Platform: Code4rena
Start Date: 20/01/2022
Pot Size: $80,000 USDC
Total HM: 5
Participants: 37
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 1
Id: 76
League: ETH
Rank: 12/37
Findings: 1
Award: $1,753.14
Selected for report: 0
Solo Findings: 0
Selected for report: pauliax
Also found by: cccz, sirhashalot
657.4283 USDC - $657.43
cccz
In the deposit function, when want.allowance(address(this), address(lp)) < amount, the contract should call want.safeApprove(address(lp), 0);
Manual analysis
function deposit() external override whenNotPaused {
    ILendingPool lp = getLp();
    // Checking the USDC balance of this contract
    uint256 amount = want.balanceOf(address(this));
    if (amount == 0) revert InvalidConditions();
    // If allowance for this contract is too low, approve the max allowance
    if (want.allowance(address(this), address(lp)) < amount) {
+       want.safeApprove(address(lp), 0);
        want.safeApprove(address(lp), type(uint256).max);
    }
    // Deposits the full balance of USDC held in this contract into Aave's lending pool
    lp.deposit(address(want), amount, address(this), 0);
}
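Added illustration of why the reset matters (example code, not the contest code or the warden's): OpenZeppelin's SafeERC20.safeApprove refuses to move an allowance directly from one non-zero value to another, so once the pool has partially consumed the approval the unfixed deposit reverts until the allowance is cleared. MockToken, MockPool, Strategy, Demo and the 1000-unit approval cap are constructed; the cap stands in for tokens that do not treat type(uint256).max as unlimited, which is what lets the allowance fall below the next deposit amount while staying non-zero.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not contest code. MockToken, MockPool, Strategy and
// Demo are constructed; SafeApprove mirrors the precondition enforced by
// OpenZeppelin's SafeERC20.safeApprove.

interface IERC20 {
    function balanceOf(address owner) external view returns (uint256);
    function allowance(address owner, address spender) external view returns (uint256);
    function approve(address spender, uint256 value) external returns (bool);
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

library SafeApprove {
    // A non-zero allowance may only be set to zero, never straight to
    // another non-zero value (same check as OpenZeppelin SafeERC20).
    function safeApprove(IERC20 token, address spender, uint256 value) internal {
        require(
            value == 0 || token.allowance(address(this), spender) == 0,
            "SafeERC20: approve from non-zero to non-zero allowance"
        );
        require(token.approve(spender, value), "approve failed");
    }
}

// Constructed token: decrements the allowance on every transferFrom and caps
// any approval at 1000 units, so a "max" approval is not effectively infinite.
contract MockToken is IERC20 {
    uint256 public constant MAX_ALLOWANCE = 1000;
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public override allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 value) external override returns (bool) {
        allowance[msg.sender][spender] = value > MAX_ALLOWANCE ? MAX_ALLOWANCE : value;
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external override returns (bool) {
        allowance[from][msg.sender] -= value; // reverts on insufficient allowance
        balanceOf[from] -= value;
        balanceOf[to] += value;
        return true;
    }
}

// Stand-in for the lending pool: pulls the deposit from the caller.
contract MockPool {
    function deposit(IERC20 token, uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
    }
}

contract Strategy {
    using SafeApprove for IERC20;
    IERC20 public immutable want;
    MockPool public immutable lp;

    constructor(IERC20 _want, MockPool _lp) { want = _want; lp = _lp; }

    // resetFirst == false reproduces the pattern in the finding,
    // resetFirst == true applies the suggested fix.
    function deposit(bool resetFirst) external {
        uint256 amount = want.balanceOf(address(this));
        require(amount > 0, "nothing to deposit");
        if (want.allowance(address(this), address(lp)) < amount) {
            if (resetFirst) want.safeApprove(address(lp), 0); // clear before re-approving
            want.safeApprove(address(lp), type(uint256).max);
        }
        lp.deposit(want, amount);
    }
}

contract Demo {
    // Expected result: (true, true). The unfixed path reverts once the
    // allowance is non-zero but below the deposit amount; the fixed path succeeds.
    function run() external returns (bool unfixedReverted, bool fixedSucceeded) {
        MockToken token = new MockToken();
        MockPool pool = new MockPool();
        Strategy s = new Strategy(token, pool);

        // Constructed scenario: first deposit of 600 is approved at the 1000 cap
        // and leaves an allowance of 400; the next deposit of 500 exceeds it.
        token.mint(address(s), 600);
        s.deposit(false);
        token.mint(address(s), 500);

        try s.deposit(false) { unfixedReverted = false; } catch { unfixedReverted = true; }
        try s.deposit(true) { fixedSucceeded = true; } catch { fixedSucceeded = false; }
    }
}
```

Deploy Demo and call run() in any Solidity sandbox; the first try/catch captures the revert from the non-zero-to-non-zero guard, the second shows that clearing the allowance to zero first lets the max re-approval and the deposit go through. Clearing first is also what a USDT-style token requires at the token level, so the reset covers both the library guard and the token guard.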
#0 - Evert0x
2022-02-09T17:11:22Z
1095.7138 USDC - $1,095.71
cccz
Same as https://github.com/code-423n4/2021-11-overlay-findings/issues/79
The SherBuy contract assumes that _sher is sher and _usdc is usdc, the SherClaim contract assumes that _sher is sher, and the Sherlock contract assumes that _sher is sher and _token is usdc, but they do not check it in the constructor. If the input address does not meet the assumptions, this could lead to wrong market liquidity and price calculations.
https://github.com/code-423n4/2022-01-sherlock/blob/main/contracts/SherBuy.sol#L68-L101
https://github.com/code-423n4/2022-01-sherlock/blob/main/contracts/SherClaim.sol#L39-L47
https://github.com/code-423n4/2022-01-sherlock/blob/main/contracts/Sherlock.sol#L77-L118
Manual analysis
Check if the input address matches the assumption
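One way to implement the suggested check, as an added example that is not the project's code: the constructor rejects zero addresses, rejects the same token being passed twice, and compares each token's on-chain symbol (and USDC's 6 decimals) against what the contract expects. SherBuyChecked, IERC20Metadata, the custom errors and the expected symbol constants are constructed names; the canonical token addresses are not on the page, so this example relies on metadata checks, which catch a deployer passing the wrong address but, since a malicious token can return any symbol, are no substitute for pinning or verifying the deployment arguments.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not contest code. SherBuyChecked, IERC20Metadata and
// the expected-metadata constants are constructed for this example.

interface IERC20Metadata {
    function decimals() external view returns (uint8);
    function symbol() external view returns (string memory);
}

contract SherBuyChecked {
    IERC20Metadata public immutable sher;
    IERC20Metadata public immutable usdc;

    // Deployment-time expectations: USDC has 6 decimals; symbols are compared
    // by hash because Solidity has no native string equality.
    uint8 private constant USDC_DECIMALS = 6;
    bytes32 private constant USDC_SYMBOL_HASH = keccak256("USDC");
    bytes32 private constant SHER_SYMBOL_HASH = keccak256("SHER");

    error ZeroAddress(string which);
    error SameToken();
    error UnexpectedToken(string which, string gotSymbol, uint8 gotDecimals);

    constructor(IERC20Metadata _sher, IERC20Metadata _usdc) {
        if (address(_sher) == address(0)) revert ZeroAddress("sher");
        if (address(_usdc) == address(0)) revert ZeroAddress("usdc");
        if (address(_sher) == address(_usdc)) revert SameToken();

        // Each check reverts deployment with the offending value in the error,
        // so a mistaken constructor argument cannot silently produce a live
        // contract whose price and liquidity math runs on the wrong token.
        if (keccak256(bytes(_sher.symbol())) != SHER_SYMBOL_HASH) {
            revert UnexpectedToken("sher", _sher.symbol(), _sher.decimals());
        }
        if (
            keccak256(bytes(_usdc.symbol())) != USDC_SYMBOL_HASH ||
            _usdc.decimals() != USDC_DECIMALS
        ) {
            revert UnexpectedToken("usdc", _usdc.symbol(), _usdc.decimals());
        }

        sher = _sher;
        usdc = _usdc;
    }
}
```

Where the canonical addresses are known at deployment, a direct address comparison (or a deployment script that asserts the arguments) is the stronger check; the metadata comparison above is the fallback that still catches an accidental swap of _sher and _usdc or a paste of an unrelated token.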
#0 - jack-the-pug
2022-03-28T04:40:03Z
Dup #222