Platform: Code4rena
Start Date: 10/03/2022
Pot Size: $75,000 USDT
Total HM: 25
Participants: 54
Period: 7 days
Judge: pauliax
Total Solo HM: 10
Id: 97
League: ETH
Rank: 15/54
Findings: 4
Award: $860.62
🌟 Selected for report: 1
🚀 Solo Findings: 0
99.257 USDT - $99.26
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L180
The admin can steal all user funds, which may lead to reputational risk.
#0 - ankurdubey521
2022-03-30T11:14:51Z
I agree this is an issue, but in the current iteration of Hyphen it is still a centralized system, therefore there is an implicit trust in the contract owners and executors. A decentralized version of the Hyphen bridge is in the works and will fix these issues.
#1 - pauliax
2022-04-26T11:09:36Z
560.3084 USDT - $560.31
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L220 https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L233
In the deposit function it is possible to push to the nftIdsStaked array of any address. An attacker can deposit a large number of NFTs on behalf of another user, and when that user tries to withdraw an NFT near the end of the list, the withdrawal iterates over the whole list and reverts because of the block gas limit.
#0 - pauliax
2022-04-26T11:33:48Z
A valid concern, but I think it should be of medium severity because the victim can still withdraw NFTs one by one until reaching the necessary index because it breaks inside the loop: https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L234-L235
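As an added illustration (this is not the Hyphen code; the _to parameter, storage layout and contract names are assumptions), the pattern the finding describes is shown next to a hardened version. The vulnerable contract lets anyone push into another account's nftIdsStaked array and scans that array linearly on withdrawal; the hardened one only lets a depositor grow its own list and keeps an index map so removal costs the same whatever the list length. As pauliax notes above, the vulnerable loop breaks on the first match, which is why entries early in the list stay withdrawable even after padding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-721 surface needed by the example (not the full standard).
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Illustrative staking contract (not the Hyphen code). Vulnerable pattern:
// deposit() pushes into the array of an arbitrary beneficiary and
// withdraw() walks that array to find the token.
contract VulnerableFarming {
    IERC721 public immutable lpToken;
    mapping(address => uint256[]) public nftIdsStaked;

    constructor(IERC721 _lpToken) { lpToken = _lpToken; }

    // Anyone can grow `_to`'s list. An attacker holding many cheap LP NFTs
    // can pad a victim's list with thousands of entries.
    function deposit(uint256 _nftId, address _to) external {
        lpToken.transferFrom(msg.sender, address(this), _nftId);
        nftIdsStaked[_to].push(_nftId);
    }

    // Linear scan; cost grows with the position of the requested token.
    // The loop breaks on the first match, so early entries stay cheap to
    // remove, but a token near the end of a padded list needs more gas
    // than a block allows and the call reverts.
    function withdraw(uint256 _nftId) external {
        uint256[] storage ids = nftIdsStaked[msg.sender];
        uint256 len = ids.length;
        uint256 idx = len; // sentinel: not found
        for (uint256 i = 0; i < len; i++) {
            if (ids[i] == _nftId) { idx = i; break; }
        }
        require(idx < len, "not staked");
        ids[idx] = ids[len - 1];
        ids.pop();
        lpToken.transferFrom(address(this), msg.sender, _nftId);
    }
}

// Hardened form: a depositor only grows its own list, and an index map
// makes withdrawal O(1) regardless of list length.
contract HardenedFarming {
    IERC721 public immutable lpToken;
    mapping(address => uint256[]) public nftIdsStaked;
    // nftId => (index in the staker's array) + 1; 0 means "not staked"
    mapping(uint256 => uint256) private indexPlusOne;
    mapping(uint256 => address) public stakerOf;

    constructor(IERC721 _lpToken) { lpToken = _lpToken; }

    function deposit(uint256 _nftId) external {
        lpToken.transferFrom(msg.sender, address(this), _nftId);
        nftIdsStaked[msg.sender].push(_nftId);
        indexPlusOne[_nftId] = nftIdsStaked[msg.sender].length;
        stakerOf[_nftId] = msg.sender;
    }

    function withdraw(uint256 _nftId) external {
        require(stakerOf[_nftId] == msg.sender, "not staker");
        uint256[] storage ids = nftIdsStaked[msg.sender];
        uint256 idx = indexPlusOne[_nftId] - 1;
        uint256 lastId = ids[ids.length - 1];
        // swap-and-pop, keeping the moved element's index current
        ids[idx] = lastId;
        indexPlusOne[lastId] = idx + 1;
        ids.pop();
        // cleared after the swap so the lastId == _nftId case stays correct
        delete indexPlusOne[_nftId];
        delete stakerOf[_nftId];
        lpToken.transferFrom(address(this), msg.sender, _nftId);
    }
}
```

The hardened withdraw updates all state before the external token transfer (checks-effects-interactions), and the +1 offset in the index map lets zero mean "not staked" without a separate flag. If a deposit-on-behalf-of feature is genuinely needed, the same index map still removes the gas dependence on list length, but a per-account cap or a beneficiary opt-in is still advisable so a third party cannot bloat someone else's storage.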
80.3981 USDT - $80.40
The admin can change the fee to more than 100 percent.
Add sanity checks on the fees.
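An added example of the recommended sanity check, not the project's own code: an illustrative fee setter in basis points without and with an upper bound. The contract names, the 10,000-bps scale and the 5 % cap in MAX_FEE_BPS are assumptions chosen for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative fee configuration (not the Hyphen code). Fees are expressed
// in basis points: 10_000 bps == 100 %.
contract FeeConfigUnchecked {
    uint256 public constant BASIS_POINTS = 10_000;
    address public owner;
    uint256 public feeBps;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // No upper bound: the owner can set 20_000 (200 %) or any uint256.
    function setFee(uint256 _feeBps) external onlyOwner {
        feeBps = _feeBps;
    }

    // With a fee above 100 % the fee exceeds the amount, so `amount - fee`
    // reverts under 0.8.x checked arithmetic and every transfer fails;
    // inside an `unchecked` block it would wrap instead.
    function amountAfterFee(uint256 amount) public view returns (uint256) {
        uint256 fee = (amount * feeBps) / BASIS_POINTS;
        return amount - fee;
    }
}

// Hardened: a hard cap enforced in the setter so the fee can never exceed
// the documented maximum, plus an event for off-chain monitoring.
contract FeeConfigChecked {
    uint256 public constant BASIS_POINTS = 10_000;
    uint256 public constant MAX_FEE_BPS = 500; // 5 %, an assumed policy value
    address public owner;
    uint256 public feeBps;

    event FeeUpdated(uint256 oldFeeBps, uint256 newFeeBps);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setFee(uint256 _feeBps) external onlyOwner {
        require(_feeBps <= MAX_FEE_BPS, "fee exceeds cap");
        emit FeeUpdated(feeBps, _feeBps);
        feeBps = _feeBps;
    }

    function amountAfterFee(uint256 amount) public view returns (uint256) {
        uint256 fee = (amount * feeBps) / BASIS_POINTS;
        return amount - fee;
    }
}
```

The cap is a constant rather than another owner-settable value so that the bound cannot itself be raised by the same privileged key; if the cap must be adjustable, route changes through a timelock so users can exit before a new maximum takes effect.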
#0 - pauliax
2022-04-30T17:26:25Z
🌟 Selected for report: hickuphh3
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xNazgul, 0xngndev, 0xwags, Cantor_Dust, CertoraInc, Dravee, IllIllI, PPrieditis, Ruhum, TerrierLover, WatchPug, XDms, benk10, berndartmueller, bitbopper, catchup, cmichel, cryptphi, csanuragjain, danb, defsec, gzeon, hagrid, hubble, jayjonah8, kenta, kyliek, minhquanym, rfa, robee, saian, samruna, throttle, ye0lde, z3s
120.6516 USDT - $120.65
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityPool.sol#L431
The receive function in LiquidityPool is redundant and dangerous because it allows users to send ether when they should not be able to.
#0 - pauliax
2022-05-02T10:53:35Z
It is not entirely useless:
(bool success, ) = address(liquidityPool).call{value: msg.value}("");
but it would be better to have an appropriate auth control, see: #157
#1 - pauliax
2022-06-03T17:59:49Z
#2 - pauliax
2022-06-03T18:01:08Z
This warden does not have a QA report, thus I am opening this issue as such.
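An added example for the receive-function finding above, not the Hyphen code: an illustrative pool whose unrestricted receive() accepts native value from anyone, beside a version gated to the single contract that legitimately forwards value with the low-level call pattern pauliax quoted. The contract names, the authorizedSender field and the Forwarder contract are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative pool with an unrestricted receive(): any EOA or contract can
// push ETH in outside the accounting path. (Not the Hyphen code.)
contract OpenPool {
    uint256 public totalLiquidity; // tracked through addLiquidity() only

    function addLiquidity() external payable {
        totalLiquidity += msg.value;
    }

    // Redundant and dangerous: ETH arriving here is never accounted for.
    receive() external payable {}
}

// Hardened: receive() is gated to the one caller that legitimately forwards
// native value via a low-level call. Everyone else must use addLiquidity().
contract GatedPool {
    address public immutable authorizedSender; // assumed: a deployer-set router/executor
    uint256 public totalLiquidity;

    event NativeReceived(address indexed from, uint256 amount);

    constructor(address _authorizedSender) {
        require(_authorizedSender != address(0), "zero sender");
        authorizedSender = _authorizedSender;
    }

    function addLiquidity() external payable {
        totalLiquidity += msg.value;
    }

    receive() external payable {
        require(msg.sender == authorizedSender, "unauthorized native transfer");
        totalLiquidity += msg.value;
        emit NativeReceived(msg.sender, msg.value);
    }
}

// Hypothetical forwarding contract mirroring the call pattern quoted by the
// judge: an empty-calldata call with value, which lands in receive().
contract Forwarder {
    GatedPool public immutable pool;

    constructor(GatedPool _pool) { pool = _pool; }

    function forward() external payable {
        (bool success, ) = address(pool).call{value: msg.value}("");
        require(success, "forward failed");
    }
}
```

The gate only controls the receive() path: selfdestruct from another contract can still force ETH into the pool without running any code, so accounting should never assume address(this).balance equals totalLiquidity. The event gives monitoring a cheap way to alert on native inflows that bypass addLiquidity().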