Platform: Code4rena
Start Date: 15/12/2022
Pot Size: $128,000 USDC
Total HM: 28
Participants: 111
Period: 19 days
Judge: GalloDaSballo
Total Solo HM: 1
Id: 194
League: ETH
Rank: 87/111
Findings: 2
Award: $32.28
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xdeadbeef0x
Also found by: 0xLad, 0xNazgul, 0xSmartContract, 0xbepresent, Arbor-Finance, Breeje, HE1M, IllIllI, Qeew, Rolezn, SEVEN, SamGMK, SmartSek, TomJ, WatchDogs, ak1, btk, ck, datapunk, dic0de, eierina, fs0c, hansfriese, koxuan, ladboy233, peanuts, rvierdiiev, sces60107, tonisives, unforgiven, yongskiws
14.9051 USDC - $14.91
The TokenggAVAX contract is based on ERC4626, where the shares minted for a deposit are calculated from the deposit value relative to the vault's current assets and share supply.
By making a large initial deposit, the first depositor can influence the value that future depositors receive. Shares are minted based on the deposit value, as seen here: https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/tokens/TokenggAVAX.sol#L165-L178.
Because the first depositor can set the price per share, later depositors are forced to deposit a very large amount of assets to receive a meaningful number of shares: in the ERC4626 share formula, a deposit that is small relative to the price per share rounds down to zero shares. This is not practical for most users and would directly drive users away from the system.
The issue is referenced here:
Consider requiring a minimal amount of share tokens to be minted for the first minter, and sending part of the initial mint to a reserve so that the pricePerShare is more resistant to manipulation.
#0 - c4-judge
2023-01-08T13:12:09Z
GalloDaSballo marked the issue as duplicate of #209
#1 - c4-judge
2023-02-08T09:45:01Z
GalloDaSballo marked the issue as satisfactory
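The share-price manipulation this finding describes, modelled in Python as an added example. This is not GoGoPool's or TokenggAVAX's code: `Vault`, `MINIMUM_SHARES`, `DEAD_ADDRESS` and all amounts are constructed for illustration. The model uses the plain ERC4626 share formula, floor(assets * totalSupply / totalAssets) with a 1:1 rate on an empty vault, and compares it against the mitigation recommended above, locking a minimum number of shares from the first mint in a reserve address. It goes slightly beyond the text in that the attacker uses a dust first deposit followed by a direct token transfer (donation) to the vault, the usual form of this attack, rather than a single large deposit.

```python
"""ERC4626 first-depositor (share-price inflation) model.

Constructed example, not GoGoPool/TokenggAVAX code. Shows a small first
deposit plus a donation forcing later deposits to round to zero shares, and
how locking part of the first mint in a reserve makes the attack unprofitable.
"""

DEAD_ADDRESS = "0xdead"   # hypothetical sink for the locked reserve shares
MINIMUM_SHARES = 1_000    # hypothetical reserve locked on the first mint
E18 = 10 ** 18


class ZeroShares(Exception):
    """Mirrors the ZERO_SHARES revert of common ERC4626 implementations."""


class Vault:
    def __init__(self, lock_minimum_shares: bool = False):
        self.total_assets = 0          # balanceOf(vault) in a real contract
        self.total_supply = 0
        self.balances = {}
        self.lock_minimum = lock_minimum_shares

    def convert_to_shares(self, assets: int) -> int:
        # 1:1 on an empty vault, otherwise floor(assets * supply / totalAssets)
        if self.total_supply == 0:
            return assets
        return assets * self.total_supply // self.total_assets

    def convert_to_assets(self, shares: int) -> int:
        if self.total_supply == 0:
            return shares
        return shares * self.total_assets // self.total_supply

    def _mint(self, who: str, shares: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + shares
        self.total_supply += shares

    def deposit(self, who: str, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        if self.lock_minimum and self.total_supply == 0:
            # First mint: part of the shares go to a reserve address, so the
            # share supply can never be tiny relative to the assets held.
            if shares <= MINIMUM_SHARES:
                raise ValueError("first deposit below the locked minimum")
            self._mint(DEAD_ADDRESS, MINIMUM_SHARES)
            shares -= MINIMUM_SHARES
        if shares == 0:
            raise ZeroShares
        self._mint(who, shares)
        self.total_assets += assets
        return shares

    def donate(self, assets: int) -> None:
        # Direct token transfer to the vault: raises totalAssets() without
        # minting shares. This is the price-per-share manipulation step.
        self.total_assets += assets


def run_scenario(lock_minimum_shares: bool) -> dict:
    """Attacker front-runs the first honest deposit with dust plus a donation."""
    vault = Vault(lock_minimum_shares)
    # With the reserve enabled the dust deposit is rejected, so the attacker
    # must put in more than MINIMUM_SHARES worth of assets just to get in.
    attacker_deposit = 10_000 if lock_minimum_shares else 1
    donation = 10_000 * E18
    attacker_shares = vault.deposit("attacker", attacker_deposit)
    vault.donate(donation)

    # A modest honest deposit: with a 1-share supply and 10_000e18 assets,
    # anything below 10_000e18 rounds down to zero shares and reverts.
    try:
        small_shares = vault.deposit("victim_small", 5_000 * E18)
    except ZeroShares:
        small_shares = 0

    # A large honest deposit goes through but is rounded down heavily.
    victim_shares = vault.deposit("victim", 15_000 * E18)
    victim_value = vault.convert_to_assets(victim_shares)
    attacker_value = vault.convert_to_assets(attacker_shares)
    return {
        "small_deposit_shares": small_shares,
        "victim_shares": victim_shares,
        "victim_loss": 15_000 * E18 - victim_value,
        "attacker_profit": attacker_value - attacker_deposit - donation,
    }


if __name__ == "__main__":
    print("plain ERC4626:        ", run_scenario(False))
    print("minimum shares locked:", run_scenario(True))
```

Without the reserve, the 5_000e18 deposit reverts with zero shares, the 15_000e18 deposit receives a single share and loses 2_500e18 to rounding, and the attacker leaves with that amount. With 1_000 shares locked on the first mint, both honest deposits receive thousands of shares, the rounding loss drops below 1e18, and the attacker ends roughly 1_000e18 down because the locked reserve is worth more than the donation gained.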
🌟 Selected for report: imare
Also found by: 0Kage, 0xbepresent, AkshaySrivastav, Faith, HollaDieWaldfee, Jeiwan, Saintcode_, betweenETHlines, btk, dic0de, enckrish, gz627, imare, jadezti, kaliberpoziomka8552, nogo, simon135, sk8erboy
17.3743 USDC - $17.37
The disableMultisig() function is a privileged function that disables a registered multisig. It does so by setting the multisig's flag to false, as seen here: https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/MultisigManager.sol#L74.
The function's comment states: /// @dev this will prevent the multisig from completing validations. The minipool will need to be manually reassigned to a new multisig
The intent, therefore, is that once a multisig is disabled it is not enabled again. However, the deployed mechanism in disableMultisig() simply sets the flag to false, which leaves open the possibility of a disabled multisig being set back to true in the future.
If the intention of the project is to ensure that disabled multisigs cannot be re-enabled in future, it should consider not only setting the flag to false but also completely unregistering the multisig.
#0 - c4-judge
2023-01-10T07:54:03Z
GalloDaSballo marked the issue as duplicate of #618
#1 - c4-judge
2023-02-01T19:57:26Z
GalloDaSballo marked the issue as duplicate of #702
#2 - GalloDaSballo
2023-02-02T11:57:14Z
See #618
#3 - c4-judge
2023-02-02T11:57:19Z
GalloDaSballo marked the issue as partial-50