Platform: Code4rena
Start Date: 14/04/2022
Pot Size: $75,000 USDC
Total HM: 8
Participants: 72
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 2
Id: 110
League: ETH
Rank: 59/72
Findings: 1
Award: $91.39
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xkatana, AmitN, CertoraInc, Dravee, Funen, Hawkeye, Jujic, MaratCerby, Picodes, Ruhum, SolidityScan, TerrierLover, TomFrenchBlockchain, TrungOre, VAD37, Yiko, berndartmueller, cmichel, csanuragjain, danb, defsec, delfin454000, dipp, ellahi, fatherOfBlocks, georgypetrov, gs8nrv, gzeon, horsefacts, hubble, hyh, ilan, jah, joestakey, kebabsec, kenta, kyliek, m9800, minhquanym, oyc_109, p_crypt0, peritoflores, rayn, reassor, remora, rfa, robee, scaraven, securerodd, shenwilly, sorrynotsorry, tchkvsky, teryanarmen, z3s
91.3943 USDC - $91.39
citadelPriceInAsset value check might lead to unintended deposit functionality in Funding.sol
In the getAmountOut function of Funding.sol, if citadelPriceInAsset is not set (equal to 0) then citadelAmountWithoutDiscount will equal 0 and the getAmountOut function will return 0.
When getAmountOut is called in deposit, citadelAmount_ will be equal to 0. If the _minCitadelOut parameter in deposit is set to more than 0, the require on line 178 would fail, not allowing a user to deposit. If _minCitadelOut is set to 0 then the require condition would be passed. However, when depositFor is called on line 184 the transaction will fail due to the amount in depositFor being equal to 0.
Without the citadelPriceInAsset value being set, users would not be able to use deposit.
A possible fix would be to set the citadelPriceInAsset value before calculating citadelAmountWithoutDiscount in getAmountOut.
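The two failure paths described above, as an added example that is not the project's Funding.sol: a simplified model in which the contract name FundingModel, the function depositChecked, the revert strings and the internal _depositFor stand-in are all hypothetical. It assumes the amount out is the product of the input and the price (the finding states only that a zero price yields 0), and its explicit price check is one possible guard, not the fix the finding proposes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

// Simplified model written for this example; NOT the project's Funding.sol.
// Discount, decimals normalization, caps and token transfers are left out.
contract FundingModel {
    uint256 public citadelPriceInAsset; // 0 until a price is set
    mapping(address => uint256) public received; // stand-in for credited tokens

    function setCitadelPriceInAsset(uint256 price) external {
        citadelPriceInAsset = price;
    }

    // Assumption: amount out is input * price, so an unset price returns 0.
    function getAmountOut(uint256 assetAmountIn) public view returns (uint256) {
        uint256 citadelAmountWithoutDiscount = assetAmountIn * citadelPriceInAsset;
        return citadelAmountWithoutDiscount;
    }

    // Stand-in for depositFor, which rejects a zero amount.
    function _depositFor(address recipient, uint256 amount) internal {
        require(amount > 0, "zero amount");
        received[recipient] += amount;
    }

    // Behaviour described in the finding: with price == 0 every call reverts,
    // but the reason depends on minCitadelOut and never names the unset price.
    function deposit(uint256 assetAmountIn, uint256 minCitadelOut)
        external
        returns (uint256 citadelAmount_)
    {
        citadelAmount_ = getAmountOut(assetAmountIn);
        require(citadelAmount_ >= minCitadelOut, "minCitadelOut"); // reverts when min > 0
        _depositFor(msg.sender, citadelAmount_); // reverts when min == 0
    }

    // Variant with an explicit precondition, so the revert names its cause.
    function depositChecked(uint256 assetAmountIn, uint256 minCitadelOut)
        external
        returns (uint256 citadelAmount_)
    {
        require(citadelPriceInAsset > 0, "citadelPriceInAsset not set");
        citadelAmount_ = getAmountOut(assetAmountIn);
        require(citadelAmount_ >= minCitadelOut, "minCitadelOut");
        _depositFor(msg.sender, citadelAmount_);
    }
}
```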
deposit function in Funding.sol
The comment describes the parameter _minCitadelOut as 'ID of DAO to vote for' and should instead be something along the lines of 'minimum CTDL tokens to be received'.