Platform: Code4rena
Start Date: 21/04/2022
Pot Size: $100,000 USDC
Total HM: 18
Participants: 60
Period: 7 days
Judge: gzeon
Total Solo HM: 10
Id: 112
League: ETH
Rank: 16/60
Findings: 2
Award: $907.72
🌟 Selected for report: 0
🚀 Solo Findings: 0
Originally submitted by warden StyxRave in https://github.com/code-423n4/2022-04-backd-findings/issues/153, duplicate of https://github.com/code-423n4/2022-04-backd-findings/issues/49.
#0 - JeeberC4
2022-05-13T19:53:50Z
Manually created required json file
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x52, 0xDjango, 0xkatana, Dravee, Funen, Kenshin, Ruhum, StyxRave, Tadashi, TerrierLover, TrungOre, antonttc, berndartmueller, catchup, csanuragjain, defsec, dipp, fatherOfBlocks, hake, horsefacts, hubble, jayjonah8, joestakey, kebabsec, kenta, m4rio_eth, oyc_109, pauliax, peritoflores, rayn, remora, robee, securerodd, simon135, sorrynotsorry, sseefried, z3s
204.213 USDC - $204.21
Hey, just some comments on things I understand as best practices / potential future proofing when extending this codebase. Didn't really have the time to go deep this round.
Controller.sol setInflationManager, addStakerVault and removePool should probably emit events indicating the changes made, as they are sensitive actions governance can make.
CvxCrvRewardsLocker.sol setTreasury does not check for zero address - uninitialized parameters by human error would end up with burned tokens if followed by any withdraw to treasury.
GasBank.sol withdrawUnused and withdrawFrom allow any action to withdraw from any account. Currently not a problem because only the TopUpAction exists, but there should probably be some kind of mapping between actions and the accounts they can affect / manage.
RoleManager.sol
External functions are protected by the onlyGovernance modifier and call internal _grantRole / _revokeRole. removeGaugeZap should probably follow the same convention (currently not modifier protected, but instead calls public revokeRole, which is)
TopUpAction.sol
TopUpActionLibrary's lockFunds doesn't use the addressProvider pattern existing in the codebase. Nothing ensures that stakerVaultAddress corresponds to token. Not currently dangerous because only TopUpAction::_lockFunds calls this function, appropiately getting the vault address from the addressProvider, but should probably future proof by doing it inside as the other functions in the library.
BkdTriHopCvx.sol decimalMultiplier assumes tokens have <= 18 decimals. Will always be 0 for tokens with more than 18 (which would be still ERC20 compliant).
StrategySwapper.sol _decimalMultiplier assumes tokens have <= 18 decimals. Will always be 0 for tokens with more than 18 (which would be still ERC20 compliant).
InflationManager.sol setMinter does not emit an event whilst changing the allowed minter address (a sensitive, governance protected action).
Cheers!
#0 - chase-manning
2022-04-28T10:16:07Z
I consider this report to be of particularly high quality