Paladin - Warden Pledges contest - Tricko's results

A governance lending protocol transforming users' voting power into a new money lego.

General Information

Platform: Code4rena

Start Date: 27/10/2022

Pot Size: $33,500 USDC

Total HM: 8

Participants: 96

Period: 3 days

Judge: kirk-baird

Total Solo HM: 1

Id: 176

League: ETH

Paladin

Findings Distribution

Researcher Performance

Rank: 73/96

Findings: 1

Award: $19.64

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Missing check for votesDifference

There is no check on votesDifference in https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L325. If the receiver's veCRV balance equals targetVotes, votesDifference is zero and so is the resulting totalRewardAmount; the Pledge is still created, but it is useless, since no rational user will pledge boost to it without receiving rewards.

    vars.votesDifference = targetVotes - votingEscrow.balanceOf(receiver);

    vars.totalRewardAmount = (rewardPerVote * vars.votesDifference * vars.duration) / UNIT;

Please consider checking that vars.votesDifference > 0 and reverting with an appropriate error otherwise.

totalDelegatedAmount and rewardAmount calculated incorrectly

The following expression for calculating totalDelegatedAmount has an extra bias term (https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L259-L265), as opposed to what the BoostV2 contract defines (https://github.com/curvefi/curve-veBoost/blob/db3dec43b6e4fac0fca1f01509f9133563f43ebb/contracts/BoostV2.vy#L191-L206). Therefore totalDelegatedAmount overstates the amount of boost actually delegated over the pledge period, and rewardAmount, which is derived from it, is overstated as well.

    uint256 totalDelegatedAmount = ((bias * boostDuration) + bias) / 2;

Please consider removing the extra bias term, as shown below.

    uint256 totalDelegatedAmount = (bias * boostDuration) / 2;
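A small Python model of both computations flagged in this report, added here as an illustration; it is not code from Paladin's WardenPledge.sol or from Curve's BoostV2.vy. It assumes UNIT is the contract's 1e18 scaling constant and mirrors Solidity uint256 arithmetic (floor division, revert on a subtraction that would go negative). It reproduces the zero-reward pledge from the first finding, with and without the recommended check, and measures the gap between the quoted totalDelegatedAmount formula, the proposed one, and the triangle area that a linearly decaying boost actually delegates. All inputs are constructed.

```python
"""Model of the two WardenPledge reward computations discussed in this report.

Added example: not code from Paladin's WardenPledge.sol or Curve's BoostV2.vy.
Integer arithmetic mirrors Solidity uint256 (floor division; a subtraction that
would go negative reverts). UNIT = 1e18 is assumed to be the contract's
scaling constant.
"""
from fractions import Fraction

UNIT = 10**18          # assumed: the contract's 1e18 scaling constant
WEEK = 7 * 24 * 3600   # a one-week pledge duration, in seconds


def total_reward_without_check(target_votes, receiver_balance, reward_per_vote, duration):
    """createPledge arithmetic as quoted in the report, with no check on votesDifference."""
    if target_votes < receiver_balance:
        raise ValueError("checked uint256 subtraction would revert")
    votes_difference = target_votes - receiver_balance
    return (reward_per_vote * votes_difference * duration) // UNIT


def pledge_reward_budget(target_votes, receiver_balance, reward_per_vote, duration):
    """Same arithmetic plus the check the report recommends.

    Returns (votesDifference, totalRewardAmount); raises where the pledge
    would otherwise be created with nothing to pay out.
    """
    if target_votes < receiver_balance:
        raise ValueError("checked uint256 subtraction would revert")
    votes_difference = target_votes - receiver_balance
    if votes_difference == 0:
        raise ValueError("votesDifference is zero: pledge would carry no rewards")
    total_reward_amount = (reward_per_vote * votes_difference * duration) // UNIT
    return votes_difference, total_reward_amount


def delegated_amount_current(bias, boost_duration):
    """totalDelegatedAmount as quoted from WardenPledge, extra bias term included."""
    return ((bias * boost_duration) + bias) // 2


def delegated_amount_proposed(bias, boost_duration):
    """totalDelegatedAmount as the report proposes."""
    return (bias * boost_duration) // 2


def delegated_amount_exact(bias, boost_duration):
    """Reference value: a boost that starts at `bias` and decays linearly to zero
    over `boost_duration` seconds delegates the triangle area bias*D/2
    vote-seconds. Returned as a Fraction so no rounding hides the difference."""
    return Fraction(bias * boost_duration, 2)


def delegated_amount_per_second_sum(bias, boost_duration):
    """Left-endpoint sum of the decaying boost over whole seconds t = 0..D-1,
    i.e. what a per-second accounting of the boost adds up to."""
    slope = Fraction(bias, boost_duration)
    return sum(bias - slope * t for t in range(boost_duration))


def overstatement(bias, boost_duration):
    """Gap between the current formula and the exact area: (absolute, relative)."""
    exact = delegated_amount_exact(bias, boost_duration)
    gap = delegated_amount_current(bias, boost_duration) - exact
    return gap, gap / exact


if __name__ == "__main__":
    # Constructed inputs: receiver already holds exactly targetVotes of veCRV.
    balance = 1000 * UNIT
    print("totalRewardAmount with no check:",
          total_reward_without_check(balance, balance, 10**12, WEEK))
    try:
        pledge_reward_budget(balance, balance, 10**12, WEEK)
    except ValueError as exc:
        print("with the check:", exc)

    bias = 1000 * UNIT
    gap, rel = overstatement(bias, WEEK)
    print(f"current formula exceeds the exact area by {gap} vote-seconds "
          f"({float(rel):.2e} relative)")
    # Short duration so the per-second sum stays quick.
    print("per-second sum equals the current formula for D=10:",
          delegated_amount_per_second_sum(bias, 10) == delegated_amount_current(bias, 10))
```

For an even bias the current formula exceeds the exact triangle area by exactly bias/2 vote-seconds, a relative overstatement of 1/boostDuration, while the proposed formula matches the area exactly. The per-second sum shows where the extra term comes from: summing a boost of bias - slope*t over the D whole seconds t = 0..D-1 gives bias*(D+1)/2, which is the current expression.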

#0 - c4-judge

2022-11-12T00:52:40Z

kirk-baird marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
