Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $50,000 USDC
Total HM: 31
Participants: 99
Period: 5 days
Judges: moose-code, JasoonS, denhampreen
Total Solo HM: 17
Id: 139
League: ETH
Rank: 30/99
Findings: 4
Award: $311.15
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: unforgiven
Also found by: IllIllI, TrungOre, asutorufos, hake, robee
wrong yieldy token to mint
There are ERC20 tokens that may make certain customizations to their ERC20 contracts. One type of these tokens is deflationary tokens that charge a certain fee for every transfer() or transferFrom().
Manual review
Use the difference between the token balance before and after the transfer.
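The mitigation above as an added example, not code from the audited project: a hypothetical BalanceDiffStaking contract credits the measured balance difference instead of the requested _amount. The contract name, the receipts mapping (standing in for the minted receipt token) and the inline IERC20 interface are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added example: every name below is hypothetical, not the audited project's code.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract BalanceDiffStaking {
    IERC20 public immutable stakingToken;        // may charge a fee on transfer
    mapping(address => uint256) public receipts; // stands in for the minted receipt token
    uint256 public totalReceipts;
    bool private locked;

    constructor(IERC20 _stakingToken) {
        stakingToken = _stakingToken;
    }

    // The balance-difference measurement is only reliable if the token cannot
    // re-enter stake() from a transfer hook, so guard against reentrancy.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function stake(uint256 _amount) external nonReentrant returns (uint256 received) {
        require(_amount > 0, "amount is zero");

        uint256 balanceBefore = stakingToken.balanceOf(address(this));
        require(
            stakingToken.transferFrom(msg.sender, address(this), _amount),
            "transferFrom failed"
        );
        uint256 balanceAfter = stakingToken.balanceOf(address(this));

        // Credit what actually arrived, not what was requested. With a fee-on-transfer
        // token, received < _amount; crediting _amount would over-issue receipts.
        received = balanceAfter - balanceBefore;
        require(received > 0, "nothing received");

        receipts[msg.sender] += received;
        totalReceipts += received;
    }
}
```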
#0 - toshiSat
2022-06-27T21:41:56Z
duplicate #222
🌟 Selected for report: BowTiedWardens
Also found by: PwnedNoMore, TrungOre, hansfriese, hubble, minhquanym, shung
wrong information in rebases[] array
The rebase() function should pass totalStakedBefore (the totalSupply before adding the _profit) to _storeRebase(), but in the code rebase() passes updatedTotalSupply.
Manual review
Modify function rebase() to:

    function rebase(uint256 _profit, uint256 _epoch) external onlyRole(REBASE_ROLE) {
        uint256 currentTotalSupply = _totalSupply;
        require(_totalSupply > 0, "Can't rebase if not circulating");
        if (_profit == 0) {
            emit LogSupply(_epoch, block.timestamp, currentTotalSupply);
            emit LogRebase(_epoch, 0, getIndex());
        } else {
            uint256 updatedTotalSupply = currentTotalSupply + _profit;
            if (updatedTotalSupply > MAX_SUPPLY) {
                updatedTotalSupply = MAX_SUPPLY;
            }
            rebasingCreditsPerToken = rebasingCredits / updatedTotalSupply;
            require(rebasingCreditsPerToken > 0, "Invalid change in supply");

            // Capture the supply before the profit is added, so that
            // _storeRebase() records the pre-rebase total.
            uint oldTotalSupply = _totalSupply;
            _totalSupply = updatedTotalSupply;
            _storeRebase(oldTotalSupply, _profit, _epoch);
        }
    }
#0 - toshiSat
2022-06-27T21:39:42Z
duplicate #221
🌟 Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xmint, Bnke0x0, BowTiedWardens, Chom, ElKu, FudgyDRS, Funen, GalloDaSballo, GimelSec, JC, Kaiziron, Lambda, Limbooo, Metatron, MiloTruck, Noah3o6, Picodes, PumpkingWok, PwnedNoMore, Sm4rty, StErMi, TomJ, TrungOre, UnusualTurtle, Waze, _Adam, aga7hokakological, ak1, antonttc, berndartmueller, cccz, cryptphi, csanuragjain, defsec, delfin454000, dipp, elprofesor, exd0tpy, fatherOfBlocks, hake, hansfriese, hubble, joestakey, kenta, ladboy233, mics, oyc_109, pashov, pedr02b2, reassor, robee, samruna, scaraven, shung, sikorico, simon135, sseefried, tchkvsky, unforgiven, zzzitron
53.1412 USDC - $53.14
tags: c4, 2022-06-yieldy, QA
amount > 0 in mint function
🌟 Selected for report: BowTiedWardens
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 0xmint, 8olidity, ACai, Bnke0x0, Chom, ElKu, Fabble, Fitraldys, FudgyDRS, Funen, GalloDaSballo, GimelSec, IllIllI, JC, Kaiziron, Lambda, Limbooo, MiloTruck, Noah3o6, Nyamcil, Picodes, PwnedNoMore, Randyyy, RedOneN, Sm4rty, StErMi, TomJ, Tomio, TrungOre, UnusualTurtle, Waze, _Adam, aga7hokakological, ajtra, antonttc, asutorufos, bardamu, c3phas, defsec, delfin454000, exd0tpy, fatherOfBlocks, hansfriese, ignacio, joestakey, kenta, ladboy233, m_Rassska, mics, minhquanym, oyc_109, pashov, reassor, robee, s3cunda, sach1r0, saian, sashik_eth, scaraven, sikorico, simon135, slywaters
26.5713 USDC - $26.57
tags: c4, 2022-06-yieldy, Gas
OZ version 0.8 will revert the transaction on overflow/underflow, so the require check is not needed here
CURVE_POOL variable into stack instead of call storage 3 times
_isClaimAvailable(_recipient) because check is already in claim() function