Platform: Code4rena
Start Date: 18/05/2023
Pot Size: $24,500 USDC
Total HM: 3
Participants: 72
Period: 4 days
Judge: LSDan
Id: 237
League: ETH
Rank: 9/72
Findings: 1
Award: $630.46
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 0xRobocop, 0xnacho, HHK, SpicyMeatball, max10afternoon, rbserver
630.4612 USDC - $630.46
https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L166
https://github.com/jbx-protocol/juice-contracts-v3/blob/main/contracts/JBSingleTokenPaymentTerminalStore3_1.sol#L415
https://github.com/jbx-protocol/juice-contracts-v3/blob/main/contracts/abstract/JBPayoutRedemptionPaymentTerminal3_1.sol#L1493
If a user specifies minReturnedTokens in the pay function of the terminal and the BuybackDelegate takes the swap path, the transaction will be reverted due to the failed condition if (beneficiaryTokenCount < _minReturnedTokens) revert INADEQUATE_TOKEN_COUNT(); in the terminal.
In the BuybackDelegate contract, if swapping is the preferred method of acquiring JBX tokens, we return with a weight = 0.
In the payment terminal store we also return early with a tokenCount = 0.
And finally, in the payment terminal we compare beneficiaryTokenCount < _minReturnedTokens, where beneficiaryTokenCount is a variable which is set if tokenCount > 0. In our case tokenCount = 0, therefore beneficiaryTokenCount will also be 0. This will result in a failed transaction every time minReturnedTokens > 0.
Manual review
Perhaps we can add another condition to the check:
if (beneficiaryTokenCount < _minReturnedTokens && _delegateAllocations.length == 0) revert INADEQUATE_TOKEN_COUNT();
This will revert only if the mint path was chosen and we don't use the BuybackDelegate. However, there is a possibility that this solution will conflict with data sources other than BuybackDelegate.
DoS
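The flow described in this finding, as a simplified Python model added here (it is not part of the original submission and not the Juicebox contracts' code). The function names, the default weight of 1000, the amount * weight mint formula and the single delegate allocation returned on the swap path are assumptions made for illustration.

```python
# Simplified model of the payment flow described in this finding.
# All names are hypothetical; this is not the Juicebox contracts' code.

class InadequateTokenCount(Exception):
    """Stands in for the terminal's INADEQUATE_TOKEN_COUNT revert."""


def delegate_pay_params(swap_preferred, default_weight):
    """Data source step: weight 0 plus one delegate allocation on the swap path."""
    if swap_preferred:
        return 0, ["buyback-delegate"]  # assumed: one allocation to the delegate
    return default_weight, []


def store_record_payment(amount, weight):
    """Store step: returns early with tokenCount = 0 when weight is 0."""
    if weight == 0:
        return 0
    return amount * weight  # assumed mint formula, simplified


def terminal_pay(amount, min_returned_tokens, swap_preferred,
                 default_weight=1000, suggested_check=False):
    """Terminal step: the minimum-token check only sees minted tokens."""
    weight, allocations = delegate_pay_params(swap_preferred, default_weight)
    token_count = store_record_payment(amount, weight)
    # beneficiaryTokenCount is only set when tokenCount > 0, otherwise it stays 0
    beneficiary_token_count = token_count if token_count > 0 else 0
    too_few = beneficiary_token_count < min_returned_tokens
    if suggested_check:
        # Condition suggested in the report: only revert without delegate allocations
        too_few = too_few and len(allocations) == 0
    if too_few:
        raise InadequateTokenCount()
    return beneficiary_token_count, allocations


def reverts(**kwargs):
    """True if terminal_pay raises the modelled revert for these arguments."""
    try:
        terminal_pay(**kwargs)
        return False
    except InadequateTokenCount:
        return True
```

With suggested_check=True the model accepts a swap-path payment for any min_returned_tokens, because the terminal no longer enforces the minimum whenever a delegate allocation is present; this is the conflict with other data sources that the report mentions.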
#0 - c4-pre-sort
2023-05-25T12:46:31Z
dmvt marked the issue as duplicate of #36
#1 - c4-judge
2023-06-02T14:23:36Z
dmvt marked the issue as satisfactory