Back to climber2002's contests

Asymmetry contest - climber2002's results

A protocol to help diversify and decentralize liquid staking derivatives.

General Information

Platform: Code4rena

Start Date: 24/03/2023

Pot Size: $49,200 USDC

Total HM: 20

Participants: 246

Period: 6 days

Judge: Picodes

Total Solo HM: 1

Id: 226

League: ETH

Asymmetry Finance

Findings Distribution

Researcher Performance

Rank: 172/246

Findings: 1

Award: $13.13

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAsymmetry Finance

Findings Information

🌟 Selected for report: brgltd

Also found by: 0x3b, 0xAgro, 0xGusMcCrae, 0xNorman, 0xRajkumar, 0xSmartContract, 0xTraub, 0xWagmi, 0xWaitress, 0xffchain, 0xhacksmithh, 0xkazim, 0xnev, 3dgeville, ArbitraryExecution, Aymen0909, BRONZEDISC, Bason, Bloqarl, BlueAlder, Brenzee, CodeFoxInc, CodingNameKiki, Cryptor, DadeKuma, DevABDee, Diana, Dug, Englave, Gde, Haipls, HollaDieWaldfee, Ignite, Infect3d, Jerry0x, Josiah, Kaysoft, Koko1912, KrisApostolov, Lavishq, LeoGold, Madalad, PNS, Rappie, RaymondFam, RedTiger, Rickard, Rolezn, Sathish9098, SunSec, T1MOH, UdarTeam, Udsen, Viktor_Cortess, Wander, adriro, ak1, alejandrocovrr, alexzoid, arialblack14, ayden, bin2chen, brevis, btk, c3phas, carlitox477, catellatech, ch0bu, chaduke, ck, climber2002, codeslide, descharre, dingo2077, ernestognw, fatherOfBlocks, favelanky, georgits, helios, hl_, inmarelibero, juancito, ks__xxxxx, lopotras, lukris02, m_Rassska, mahdirostami, maxper, nadin, navinavu, nemveer, p_crypt0, peanuts, pipoca, pixpi, qpzm, rbserver, reassor, roelio, rotcivegaf, scokaf, siddhpurakaran, slvDev, smaul, tnevler, tsvetanovv, turvy_fuzz, vagrant, wen, yac, zzzitron

Awards

13.1298 USDC - $13.13

Labels

bug
grade-b
QA (Quality Assurance)
sponsor confirmed
edited-by-warden
Q-139

External Links

Link to GitHub issue

Add require(_derivativeIndex < derivativeCount) validation in SafETH.adjustWeight

In SafETH.adjustWeight it doesn't make sense if _derivativeIndex >= derivativeCount. It's better to add such check in case of contract owner call this function with wrong params accidentally.

function adjustWeight(
        uint256 _derivativeIndex,
        uint256 _weight
    ) external onlyOwner {
  require(_derivativeIndex < derivativeCount, "Invalid _derivativeIndex");
  ...
}

When unstake user can lose funds if _safEthAmount is extremely small

In unstake it calculates derivativeAmount

uint256 derivativeAmount = (derivatives[i].balance() *
                _safEthAmount) / safEthTotalSupply;

if _safEthAmount is extremely small, then derivativeAmount could be 0 for all derivatives. For example, for 3 derivatives with equal weights, if _safETHAmount is 2wei, then derivativeAmount is 1 * 2 / 3 = 0 for all derivatives.

Recommendation

Revert if ethAmountToWithdraw is 0

Add a function previewUnstake

Currently unstake doesn't return the ETH amount that it's actually unstaked. It's better to have a function previewUnstake(uint256 _safEthAmount) external view returns (uint256) which can let the user know how much ETH he will receive for a given _safEthAmount before doing unstake

#0 - c4-sponsor

2023-04-10T18:50:23Z

elmutt marked the issue as sponsor confirmed

#1 - c4-judge

2023-04-24T19:08:07Z

Picodes marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter