Paladin - Warden Pledges contest - cryptonue's results

Lines of code

https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L653-L654

Vulnerability details

Impact

Potential Rug Vector via recoverERC20

Proof of Concept

There is a function called recoverERC20() which initially created to "Recover ERC20 tokens sent by mistake to the contract". To make it trustable, the function need to check if minAmountRewardToken[token] != 0 so that any active or whitelisted tokens will not affected with this function.

But, if this recoverERC20() function is called after removeRewardToken() being called for the same token, then the rug vector is clearly visible.

Tools Used

Manual analysis

Recommended Mitigation Steps

If the intention of recoverERC20() function is to recover token sent by mistake, then we need to check if the token is already have a pledge active or not. If it's really a mistake then normally there is no pledge for that token. If there's a pledge active for that token, surely we need to make sure the creator (other user) need to withdraw their token first.

[L] Amount to delegate is not checked thoroughly

in _pledge() internal function, the amount value is only check if it's not 0, but not being checked to at least to make the slope > 0 (in L:256), in other word if the amount is less than boostDuration value, it will make the slope 0, when this slope is 0, the bias, totalDelegatedAmount, and rewardAmount will also 0, thus waste of gas for transferring 0 token reward.

File: WardenPledge.sol
234:         if(endTimestamp > pledgeParams.endTimestamp || endTimestamp != _getRoundedTimestamp(endTimestamp)) revert Errors.InvalidEndTimestamp();

237:         uint256 boostDuration = endTimestamp - block.timestamp;

256:         uint256 slope = amount / boostDuration;
257:         uint256 bias = slope * boostDuration;

263:         uint256 totalDelegatedAmount = ((bias * boostDuration) + bias) / 2;
264:         // Then we can calculate the total amount of rewards for this Boost
265:         uint256 rewardAmount = (totalDelegatedAmount * pledgeParams.rewardPerVote) / UNIT;
266: 
267:         if(rewardAmount > pledgeAvailableRewardAmounts[pledgeId]) revert Errors.RewardsBalanceTooLow();
268:         pledgeAvailableRewardAmounts[pledgeId] -= rewardAmount;
269: 
270:         // Send the rewards to the user
271:         IERC20(pledgeParams.rewardToken).safeTransfer(user, rewardAmount);

[NC] Typo

Protocol vs Protocal

File: WardenPledge.sol
70:     /** @notice ratio of fees to pay the protocol (in BPS) */
71:     uint256 public protocalFeeRatio = 250; //bps

328:         vars.feeAmount = (vars.totalRewardAmount * protocalFeeRatio) / MAX_PCT ;

388:         uint256 feeAmount = (totalRewardAmount * protocalFeeRatio) / MAX_PCT ;

433:         uint256 feeAmount = (totalRewardAmount * protocalFeeRatio) / MAX_PCT ;

627:         uint256 oldfee = protocalFeeRatio;
628:         protocalFeeRatio = newFee;

[NC] Unfinished Comment for events

Events descriptions is not finished it will make the contract less prepared

/** @notice Event emitted when xx */

[NC] NUMERIC VALUES HAVING TO DO WITH TIME SHOULD USE TIME UNITS FOR READABILITY

There are units for seconds, minutes, hours, days, and weeks

File: WardenPledge.sol
24:     uint256 public constant WEEK = 7 * 86400;

[NC] LINE WIDTH

Keep line width to max 120 characters for better readability.