Platform: Code4rena
Start Date: 27/10/2022
Pot Size: $33,500 USDC
Total HM: 8
Participants: 96
Period: 3 days
Judge: kirk-baird
Total Solo HM: 1
Id: 176
League: ETH
Rank: 68/96
Findings: 1
Award: $19.64
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: robee
Also found by: 0x007, 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 8olidity, Awesome, B2, Bnke0x0, Chom, Diana, Dravee, JTJabba, Jeiwan, Josiah, Lambda, Mathieu, Picodes, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Ruhum, Sm4rty, Tricko, Trust, Waze, __141345__, a12jmx, adriro, ajtra, brgltd, c3phas, carlitox477, cccz, ch0bu, chaduke, chrisdior4, corerouter, cryptonue, csanuragjain, ctf_sec, cylzxje, delfin454000, dic0de, djxploit, horsefacts, imare, jayphbee, jwood, ktg, ladboy233, leosathya, lukris02, minhtrng, neko_nyaa, oyc_109, pashov, peritoflores, rbserver, rvierdiiev, shark, tnevler, yixxas
19.6449 USDC - $19.64
https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L475 https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L508 https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L271
Some features won't work with fee-on-transfer tokens. In particular, the following functions will revert because the transfers will exceed the actual balance of the protocol: retrievePledgeRewards and closePledge. Moreover, the rewards issued by the pledge function will be less than expected because the receiver pays the token fees. In other cases, the pledge function may revert because the protocol's balance is too low.
The issue is classified as high risk because pledgers can lose tokens. Moreover, some features can become unavailable.
It is possible to recover from the DoS state by donating reward tokens to the WardenPledge system. Notice that the receivers of transfers initiated by the protocol still pay the token transfer fees.
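The accounting mismatch behind this finding, as an added example that is not part of the Paladin code base: FeeToken and PledgeVault are hypothetical contracts constructed here, and the mock token omits allowances to stay short. depositNaive credits the requested amount (the pattern the finding describes), while depositChecked credits the measured balance delta, so a later payout cannot exceed what the contract actually holds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal fee-on-transfer token (constructed for this example): 1% of every
// transfer is burned, so the receiver always gets less than `amount`.
contract FeeToken {
    mapping(address => uint256) public balanceOf;
    uint256 public constant FEE_BPS = 100;
    constructor() { balanceOf[msg.sender] = 1_000_000 ether; }
    function transfer(address to, uint256 amount) external returns (bool) {
        return _move(msg.sender, to, amount);
    }
    // No allowance check, to keep the mock short; real tokens enforce one.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        return _move(from, to, amount);
    }
    function _move(address from, address to, uint256 amount) internal returns (bool) {
        uint256 fee = amount * FEE_BPS / 10_000;
        balanceOf[from] -= amount;        // checked math: reverts on insufficient balance
        balanceOf[to] += amount - fee;    // fee is burned, receiver is short-changed
        return true;
    }
}

// Hypothetical vault with the same reward-pledge shape as the finding.
contract PledgeVault {
    mapping(address => uint256) public credited;
    FeeToken public immutable token;
    constructor(FeeToken t) { token = t; }

    // Vulnerable: credits the requested amount, not what actually arrived.
    function depositNaive(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount));
        credited[msg.sender] += amount;
    }

    // Hardened: credit only the measured balance delta.
    function depositChecked(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount));
        credited[msg.sender] += token.balanceOf(address(this)) - before;
    }

    // Pays out what was credited. After depositNaive(100 ether) the vault holds
    // only 99 ether, so the transfer below underflows and reverts; after
    // depositChecked(100 ether) it pays 99 ether (the receiver still pays the
    // outbound fee, as the finding notes).
    function withdraw() external {
        uint256 amount = credited[msg.sender];
        credited[msg.sender] = 0;
        require(token.transfer(msg.sender, amount));
    }
}
```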
#0 - Kogaroshi
2022-10-30T21:49:16Z
The issue with this type of tokens (and with rebasing tokens) is known, and is the reason why the Pledge contract only accepts tokens that are added to a whitelist (with addRewardToken) as valid tokens to be used for rewards, to prevent any issue when transferring reward tokens.
The process to grant the whitelisted status to a token will have to be trusted to the Core team in the beginning, and later on by the Paladin Governance, to make the necessary verifications for each token before adding it to the list.
#1 - Kogaroshi
2022-10-30T22:46:43Z
duplicate of #27
#2 - c4-judge
2022-11-10T07:22:23Z
kirk-baird marked the issue as not a duplicate
#3 - c4-judge
2022-11-10T07:22:39Z
kirk-baird marked the issue as duplicate
#4 - c4-judge
2022-11-10T07:22:45Z
kirk-baird changed the severity to 2 (Med Risk)
#5 - c4-judge
2022-11-10T07:30:05Z
kirk-baird changed the severity to QA (Quality Assurance)
#6 - c4-judge
2022-12-05T22:09:37Z
kirk-baird marked the issue as grade-b