Platform: Code4rena
Start Date: 28/06/2022
Pot Size: $25,000 USDC
Total HM: 14
Participants: 50
Period: 4 days
Judge: GalloDaSballo
Total Solo HM: 7
Id: 141
League: ETH
Rank: 9/50
Findings: 3
Award: $1,190.06
🌟 Selected for report: 1
🚀 Solo Findings: 0
1074.0464 USDC - $1,074.05
In the sweepInterest function of the AccountantDelegate contract, the amount of cNote sent to the treasury should be cNoteToSweep instead of amtToSweep. Since amtToSweep will normally be smaller than cNoteToSweep, the interest will be locked in the contract.
uint amtToSweep = sub_(cNoteAmt, noteDiff); // amount to sweep in Note,
uint cNoteToSweep = div_(amtToSweep, exRate); // amount of cNote to sweep = amtToSweep(Note) / exRate
cNoteToSweep = (cNoteToSweep > cNoteBal) ? cNoteBal : cNoteToSweep;
bool success = cnote.transfer(treasury, amtToSweep);
if (!success) {
    revert SweepError(treasury , amtToSweep); //handles if transfer of tokens is not successful
}
TreasuryInterface Treas = TreasuryInterface(treasury);
Treas.redeem(address(cnote),amtToSweep);
Tools Used: None
uint amtToSweep = sub_(cNoteAmt, noteDiff); // amount to sweep in Note, uint cNoteToSweep = div_(amtToSweep, exRate); // amount of cNote to sweep = amtToSweep(Note) / exRate cNoteToSweep = (cNoteToSweep > cNoteBal) ? cNoteBal : cNoteToSweep; - bool success = cnote.transfer(treasury, amtToSweep); + bool success = cnote.transfer(treasury, cNoteToSweep); if (!success) { - revert SweepError(treasury , amtToSweep); //handles if transfer of tokens is not successful + revert SweepError(treasury , cNoteToSweep); //handles if transfer of tokens is not successful } TreasuryInterface Treas = TreasuryInterface(treasury); - Treas.redeem(address(cnote),amtToSweep); + Treas.redeem(address(cnote),cNoteToSweep);
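Review bot: The three substitutions in this hunk (the transfer amount, the SweepError argument and the Treas.redeem amount) consistently switch to cNoteToSweep, which is the value capped against cNoteBal just above them, so the transfer can no longer exceed the contract's cNote balance. One point to confirm before merging: the original passed the Note-denominated amtToSweep to `Treas.redeem(address(cnote),amtToSweep);`, so the treasury's redeem path should be checked to take a cNote amount; if it expects Note, that last line needs the Note-denominated value rather than cNoteToSweep. Since cNoteToSweep may have been clamped to cNoteBal, consider also emitting the amount actually swept so a shortfall against the computed interest is observable on-chain.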
#0 - GalloDaSballo
2022-08-16T17:24:18Z
The warden has shown that the wrong variable is being used as the transferAmount.
Because cNoteToSweep << amtToSweep there will be many instances in which the function will revert.
Because the finding shows incorrect functionality, which can leave the tokens stuck indefinitely, I agree with High Severity
70.4682 USDC - $70.47
In the BaseV1Router01 contract, the ensure modifier has its original require commented out, so the modifier no longer guarantees deadline >= block.timestamp.
modifier ensure(uint deadline) {
    //require(deadline >= block.timestamp, "BaseV1Router: EXPIRED");
    _;
}
Tools Used: None
modifier ensure(uint deadline) {
    require(deadline >= block.timestamp, "BaseV1Router: EXPIRED");
    _;
}
#0 - GalloDaSballo
2022-08-14T23:17:19Z
Dup of #90
🌟 Selected for report: zzzitron
Also found by: 0v3rf10w, 0x1f8b, 0x29A, AlleyCat, Bnke0x0, Chom, Funen, JC, Lambda, Limbooo, Meera, Picodes, Sm4rty, TerrierLover, TomJ, __141345__, asutorufos, aysha, c3phas, cccz, defsec, fatherOfBlocks, grGred, hake, ignacio, ladboy233, mrpathfindr, oyc_109, rfa, sach1r0, samruna, slywaters, ynnad
45.5417 USDC - $45.54
In the WETH contract, the withdraw function sends native tokens with payable.transfer. This is unsafe because transfer forwards a hard-coded gas stipend and can fail when the user is a smart contract.
Whenever the user either fails to implement a payable fallback function, or the cumulative gas cost of the function sequence invoked on a native token transfer exceeds the 2300 gas limit, the native tokens sent end up undelivered and the corresponding funds-return functionality will fail every time.
Tools Used: None
Using a low-level call.value(amount) with the corresponding result check, or OpenZeppelin's Address.sendValue, is advised: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/Address.sol#L60
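As an added illustration (not code from the audited WETH contract or from this report), a hypothetical minimal wrapper showing the payable.transfer form beside the low-level call form with a result check; GasHungryReceiver is a constructed caller whose receive() needs more than the 2300-gas stipend.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal WETH-style wrapper, added to illustrate the finding.
// It is not the audited contract's code.
contract WrappedNativeExample {
    mapping(address => uint256) public balanceOf;

    event Withdrawal(address indexed src, uint256 wad);

    receive() external payable {
        balanceOf[msg.sender] += msg.value;
    }

    // Vulnerable form: transfer() forwards a fixed 2300 gas stipend. A caller
    // whose receive()/fallback needs more gas than that (or has none at all)
    // cannot withdraw: every call reverts and the funds stay in this contract.
    function withdrawWithTransfer(uint256 wad) external {
        require(balanceOf[msg.sender] >= wad, "insufficient balance");
        balanceOf[msg.sender] -= wad;
        payable(msg.sender).transfer(wad);
        emit Withdrawal(msg.sender, wad);
    }

    // Hardened form: a low-level call forwards all remaining gas and returns a
    // success flag that is checked explicitly (the same effect as OpenZeppelin's
    // Address.sendValue). The balance is debited before the external call
    // (checks-effects-interactions) so a reentrant call cannot withdraw twice.
    function withdrawWithCall(uint256 wad) external {
        require(balanceOf[msg.sender] >= wad, "insufficient balance");
        balanceOf[msg.sender] -= wad;
        (bool ok, ) = payable(msg.sender).call{value: wad}("");
        require(ok, "native transfer failed");
        emit Withdrawal(msg.sender, wad);
    }
}

// Constructed caller whose receive() writes storage, which alone costs more
// than the 2300-gas stipend. withdrawWithTransfer reverts for this caller;
// withdrawWithCall succeeds.
contract GasHungryReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value; // SSTORE: exceeds the 2300-gas stipend
    }
}
```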
#0 - GalloDaSballo
2022-08-14T23:18:03Z
Downgrading to Low for lack of a reasonable revert example