Yeti Finance contest - dalgarim's results

Portfolio borrowing. 11x leverage. 0% interest.

General Information

Platform: Code4rena

Start Date: 16/12/2021

Pot Size: $100,000 USDC

Total HM: 21

Participants: 25

Period: 7 days

Judge: alcueca

Total Solo HM: 12

Id: 66

League: ETH

Yeti Finance

Findings Distribution

Researcher Performance

Rank: 8/25

Findings: 3

Award: $3,851.68

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Yeti Finance

Findings Information

🌟 Selected for report: jayjonah8

Also found by: dalgarim, kenzo

Labels

bug

duplicate

3 (High Risk)

disagree with severity

Awards

1434.4958 USDC - $1,434.50

External Links

Link to GitHub issue

Handle

dalgarim

Vulnerability details

Impact

The comment on the "StabilityPool.receiveCollateral" function states that this function should be called by ActivePool. However this function doesn't implement access control which checks whether the caller is actually ActivePool or not. As this function emit the "StabilityPoolBalancesUpdated" event, malicious user can contaminate events log by calling this function many times.

Proof of Concept

receiveCollateral

    // Should be called by ActivePool
    // __after__ collateral is transferred to this contract from Active Pool
    function receiveCollateral(address[] memory _tokens, uint256[] memory _amounts)
        external
        override
    {
        totalColl.amounts = _leftSumColls(totalColl, _tokens, _amounts);
        emit StabilityPoolBalancesUpdated(_tokens, _amounts);
    }

Tools Used

Manual

Recommended Mitigation Steps

Adding _requireCallerIsActivePool() on the function is required.

#0 - kingyetifinance
2022-01-05T09:16:41Z

@LilYeti: This is actually a very severe issue, and should be severity 3 like duplicate issue #74 Congrats @dalgarim

Findings Information

🌟 Selected for report: dalgarim

Also found by: cmichel, p4st13r4

Labels

bug

G (Gas Optimization)

sponsor confirmed

Awards

26.3494 USDC - $26.35

External Links

Link to GitHub issue

Handle

dalgarim

Vulnerability details

Impact

sYETIToken.sol mint function checks if msg.sender is zero address. It is extremely unlikely that someone possesses a private key of zero address. This 'require' statement semantically has no meaning

Proof of Concept

mint

function mint(uint256 amount) public returns (bool) {
        require(msg.sender != address(0), "Zero address");
        User memory user = users[msg.sender];

        uint256 shares = totalSupply == 0 ? amount : (amount * totalSupply) / effectiveYetiTokenBalance;
        user.balance += shares.to128();
        user.lockedUntil = (block.timestamp + LOCK_TIME).to128();
        users[msg.sender] = user;
        totalSupply += shares;

        yetiToken.sendToSYETI(msg.sender, amount);
        effectiveYetiTokenBalance = effectiveYetiTokenBalance.add(amount);

        emit Transfer(address(0), msg.sender, shares);
        return true;
    }

Tools Used

Manual

Recommended Mitigation Steps

The require statement can be removed

Yeti Finance contest - dalgarim's results

Portfolio borrowing. 11x leverage. 0% interest.

General Information

Findings Distribution

Researcher Performance

External Links

[H-01] StabilityPool.receiveCollateral function doesn't have access control - $1,434.50

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - kingyetifinance2022-01-05T09:16:41Z

Gas Report - $26.35

Gas Report - $26.35

🌟 [G-23] Checking zero address on msg.sender is impractical - $26.35

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - kingyetifinance
2022-01-05T09:16:41Z