Platform: Code4rena
Start Date: 27/10/2022
Pot Size: $33,500 USDC
Total HM: 8
Participants: 96
Period: 3 days
Judge: kirk-baird
Total Solo HM: 1
Id: 176
League: ETH
Rank: 2/96
Findings: 4
Award: $5,659.22
🌟 Selected for report: 1
🚀 Solo Findings: 1
🌟 Selected for report: cccz
5382.1424 USDC - $5,382.14
In the _pledge function, require delegationBoost.adjusted_balance_of(pledgeParams.receiver) + amount <= pledgeParams.targetVotes. In reality, when the user pledges amount votes, the actual votes received by the receiver are the bias in the following calculation. And the bias will be less than amount due to the loss of precision.
uint256 slope = amount / boostDuration; uint256 bias = slope * boostDuration;
This means that the balance of receiver may not reach targetVotes
point = self._checkpoint_read(_user, False) amount += (point.bias - point.slope * (block.timestamp - point.ts)) return amount
https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L245-L246 https://github.com/curvefi/curve-veBoost/blob/master/contracts/BoostV2.vy#L192-L209 https://github.com/curvefi/curve-veBoost/blob/master/contracts/BoostV2.vy#L175
None
Use bias instead of amount in the check below
uint256 slope = amount / boostDuration; uint256 bias = slope * boostDuration; if(delegationBoost.adjusted_balance_of(pledgeParams.receiver) + bias > pledgeParams.targetVotes) revert Errors.TargetVotesOverflow(); delegationBoost.boost( pledgeParams.receiver, amount, endTimestamp, user );
#0 - Kogaroshi
2022-10-30T23:12:26Z
The current check is made that way to prevent any unnecessary call to the BoostV2 contract (and save gas by not creating the Boost) in the case of a targetVotes overflow.
#1 - c4-judge
2022-11-11T07:59:37Z
kirk-baird marked the issue as satisfactory
#2 - trust1995
2022-11-17T15:46:08Z
I believe there is no actual M level issue here, the worst case scenario is an inconvenience so that user has to pass bias (i.e. rounded amount) instead of amount (I presume this will already occur in the front end). No risk of funds or malfunctioning of the protocol shown.
🌟 Selected for report: ladboy233
Also found by: 0x52, 0xDecorativePineapple, 0xhunter, Aymen0909, Bnke0x0, Dravee, JTJabba, Jeiwan, Lambda, Nyx, Picodes, Trust, cccz, cryptonue, csanuragjain, dic0de, hansfriese, horsefacts, imare, minhtrng, pashov, peritoflores, rbserver, rvierdiiev, wagmi, yixxas
9.9073 USDC - $9.91
In the recoverERC20 function, when minAmountRewardToken[token] ! = 0, the token cannot be withdrawn by the owner. However, the owner can call the removeRewardToken function to make minAmountRewardToken[token] == 0 and then call the recoverERC20 function to rug that reward token.
https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L653-L661 https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L585-L592
None
Consider removing the recoverERC20 function
#0 - Kogaroshi
2022-10-30T23:16:43Z
Duplicate of #17
#1 - c4-judge
2022-11-10T07:44:35Z
kirk-baird marked the issue as not a duplicate
#2 - c4-judge
2022-11-10T07:44:42Z
kirk-baird marked the issue as duplicate
#3 - c4-judge
2022-11-10T21:25:07Z
kirk-baird marked the issue as satisfactory
#4 - c4-judge
2022-11-10T21:25:12Z
kirk-baird marked the issue as not a duplicate
#5 - c4-judge
2022-11-10T21:25:20Z
kirk-baird marked the issue as duplicate of #17
#6 - c4-judge
2022-12-06T17:32:42Z
Simon-Busch marked the issue as duplicate of #68
🌟 Selected for report: rbserver
Also found by: 0x1f8b, 0xSmartContract, Trust, cccz, codexploder, ctf_sec, hansfriese
247.5252 USDC - $247.53
When the system is paused, the creator cannot withdraw the remaining reward tokens via the retrievePledgeRewards/closePledge functions. Considering that when the system is paused, the user cannot increase the creator's vote via the _pledge function, the creator may want to withdraw his reward tokens since no new pledges are attracted, so the whenNotPaused modifier should not be added to the retrievePledgeRewards/closePledge functions. And if the system is paused indefinitely, the creator's reward tokens will be frozen in the contract
https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L456-L457 https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L488-L489
None
Consider removing the whenNotPaused modifier from the retrievePledgeRewards/closePledge functions.
#0 - trust1995
2022-10-30T22:07:35Z
Nice, dup of #233
#1 - Kogaroshi
2022-10-30T23:14:01Z
Duplicate of #70
#2 - c4-judge
2022-11-11T08:02:06Z
kirk-baird marked the issue as not a duplicate
#3 - c4-judge
2022-11-11T08:02:10Z
kirk-baird marked the issue as primary issue
#4 - c4-judge
2022-11-11T08:06:22Z
kirk-baird marked the issue as satisfactory
#5 - Simon-Busch
2022-11-11T08:07:50Z
Removed "primary issue" as request by @kirk-baird
#6 - c4-judge
2022-11-11T08:09:08Z
kirk-baird marked the issue as duplicate of #70
#7 - c4-judge
2022-12-06T17:36:20Z
Simon-Busch marked the issue as duplicate of #269
🌟 Selected for report: robee
Also found by: 0x007, 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 8olidity, Awesome, B2, Bnke0x0, Chom, Diana, Dravee, JTJabba, Jeiwan, Josiah, Lambda, Mathieu, Picodes, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Ruhum, Sm4rty, Tricko, Trust, Waze, __141345__, a12jmx, adriro, ajtra, brgltd, c3phas, carlitox477, cccz, ch0bu, chaduke, chrisdior4, corerouter, cryptonue, csanuragjain, ctf_sec, cylzxje, delfin454000, dic0de, djxploit, horsefacts, imare, jayphbee, jwood, ktg, ladboy233, leosathya, lukris02, minhtrng, neko_nyaa, oyc_109, pashov, peritoflores, rbserver, rvierdiiev, shark, tnevler, yixxas
19.6449 USDC - $19.64
There are ERC20 tokens that charge fee for every transfer() or transferFrom().
The reward token may be fee-on-transfer token.
In the current implementation, createPledge/extendPledge/increasePledgeRewardPerVote assumes that the received amount is the same as the transfer amount, and uses it to calculate rewardPerVote.
As a result, in _pledge(), later users may not be able to successfully claim their rewards, as it may revert for insufficient balance. And in retrievePledgeRewards()/closePledge(), the creator cannot withdraw the remaining reward tokens due to insufficient balance.
https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L266-L271 https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L466-L475 https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L502-L508
None
Consider getting the received amount by calculating the difference of token balance (using balanceOf) before and after the transferFrom.
#0 - Kogaroshi
2022-10-30T23:15:39Z
Duplicate of #27
#1 - c4-judge
2022-11-10T07:23:07Z
kirk-baird marked the issue as not a duplicate
#2 - c4-judge
2022-11-10T07:23:17Z
kirk-baird marked the issue as duplicate
#3 - c4-judge
2022-11-10T07:34:02Z
kirk-baird marked the issue as not a duplicate
#4 - c4-judge
2022-11-10T07:34:09Z
kirk-baird changed the severity to QA (Quality Assurance)
#5 - c4-judge
2022-11-11T23:53:52Z
kirk-baird marked the issue as grade-b