Velodrome Finance contest - codexploder's results

A base layer AMM on Optimism, inspired by Solidly.

General Information

Platform: Code4rena

Start Date: 23/05/2022

Pot Size: $75,000 USDC

Total HM: 23

Participants: 75

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 13

Id: 130

League: ETH

Velodrome Finance

Researcher Performance

Rank: 14/75

Findings: 1

Award: $873.88

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: hyh

Also found by: codexploder

Labels

bug
duplicate
2 (Med Risk)

Awards

873.8766 USDC - $873.88

External Links

Lines of code

https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Gauge.sol#L558

Vulnerability details

Impact

_updateRewardForAllTokens should always be called before any balance is changed; otherwise rewards will be messed up. The withdraw function does this correctly, but the call is missing from the withdrawToken function.

Proof of Concept

  1. User calls withdrawToken function

  2. The balances are directly updated and _updateRewardForAllTokens is never called

  3. This means the next reward calculation will use incorrect balances

The withdrawToken function should be revised to call the reward update at the start, before any balance is affected:

    function withdrawToken(uint amount, uint tokenId) public lock {
        _updateRewardForAllTokens();
        ...
    }
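The accounting effect described above, as an added example that is not part of the original finding or of Velodrome's code. It is a simplified reward-per-token model in Python (the Gauge class, the emission rate and the alice/bob scenario are constructed assumptions) that compares a withdrawal which settles rewards first with one that skips the update.

```python
from fractions import Fraction

class Gauge:
    """Simplified reward accumulator. Constructed model, not Gauge.sol."""
    def __init__(self, rate):
        self.rate = rate              # reward units emitted per second
        self.total = 0                # total staked
        self.balance = {}             # user -> staked amount
        self.rpt = Fraction(0)        # cumulative reward per staked token
        self.paid = {}                # user -> rpt at last settlement
        self.earned = {}              # user -> settled rewards
        self.last = 0                 # time of last update

    def _update_reward_for_all(self, now):
        # Credit the elapsed period using balances as they stand right now.
        if self.total:
            self.rpt += Fraction(self.rate * (now - self.last), self.total)
        self.last = now
        for user, bal in self.balance.items():
            owed = bal * (self.rpt - self.paid[user])
            self.earned[user] = self.earned.get(user, 0) + owed
            self.paid[user] = self.rpt

    def deposit(self, user, amount, now):
        self._update_reward_for_all(now)
        self.balance[user] = self.balance.get(user, 0) + amount
        self.paid[user] = self.rpt
        self.total += amount

    def withdraw(self, user, amount, now, settle_first=True):
        # settle_first=False models a withdrawal path that skips the update.
        if settle_first:
            self._update_reward_for_all(now)
        self.balance[user] -= amount
        self.total -= amount

def run(settle_first):
    """Alice and Bob stake 100 each at t=0; Alice exits at t=100; settle at t=200."""
    g = Gauge(rate=10)
    g.deposit("alice", 100, now=0)
    g.deposit("bob", 100, now=0)
    g.withdraw("alice", 100, now=100, settle_first=settle_first)
    g._update_reward_for_all(now=200)
    return int(g.earned["alice"]), int(g.earned["bob"])

if __name__ == "__main__":
    print("update before balance change:", run(True))
    print("update skipped on withdrawal:", run(False))
```

In both runs 2000 reward units are emitted, but when the update is skipped the first 100 seconds are credited against the post-withdrawal balances, so Alice's share for the time she was staked is attributed to Bob.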

#0 - pooltypes

2022-06-13T17:49:38Z

Duplicate of #50

#1 - GalloDaSballo

2022-06-29T20:21:11Z

Dup of #50
