Platform: Code4rena
Start Date: 14/09/2022
Pot Size: $50,000 USDC
Total HM: 25
Participants: 110
Period: 5 days
Judge: hickuphh3
Total Solo HM: 9
Id: 162
League: ETH
Rank: 21/110
Findings: 5
Award: $544.98
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: carrotsmuggler
Also found by: 0x52, 0xDecorativePineapple, 0xPanas, Bahurum, Jeiwan, Lambda, PwnPatrol, R2, Respx, auditor0517, durianSausage, hyh, ladboy233, pauliax, scaraven, teawaterwire, zzzitron
36.6124 USDC - $36.61
Errors in price calculation can lead to false positive unpegging.
nowPrice:if (price1 > price2) { nowPrice = (price2 * 10000) / price1; } else { nowPrice = (price1 * 10000) / price2; }
So the nowPrice will be less then 1e4
nowPrice / 1000000
But if priceFeed1.decimals() == 18, nowPrice / 1000000 == 0
So then anyone can trigger unpeg, even if it's not true
Controller.getLatestPrice() you are multiplying price to 10**(18-(priceFeed.decimals())) again
It can lead to error too
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Controller.sol#L299vs code
Use base points instead of strikePrice, e.g. strikeDifferenceBsp = 200 - 2% difference between prices -> unpeg
And fix point 1, 2 and 3 above
It can help you to prevent math errors
#0 - HickupHH3
2022-10-17T10:44:16Z
dup of #195
🌟 Selected for report: csanuragjain
Also found by: Lambda, R2, bin2chen, datapunk, rbserver, unforgiven
300.0094 USDC - $300.01
In Vault.withdraw() you have modifier epochHasEnded(). But it's just checking time, no check if Controller already called triggerDepeg() or triggerEndEpoch()
So anyone can frontrun Controller transactions and withdraw their funds before without losses. For example risker can frontrun trx and withdraw funds in case of triggerDepeg() without funds loss
entitledAmount = // @audit-ok high сначала делим - разве это не приведет к проблемам amount.divWadDown(idFinalTVL[id]).mulDivDown( idClaimTVL[id], 1 ether ) + amount;
So he will save his funds and get amount back
vs code
Add explicit var, tells that epoch already ended by Controller. And only after that allow users to withdraw funds
#0 - 3xHarry
2022-09-22T10:37:30Z
dup #421
#1 - HickupHH3
2022-10-18T06:37:02Z
dup #69
#2 - Ruslan2702
2022-11-16T03:05:50Z
Hi guys! No 'Confirmed' label here, is it ok? @HickupHH3
#3 - HickupHH3
2022-11-16T04:12:06Z
@Ruslan2702 yes it's ok, it's been marked as a dup.
🌟 Selected for report: Lambda
Also found by: Deivitto, R2, Rolezn, csanuragjain
155.5605 USDC - $155.56
You are sending tokens and then mint the same count of tokens But in case of tokens with fee (e.g. USDT) or deflationary tokens, that logic can lead to problems Because you will receive less tokens then sended
vs code
Check token balances diff to check how much tokens you received
#0 - HickupHH3
2022-10-31T14:19:21Z
partial credit because Vault uses WETH only. It however applies to SemiFungibleVault. dup #221
🌟 Selected for report: Respx
Also found by: 0x1f8b, 0xDecorativePineapple, 0xNazgul, 0xPanas, 0xSmartContract, 0xc0ffEE, 0xmuxyz, Aymen0909, Bahurum, Bnke0x0, CodingNameKiki, Deivitto, Jeiwan, Lambda, Picodes, PwnPatrol, R2, RaymondFam, Rolezn, Ruhum, Saintcode_, SooYa, Tointer, V_B, ajtra, ak1, async, auditor0517, brgltd, c3phas, carrotsmuggler, cccz, csanuragjain, datapunk, djxploit, durianSausage, eierina, erictee, gogo, imare, joestakey, jonatascm, kv, ladboy233, leosathya, lukris02, oyc_109, pashov, pauliax, rbserver, robee, rokinot, rvierdiiev, scaraven, simon135, unforgiven, wagmi, zzzitron
36.6223 USDC - $36.62
SemiFungibleVault._asset may be address(0)
Add required check🌟 Selected for report: pfapostol
Also found by: 0x040, 0x1f8b, 0x4non, 0xNazgul, 0xSmartContract, 0xc0ffEE, 0xkatana, Aymen0909, Bnke0x0, Deivitto, Diana, JAGADESH, KIntern_NA, Lambda, MiloTruck, R2, RaymondFam, Respx, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, Ruhum, Saintcode_, Samatak, Sm4rty, SnowMan, Tomio, Tomo, WilliamAmbrozic, _Adam, __141345__, ajtra, ak1, async, c3phas, ch0bu, cryptostellar5, d3e4, delfin454000, dharma09, djxploit, durianSausage, eierina, erictee, fatherOfBlocks, gianganhnguyen, gogo, ignacio, imare, jag, jonatascm, leosathya, lukris02, malinariy, oyc_109, pashov, pauliax, peanuts, peiw, prasantgupta52, robee, rokinot, rotcivegaf, rvierdiiev, seyni, simon135, slowmoses, sryysryy, tnevler, zishansami
16.1756 USDC - $16.18
entitledShares -= feeValue instead of entitledShares = entitledShares - feeValuePegOracle.decimals is unusedoracle1 and priceFeed1 in PegOracle. BecausepriceFeed1 = AggregatorV3Interface(_oracle1)