baird marked the issue as not a duplicate
#2 - c4-judge
2022-11-10T07:12:25Z
kirk-baird marked the issue as duplicate
#3 - c4-judge
2022-11-10T21:22:12Z
kirk-baird marked the issue as satisfactory
#4 - c4-judge
2022-11-10T21:22:16Z
kirk-baird marked the issue as not a duplicate
#5 - c4-judge
2022-11-10T21:22:23Z
kirk-baird marked the issue as duplicate of #17
#6 - c4-judge
2022-12-06T17:32:42Z
Simon-Busch marked the issue as duplicate of #68
754.535 USDC - $754.53
https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L387 https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L432
votingEscrow.balance decreases over time, so votesDifference is not accurate anymore when a pledge is extended or increased. This does not lead to critical errors but may prevent a pledge from reaching its targetVotes.
Pledge.votesDifference is initialized with:
vars.votesDifference = targetVotes - votingEscrow.balanceOf(receiver);
But the votingEscrow.balance decreases over time, so the votesDifference is not accurate when extendPledge or increasePledgeRewardPerVote is called, leading to fewer tokens than necessary to reach targetVotes being transferred.
Do not store votesDifference but fetch it again in extendPledge and increasePledgeRewardPerVote.
#0 - Kogaroshi
2022-10-30T23:52:49Z
Duplicate of #91
#1 - c4-judge
2022-11-10T22:50:26Z
kirk-baird marked the issue as satisfactory
#2 - c4-judge
2022-11-10T22:50:30Z
kirk-baird marked the issue as not a duplicate
#3 - c4-judge
2022-11-10T22:50:46Z
kirk-baird marked the issue as duplicate of #91
#4 - kirk-baird
2022-11-10T22:52:46Z
This bug references voting decay in relation to extendPledge() and increasePledgeRewardPerVote() but also how target votes may not be reached in the usual case.
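Added example (not part of the submission or of the Paladin code base): a Python model of the stale votesDifference described in this finding, comparing what an extension pays with the cached value, with a freshly read value, and with the decay taken into account. It assumes a linearly decaying veToken balance and a cost of rewardPerVote x missing votes x seconds; the slope, lock end, timestamps and amounts are constructed values.

```python
WEEK = 7 * 86400

def ve_balance(slope, lock_end, t):
    """Voting power at time t under an assumed linear decay to zero at lock_end."""
    return slope * max(lock_end - t, 0)

def votes_difference(target_votes, slope, lock_end, t):
    """targetVotes - votingEscrow.balanceOf(receiver), evaluated at time t."""
    return target_votes - ve_balance(slope, lock_end, t)

def budget(reward_per_vote, votes_diff, duration):
    """Assumed pricing: reward per vote-second * missing votes * seconds."""
    return reward_per_vote * votes_diff * duration

def compare_extension(target_votes, slope, lock_end, reward_per_vote,
                      created_at, extended_at, added_duration):
    """Compare what an extension pays under three ways of measuring missing votes.

    Requires the lock to outlive the extension, so the decay stays linear.
    """
    end = extended_at + added_duration
    if lock_end < end:
        raise ValueError("model assumes the lock outlives the extension")
    stored = votes_difference(target_votes, slope, lock_end, created_at)
    fresh = votes_difference(target_votes, slope, lock_end, extended_at)
    at_end = votes_difference(target_votes, slope, lock_end, end)
    return {
        "stored_diff": stored,   # value cached when the pledge was created
        "fresh_diff": fresh,     # value re-read when the pledge is extended
        "stored_budget": budget(reward_per_vote, stored, added_duration),
        "fresh_budget": budget(reward_per_vote, fresh, added_duration),
        # Average of the two endpoints: exact for a linear decay.
        "decay_aware_budget": reward_per_vote * (fresh + at_end) * added_duration // 2,
    }

# Constructed sample values (whole units, no 18-decimal scaling).
SAMPLE = dict(target_votes=500_000_000, slope=10, lock_end=52 * WEEK,
              reward_per_vote=1, created_at=0, extended_at=4 * WEEK,
              added_duration=2 * WEEK)

if __name__ == "__main__":
    for name, value in compare_extension(**SAMPLE).items():
        print(f"{name:>20}: {value:,}")
```

In this model the decay-aware figure is larger than the freshly read one as well, because the balance keeps decaying during the added period.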
🌟 Selected for report: robee
Also found by: 0x007, 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 8olidity, Awesome, B2, Bnke0x0, Chom, Diana, Dravee, JTJabba, Jeiwan, Josiah, Lambda, Mathieu, Picodes, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Ruhum, Sm4rty, Tricko, Trust, Waze, __141345__, a12jmx, adriro, ajtra, brgltd, c3phas, carlitox477, cccz, ch0bu, chaduke, chrisdior4, corerouter, cryptonue, csanuragjain, ctf_sec, cylzxje, delfin454000, dic0de, djxploit, horsefacts, imare, jayphbee, jwood, ktg, ladboy233, leosathya, lukris02, minhtrng, neko_nyaa, oyc_109, pashov, peritoflores, rbserver, rvierdiiev, shark, tnevler, yixxas
19.6449 USDC - $19.64
https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L28
struct Pledge{ -> struct Pledge {
(in BPS) and // bps are the same info. No need to write it twice.
All comments related to events are incorrect (Event emitted when xx)
Example here
minmum -> minimum
tof -> of
ot -> to
Maximum taget of votes to have (own balacne + delegation) for the receiver -> Maximum target of votes to have (own balance + delegation) for the receiver
#0 - c4-judge
2022-11-12T00:22:55Z
kirk-baird marked the issue as grade-b
🌟 Selected for report: c3phas
Also found by: 0x1f8b, 0xNazgul, 0xRoxas, 0xSmartContract, 0xbepresent, Amithuddar, Awesome, B2, Bnke0x0, Dravee, KoKo, Mathieu, Picodes, RaymondFam, RedOneN, ReyAdmirado, RockingMiles, Ruhum, SadBase, SooYa, Waze, __141345__, adriro, ajtra, ballx, carlitox477, ch0bu, cylzxje, djxploit, durianSausage, emrekocak, erictee, gogo, halden, horsefacts, imare, indijanc, karanctf, leosathya, lukris02, neko_nyaa, oyc_109, peiw, sakman, shark, skyle, tnevler
11.5153 USDC - $11.52
Pledge variables could be batched
In Pledge, targetVotes and rewardPerVote could safely be stored in uint128 to batch them and save a SLOAD in _pledge, extendPledge and increasePledgeRewardPerVote. Considering 18-decimal tokens, there is no risk of overflow.
pledgeParams in memory
In _pledge, pledgeParams is loaded in memory but votesDifference is not used, hence is loaded for nothing and a SLOAD could be saved.
#0 - c4-judge
2022-11-12T00:22:28Z
kirk-baird marked the issue as grade-b