Platform: Code4rena
Start Date: 09/09/2021
Pot Size: $60,000 USDC
Total HM: 24
Participants: 12
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 14
Id: 30
League: ETH
Rank: 11/12
Findings: 2
Award: $228.57
Selected for report: 1
Solo Findings: 0
defsec
It is good practice to add a require() statement that checks the return value of token transfers, or to use something like OpenZeppelin's safeTransfer/safeTransferFrom, unless one is sure the given token reverts on failure. Failing to do so causes transfers to fail silently and corrupts the token accounting in the contract.
While most places use a require or safeTransfer/safeTransferFrom, there are three missing cases in the withdrawal of staking token and rescue of arbitrary tokens sent to the Manager contract.
Reference this similar medium-severity finding from Consensys Diligence Audit of Fei Protocol: https://consensys.net/diligence/audits/2021/01/fei-protocol/#unchecked-return-value-for-iweth-transfer-call
Manual Code Review
Consider using safeTransfer/safeTransferFrom or require() consistently.
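To make the three patterns concrete, the following added example (not code from the yAxis Manager contract; the contract and function names are assumptions) shows the unchecked rescue pattern beside the two fixes the finding recommends. The last variant mirrors what OpenZeppelin's SafeERC20.safeTransfer does internally and also handles tokens that return no data at all, which a bare require() on the boolean would reject.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Minimal ERC20 surface used below. Interface and contract names are illustrative,
// not the yAxis Manager contract.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract RescueExample {
    address public immutable governance;

    constructor() {
        governance = msg.sender;
    }

    modifier onlyGovernance() {
        require(msg.sender == governance, "!governance");
        _;
    }

    // Vulnerable pattern: a token that returns false on failure (instead of reverting)
    // makes this call succeed silently, so the caller believes the rescue happened
    // while the balance never moved.
    function rescueUnchecked(IERC20 token, uint256 amount) external onlyGovernance {
        token.transfer(governance, amount);
    }

    // Minimal fix: check the boolean. Sufficient for standard tokens, but reverts on
    // tokens whose transfer() returns no data (decoding an empty return into bool fails).
    function rescueRequire(IERC20 token, uint256 amount) external onlyGovernance {
        require(token.transfer(governance, amount), "transfer failed");
    }

    // SafeERC20-style fix: "no return data" counts as success, "false" as failure,
    // and a reverting call or a non-contract address is rejected outright.
    // In production, import OpenZeppelin's SafeERC20 instead of re-implementing this.
    function rescueSafe(IERC20 token, uint256 amount) external onlyGovernance {
        _safeTransfer(token, governance, amount);
    }

    function _safeTransfer(IERC20 token, address to, uint256 amount) internal {
        // A call to an address with no code "succeeds" with empty data, which would
        // otherwise be mistaken for a non-returning token.
        require(address(token).code.length > 0, "not a contract");
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        require(ok, "transfer reverted");
        require(data.length == 0 || abi.decode(data, (bool)), "transfer returned false");
    }
}
```

The second variant is the one-line change the finding asks for; the third is what consistent use of safeTransfer buys on top of it: correct behaviour for non-standard tokens that arbitrary "rescue" paths are most likely to encounter.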
#0 - transferAndCall
2021-09-12T20:19:11Z
#1 - GalloDaSballo
2021-10-14T00:00:41Z
Duplicate of #114
20.9319 YAXIS - $81.63
defsec
During the manual code review, it was observed that harvesting and funding of strategies are not checked against the halted state of the contract. This can cause incorrect behaviour and lock user funds while the contract is halted.
1-) Navigate to the "https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/controllers/Controller.sol" contract.
2-) Observe the following code in Controller.sol.
Functions earn and harvestStrategy
function harvestStrategy(
    address _strategy,
    uint256 _estimatedWETH,
    uint256 _estimatedYAXIS
) external override onlyHarvester onlyStrategy(_strategy)

function earn(
    address _strategy,
    address _token,
    uint256 _amount
) external override onlyStrategy(_strategy) onlyVault(_token)
None
Apply the notHalt modifier to these functions. Only withdraw functions should remain callable while the contract is halted.
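The gating the mitigation describes, as an added example that is not yAxis code: a reduced controller skeleton in which a halt flag blocks earn and harvestStrategy but deliberately leaves withdrawal open. The modifier name notHalt follows the report; the harvester role, the idle/deployed accounting and the simplified harvestStrategy signature are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative controller (added example). Token transfers and vault access control
// are omitted; only the halt gating of each entry point is under discussion.
contract HaltableController {
    address public immutable governance;
    address public harvester;
    bool public halted;

    // Simplified accounting: tokens held idle in the controller vs. deployed per strategy.
    mapping(address => uint256) public idle;                          // token => amount
    mapping(address => mapping(address => uint256)) public deployed;  // strategy => token => amount

    constructor(address _harvester) {
        governance = msg.sender;
        harvester = _harvester;
    }

    modifier onlyGovernance() { require(msg.sender == governance, "!governance"); _; }
    modifier onlyHarvester()  { require(msg.sender == harvester, "!harvester"); _; }

    // Blocks an entry point while the contract is halted.
    modifier notHalt() { require(!halted, "halted"); _; }

    function setHalted(bool _halted) external onlyGovernance {
        halted = _halted;
    }

    // Funds arriving from a vault (the token transfer itself is omitted here).
    function deposit(address _token, uint256 _amount) external {
        idle[_token] += _amount;
    }

    // Funding a strategy is gated: nothing new is deployed during a halt.
    function earn(address _strategy, address _token, uint256 _amount) external notHalt {
        require(idle[_token] >= _amount, "insufficient idle");
        idle[_token] -= _amount;
        deployed[_strategy][_token] += _amount;
    }

    // Harvesting is gated for the same reason; profit accrues to the strategy position.
    function harvestStrategy(address _strategy, address _token, uint256 _profit)
        external onlyHarvester notHalt
    {
        deployed[_strategy][_token] += _profit;
    }

    // Withdrawal is intentionally NOT gated: users must be able to exit during a halt,
    // pulling from the strategy position when idle funds do not cover the request.
    function withdraw(address _strategy, address _token, uint256 _amount) external {
        if (idle[_token] < _amount) {
            uint256 shortfall = _amount - idle[_token];
            require(deployed[_strategy][_token] >= shortfall, "insufficient funds");
            deployed[_strategy][_token] -= shortfall;
            idle[_token] += shortfall;
        }
        idle[_token] -= _amount;
        // transfer of _amount back to the caller omitted
    }
}
```

When reviewing a halt or pause mechanism, the check is the same as here: list every state-changing entry point, confirm each one is either gated or is an exit path that must keep working, and make sure no path that deploys or reinvests funds is left ungated by omission.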
#0 - transferAndCall
2021-09-12T19:54:18Z
Please review https://github.com/code-423n4/2021-09-yaxis/pull/6 and verify resolution.