Platform: Code4rena
Start Date: 13/05/2022
Pot Size: $30,000 USDC
Total HM: 8
Participants: 65
Period: 3 days
Judge: hickuphh3
Total Solo HM: 1
Id: 125
League: ETH
Rank: 16/65
Findings: 3
Award: $344.32
π Selected for report: 0
π Solo Findings: 0
π Selected for report: pedroais
Also found by: 0x4non, 0x52, 0xf15ers, 0xliumin, CertoraInc, Dravee, GimelSec, IllIllI, MaratCerby, StErMi, TerrierLover, WatchPug, berndartmueller, cccz, dipp, fatherOfBlocks, hake, hickuphh3, hyh, isamjay, mtz, oyc_109, p4st13r4, peritoflores, rotcivegaf, saian, simon135, sorrynotsorry, sseefried, tabish, z3s
14.8433 USDC - $14.84
GeneralVault.sol#L100-L128 LidoVault.sol#L122-L149
In the _withdrawFromYieldPool function in LidoVault.sol, the receivedETHAmount value is returned before the sent value for the call function is checked on line 142.
When withdrawCollateral is called in LidoVault.sol and the call fails, the transaction does not revert and the user loses the assets withdrawn from the lending pool. The withdrawn assets stay in the contract.
Call withdrawCollateral from LidoVault.sol with _asset = 0x0000000000000000000000000000000000000000, anything for _amount and a valid _to address.
The _amount of stETH is withdrawn from the lending pool.
_withdrawFromYieldPool is called with the stETH amount withdrawn as its _amount value.
In _withdrawFromYieldPool, after the stETH is swapped for ETH, a call to _to is made and the ETH amount received from the swap is sent to the address.
If the call fails, for example the receiving contract does not implement receive or a fallback to receive ETH, then the call should return false and the withdraw transaction should revert. But it does not revert, instead the amount of ETH received from the swap is returned from the _withdrawFromYield function. The ETH acquired from the swap remains in the contract.
#0 - sforman2000
2022-05-18T01:32:04Z
Duplicate of https://github.com/code-423n4/2022-05-sturdy-findings/issues/157 (high risk)
π Selected for report: rotcivegaf
Also found by: AuditsAreUS, MaratCerby, StErMi, berndartmueller, cccz, dipp
283.5578 USDC - $283.56
GeneralVault.sol#L75-L89 LidoVault.sol#L79-L104
When the depositCollateral function is used in the LidoVault.sol contract, a user depositing stETH may mistakenly have a non-zero msg.value. The ETH would be passed to the contract and the user would lose that ETH.
Call the depositCollateral function in the LidoVault.sol contract with _asset as the stETH token address (LIDO), _amount as any withdrawable amount and msg.value as any amount more than 0.
The amount of msg.value in ETH is sent from the msg.sender to LidoVault.sol.
When _depositToYieldPool is called in the depositCollateral function the _amount of stETH will be sent to LidoVault.sol.
Only the _amount of stETH is deposited into the lending pool, since the ETH sent is not swapped for stETH. The ETH sent stays in the contract.
Consider reverting the transaction when the msg.value is not 0 and the _asset value is equal to LIDO.
On line 97 of LidoVault.sol, the condition could change to require(_asset == LIDO && msg.value == 0, Errors.VT_COLLATERAL_DEPOSIT_INVALID).
#0 - sforman2000
2022-05-18T02:27:22Z
π Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0xNazgul, 0xf15ers, 0xkatana, 0xliumin, AlleyCat, BouSalman, Dravee, Funen, GimelSec, Hawkeye, MaratCerby, Picodes, StErMi, TerrierLover, WatchPug, Waze, berndartmueller, bobirichman, cryptphi, csanuragjain, defsec, delfin454000, dipp, fatherOfBlocks, hake, hickuphh3, hyh, joestakey, kebabsec, mics, mtz, oyc_109, p4st13r4, p_crypt0, robee, rotcivegaf, sikorico, simon135, sorrynotsorry, tintin
45.925 USDC - $45.92
When depositing ETH in the depositCollateral function in GeneralVault.sol (when using the LidoVault.sol contract), the _amount in the emitted event may not be the same as the msg.value.
The assumption is that the DepositCollateral event should emit the actual amount deposited.
Consider using the _stAssetAmount value (returned from the _depositToYieldPool function) for the emit instead of the _amount value.
#0 - HickupHH3
2022-06-06T06:43:31Z
low severity issue