Platform: Code4rena
Start Date: 15/06/2022
Pot Size: $30,000 USDC
Total HM: 5
Participants: 55
Period: 3 days
Judge: Jack the Pug
Id: 138
League: ETH
Rank: 13/55
Findings: 2
Award: $286.30
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Picodes
Also found by: 0x1f8b, 0x52, Chom, GimelSec, IllIllI, berndartmueller, cccz, defsec, georgypetrov, hyh, kenzo, minhquanym, oyc_109, scaraven, unforgiven
50.7077 USDC - $50.71
https://github.com/Badger-Finance/vested-aura/blob/main/contracts/MyStrategy.sol#L249
There is no slippage control in _harvest: both Balancer swaps pass limit = 0 (and deadline = type(uint256).max), so any output amount is accepted. This exposes the strategy to sandwich attacks, in which an attacker moves the pool price before the harvest swap and restores it afterwards, pocketing the difference.

    // MyStrategy.sol: limit = 0 means any amountOut is accepted
    uint256 balEthBptEarned = BALANCER_VAULT.swap(singleSwap, fundManagement, 0, type(uint256).max);
    ...
    harvested[0].amount = BALANCER_VAULT.swap(singleSwap, fundManagement, 0, type(uint256).max);
    ...
    // Balancer Vault: the only protection is this check against the caller-supplied limit
    function swap(
        SingleSwap memory singleSwap,
        FundManagement memory funds,
        uint256 limit,
        uint256 deadline
    ) {
        ...
        _require(singleSwap.kind == SwapKind.GIVEN_IN ? amountOut >= limit : amountIn <= limit, Errors.SWAP_LIMIT);
https://github.com/Badger-Finance/vested-aura/blob/main/contracts/MyStrategy.sol#L249 https://github.com/Badger-Finance/vested-aura/blob/main/contracts/MyStrategy.sol#L275
None
Derive a minimum acceptable amountOut from an oracle price (minus a bounded slippage tolerance) and pass it as the limit argument instead of 0, so that a swap executed at a manipulated price reverts.
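To make the impact concrete, the following added example (not code from the report or from the Badger project) models the harvest swap against a toy constant-product pool standing in for the Balancer pool. It runs the swap honestly, sandwiched with limit = 0, and sandwiched with a limit derived from an oracle price, and reports what the strategy receives and what the attacker earns. The pool sizes, the attacker's front-run size, the oracle price of 1 and the 2% tolerance are all constructed values.

```python
"""Sandwich attack on a constant-product swap with and without a limit.

Constructed example: a toy x*y=k pool standing in for the Balancer pool,
not the project's code. Amounts are arbitrary units."""
from fractions import Fraction


class SwapLimit(Exception):
    """Mirrors Balancer's Errors.SWAP_LIMIT revert (amountOut < limit)."""


class Pool:
    """Toy constant-product pool: x is the token the strategy sells, y the one it buys."""

    def __init__(self, x, y):
        self.x = Fraction(x)
        self.y = Fraction(y)

    def swap_x_for_y(self, dx, limit=0):
        """GIVEN_IN swap of dx; reverts unless amountOut >= limit (limit=0 accepts anything)."""
        dx = Fraction(dx)
        dy = self.y - (self.x * self.y) / (self.x + dx)
        if dy < limit:
            raise SwapLimit(f"amountOut {float(dy):.2f} < limit {float(limit):.2f}")
        self.x += dx
        self.y -= dy
        return dy

    def swap_y_for_x(self, dy):
        """GIVEN_IN swap in the other direction (used by the attacker's back-run)."""
        dy = Fraction(dy)
        dx = self.x - (self.x * self.y) / (self.y + dy)
        self.y += dy
        self.x -= dx
        return dx


def oracle_min_out(amount_in, oracle_price, tolerance_bps):
    """Minimum acceptable amountOut: the oracle quote minus a bounded slippage tolerance.
    oracle_price is y per x from a price feed (assumed trustworthy in this example)."""
    return Fraction(amount_in) * Fraction(oracle_price) * (10_000 - tolerance_bps) / 10_000


def simulate_harvest(limit, attacker_in, harvest_in=10_000, reserves=(1_000_000, 1_000_000)):
    """Run the harvest swap, optionally sandwiched by an attacker who front-runs by
    selling attacker_in of x and back-runs by selling the y received.
    Returns harvest_out (None if the swap reverted) and the attacker's profit in x."""
    pool = Pool(*reserves)
    attacker_y = Fraction(0)
    if attacker_in:
        attacker_y = pool.swap_x_for_y(attacker_in)         # front-run: makes y expensive
    try:
        harvest_out = pool.swap_x_for_y(harvest_in, limit)  # the strategy's _harvest swap
    except SwapLimit:
        harvest_out = None                                   # swap reverted, funds stay put
    attacker_profit = Fraction(0)
    if attacker_in:
        attacker_profit = pool.swap_y_for_x(attacker_y) - attacker_in  # back-run
    return {"harvest_out": harvest_out, "attacker_profit": attacker_profit}


if __name__ == "__main__":
    honest = simulate_harvest(limit=0, attacker_in=0)
    sandwiched = simulate_harvest(limit=0, attacker_in=500_000)
    guarded = simulate_harvest(limit=oracle_min_out(10_000, 1, 200), attacker_in=500_000)
    print(f"honest harvest out:      {float(honest['harvest_out']):.2f}")
    print(f"sandwiched, limit = 0:   {float(sandwiched['harvest_out']):.2f}, "
          f"attacker profit {float(sandwiched['attacker_profit']):.2f}")
    print(f"sandwiched, oracle limit: reverted={guarded['harvest_out'] is None}, "
          f"attacker profit {float(guarded['attacker_profit']):.2f}")
```

With limit = 0 the sandwiched harvest receives less than half of the honest output and the attacker keeps the difference; with the oracle-derived limit the harvest swap reverts and the attacker's back-run only returns their own capital. The tolerance has to cover legitimate price movement between the oracle update and the swap, or honest harvests start reverting too.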
#0 - GalloDaSballo
2022-06-17T14:54:20Z
Dup of #5
🌟 Selected for report: scaraven
Also found by: GimelSec, berndartmueller, cccz, dipp, kenzo, kirk-baird, unforgiven
235.5937 USDC - $235.59
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L428-L431
The _sendBadgerToTree function transfers BADGER to BADGER_TREE and then calls _processExtraToken with the same amount, and _processExtraToken transfers that amount of BADGER to the vault a second time.

    function _processExtraToken(address _token, uint256 _amount) internal {
        require(_token != want, "Not want, use _reportToVault");
        require(_token != address(0), "Address 0");
        require(_amount != 0, "Amount 0");
        // second transfer of the same amount, after it was already sent to BADGER_TREE
        IERC20Upgradeable(_token).safeTransfer(vault, _amount);
        IVault(vault).reportAdditionalToken(_token);
    }

In sweepRewardToken the call reverts, because the amount passed is the strategy's entire BADGER balance and nothing is left for the second transfer. In claimBribesFromHiddenHand the BADGER is sent twice, once to BADGER_TREE and once to the vault.
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L428-L431
None
    function _sendBadgerToTree(uint256 amount) internal {
        IERC20Upgradeable(BADGER).safeTransfer(BADGER_TREE, amount);
-       _processExtraToken(address(BADGER), amount);
    }
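The two call paths described above can be traced with a small ledger model. This is an added example, not code from the report or from the Badger project: a token ledger whose transfer reverts on a shortfall the way safeTransfer does, the reported _sendBadgerToTree beside the fixed one, and the two callers. The assumption that the strategy already holds some BADGER when claimBribesFromHiddenHand runs (which is what lets the second transfer succeed) is a constructed one.

```python
"""Ledger model of _sendBadgerToTree: double transfer vs. fixed version.

Constructed example, not the project's code. Balances are plain integers and
transfer() reverts on a shortfall the way SafeERC20.safeTransfer does."""


class Revert(Exception):
    """Stands in for an EVM revert (ERC20: transfer amount exceeds balance)."""


class Token:
    def __init__(self, balances=None):
        self.balances = dict(balances or {})

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise Revert(f"{sender}: balance {self.balance_of(sender)} < {amount}")
        self.balances[sender] = self.balance_of(sender) - amount
        self.balances[to] = self.balance_of(to) + amount


STRATEGY, TREE, VAULT = "strategy", "badger_tree", "vault"


def process_extra_token(token, amount):
    """Mirrors _processExtraToken: forwards the amount from the strategy to the vault."""
    token.transfer(STRATEGY, VAULT, amount)


def send_badger_to_tree_buggy(token, amount):
    """The reported behaviour: pays the tree, then pays the vault the same amount again."""
    token.transfer(STRATEGY, TREE, amount)
    process_extra_token(token, amount)


def send_badger_to_tree_fixed(token, amount):
    """Recommended mitigation: the tree is the only recipient."""
    token.transfer(STRATEGY, TREE, amount)


def sweep_reward_token(impl, strategy_balance):
    """Models sweepRewardToken: the amount is the strategy's whole BADGER balance.
    Returns the final balances, or the revert reason."""
    token = Token({STRATEGY: strategy_balance})
    try:
        impl(token, token.balance_of(STRATEGY))
    except Revert as e:
        return {"reverted": str(e)}
    return dict(token.balances)


def claim_bribes(impl, bribe_amount, leftover):
    """Models claimBribesFromHiddenHand: the claimed bribe is forwarded via _sendBadgerToTree.
    `leftover` is BADGER the strategy already held (assumption: it funds the second transfer)."""
    token = Token({STRATEGY: leftover})
    token.balances[STRATEGY] += bribe_amount  # the claim credits the strategy
    try:
        impl(token, bribe_amount)
    except Revert as e:
        return {"reverted": str(e)}
    return dict(token.balances)


if __name__ == "__main__":
    print("sweep, buggy:", sweep_reward_token(send_badger_to_tree_buggy, 1_000))
    print("sweep, fixed:", sweep_reward_token(send_badger_to_tree_fixed, 1_000))
    print("claim, buggy:", claim_bribes(send_badger_to_tree_buggy, 500, 500))
    print("claim, fixed:", claim_bribes(send_badger_to_tree_fixed, 500, 500))
```

The sweep path reverts because the first transfer empties the strategy; the claim path succeeds only when other BADGER covers the second transfer, and then the vault receives rewards that were meant for the tree, which is the worse of the two outcomes because it goes unnoticed.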
#0 - GalloDaSballo
2022-06-17T14:49:42Z
Agree with the developer oversight