Platform: Code4rena
Start Date: 14/09/2022
Pot Size: $50,000 USDC
Total HM: 25
Participants: 110
Period: 5 days
Judge: hickuphh3
Total Solo HM: 9
Id: 162
League: ETH
Rank: 27/110
Findings: 3
Award: $247.73
🌟 Selected for report: 0
🚀 Solo Findings: 0
125.2594 USDC - $125.26
Judge has assessed an item in Issue #149 as High risk. The relevant finding follows:
#0 - HickupHH3
2022-11-05T15:01:59Z
epochHasEnded modifier not working as intended If someone would call withdraw after epoch expires but before triggerEndEpoch call, modifier epochHasEnded would not work as intended and would not revert. Withdraw would revert on beforeWithdraw when it would try to divide by idFinalTVL which is 0. Since it used only in withdraw, there is no risk. Solution: add idFinalTVL check in epochHasEnded modifier https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L96
dup #312, but only functional vuln was mentioned: div by zero in beforeWithdraw.
🌟 Selected for report: hyh
Also found by: 0x4non, 0xNazgul, Haruxe, KIntern_NA, PwnPatrol, Respx, Tointer, joestakey, pauliax, peritoflores, rotcivegaf, scaraven
85.8509 USDC - $85.85
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L215-L218 https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/SemiFungibleVault.sol#L116-L119
Any third-party integration for vault tokens create attack vector that would result in user funds lost
Anyone could call withdraw function and withdraw funds to smart contract address. They would be lost, since smart contract cannot possible have functionality to process this withdraw
User could easily call setApprovalForAll for some contract if they see that it's code is not malicious. They would not be expecting that invoking this function is equal to whitelisting address to withdrawal that could be called by anyone, like we not expecting that someone could send our tokens to Uniswap pool contract after we use it.
receiver should always be msg.sender. Good example is how OpenZeppelin do it: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/7a14f6c5953a1f2228280e6eb1dfee8e5c28d79a/contracts/token/ERC1155/ERC1155.sol#L125
#0 - MiguelBits
2022-10-03T20:11:41Z
#1 - HickupHH3
2022-10-17T03:31:29Z
Full credit given because:
🌟 Selected for report: Respx
Also found by: 0x1f8b, 0xDecorativePineapple, 0xNazgul, 0xPanas, 0xSmartContract, 0xc0ffEE, 0xmuxyz, Aymen0909, Bahurum, Bnke0x0, CodingNameKiki, Deivitto, Jeiwan, Lambda, Picodes, PwnPatrol, R2, RaymondFam, Rolezn, Ruhum, Saintcode_, SooYa, Tointer, V_B, ajtra, ak1, async, auditor0517, brgltd, c3phas, carrotsmuggler, cccz, csanuragjain, datapunk, djxploit, durianSausage, eierina, erictee, gogo, imare, joestakey, jonatascm, kv, ladboy233, leosathya, lukris02, oyc_109, pashov, pauliax, rbserver, robee, rokinot, rvierdiiev, scaraven, simon135, unforgiven, wagmi, zzzitron
36.6223 USDC - $36.62
getNextEpoch could become unusablehttps://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L438-L452 In the long run, this function could become unusable, as it would consume too much gas. This could be fixed with binary search algorithm
epochHasEnded modifier not working as intendedIf someone would call withdraw after epoch expires but before triggerEndEpoch call, modifier epochHasEnded would not work as intended and would not revert. Withdraw would revert on beforeWithdraw when it would try to divide by idFinalTVL which is 0. Since it used only in withdraw, there is no risk.
Solution: add idFinalTVL check in epochHasEnded modifier
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L96
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Controller.sol#L168 this line can be removed, right after it tokens transfered other way
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L244-L252 Here, totalAssets always return number of shares, instead of underlying asset. This renders this functions https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/SemiFungibleVault.sol#L143-L228 useless, as shares would always be equal to assets. eip-4626 deposit and withdraw functions are not used either, since they get overriden in Vault.sol contract. Solution: remove ERC4626 vault functionality alltogether to greatly simplify codebase.
#0 - HickupHH3
2022-11-05T15:05:39Z
eip-4626-like functionality is broken https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L244-L252 Here, totalAssets always return number of shares, instead of underlying asset. This renders this functions https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/SemiFungibleVault.sol#L143-L228 useless, as shares would always be equal to assets. eip-4626 deposit and withdraw functions are not used either, since they get overriden in Vault.sol contract. Solution: remove ERC4626 vault functionality alltogether to greatly simplify codebase.
Issue was close to being upgraded, but is dup of #471 for the first part, and the second part isn't about non compliance to the standard, but about functions being redundant.