Platform: Code4rena
Start Date: 03/02/2022
Pot Size: $75,000 USDC
Total HM: 42
Participants: 52
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 21
Id: 83
League: ETH
Rank: 24/52
Findings: 3
Award: $484.53
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: mtz
Also found by: 0x1f8b, Czar102, GalloDaSballo, GeekyLumberjack, Randyyy, Rhynorater, Ruhum, ShadowyNoobDev, bitbopper, cccz, cmichel, csanuragjain, danb, gzeon, hickuphh3, hyh, leastwood
31.0722 USDC - $31.07
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/Shelter.sol#L52
In the withdraw function in Shelter, one can withdraw an unlimited number of times and, by doing so, drain the system.
The function doesn't check that the shares haven't already been withdrawn.
#0 - r2moon
2022-02-16T16:51:00Z
#1 - GalloDaSballo
2022-04-12T22:19:21Z
Duplicate of #246
🌟 Selected for report: WatchPug
Also found by: CertoraInc, bobi, csanuragjain, danb, hickuphh3, leastwood
298.6186 USDC - $298.62
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/MasterChef.sol#L159
The user is looked up by msg.sender, which is always the StakingRewards contract, instead of by _recepient.
One of the problems this causes is that anyone who deposits will get the rewards of all the other users, because everyone shares the same user (the StakingRewards contract address).
discussion with the dev team
Change _msgSender() to _recepient in line 159.
#0 - GalloDaSballo
2022-04-17T16:29:18Z
Duplicate of #205
154.8393 USDC - $154.84
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConvexStakingWrapper.sol#L261 https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConvexStakingWrapper.sol#L235
In the first link I provided, a hacker can call withdraw with amount = 2**196; the amount of shares that will be burned is uint192(2**192) == 0.
If the system has enough money, the hacker can steal 2**192 tokens and pay nothing.
For the second link, if a user provides more than 2**192 tokens, the amount of shares will be truncated and they will get less than they should.
Use OpenZeppelin's SafeCast.
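An added illustration of the truncating cast described in this finding beside the checked form it recommends; this is example code, not Concur's ConvexStakingWrapper, and the shares mapping and function names are hypothetical stand-ins for the wrapper's accounting:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for the wrapper's share accounting (not the audited code).
contract Uint192CastDemo {
    mapping(address => uint192) public shares;

    // Unchecked narrowing cast, as in the finding: for any amount that is a
    // multiple of 2**192 the low 192 bits are zero, so zero shares are burned
    // while the caller is credited with the full 256-bit amount.
    function burnUnchecked(uint256 amount) external returns (uint192 burned) {
        burned = uint192(amount);      // silently discards the top 64 bits
        shares[msg.sender] -= burned;  // subtracts 0 when amount == 2**192
    }

    // Checked cast: the same check OpenZeppelin's SafeCast.toUint192 performs
    // (available in OpenZeppelin Contracts 4.7 and later). Reverts instead of
    // truncating, so an oversized amount can never map to zero shares.
    function burnChecked(uint256 amount) external returns (uint192 burned) {
        require(amount <= type(uint192).max, "SafeCast: value doesn't fit in 192 bits");
        burned = uint192(amount);
        shares[msg.sender] -= burned;
    }

    // Pure helper exposing the arithmetic behind the finding:
    // returns true whenever the cast would change the value (amount >= 2**192).
    function castTruncates(uint256 amount) external pure returns (bool) {
        return uint256(uint192(amount)) != amount;
    }
}
```

Calling castTruncates(2**192) returns true and burnUnchecked(2**192) burns nothing, whereas burnChecked(2**192) reverts; SafeCast.toUint192 gives the same revert with less hand-written code.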
#0 - GalloDaSballo
2022-04-19T14:18:55Z
While the warden's intuition is correct, the lack of a POC makes the finding fall under scrutiny.
The casting in the ConvexStakingWrapper is to uint192; however, the MasterChef contract, which will be notified of the withdrawal, uses uint128, meaning that the shown POC will revert and won't allow for any value extraction.
If a common denominator between the two were to be found such that _amount was zero in both contracts, then value extraction could happen.
However, this POC is not developed enough to sustain this reasoning.
Because of that I'm going to mark this as a duplicate of #194, as the casting problem is more developed there.