Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $50,000 USDC
Total HM: 31
Participants: 99
Period: 5 days
Judges: moose-code, JasoonS, denhampreen
Total Solo HM: 17
Id: 139
League: ETH
Rank: 78/99
Findings: 1
Award: $53.16
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xmint, Bnke0x0, BowTiedWardens, Chom, ElKu, FudgyDRS, Funen, GalloDaSballo, GimelSec, JC, Kaiziron, Lambda, Limbooo, Metatron, MiloTruck, Noah3o6, Picodes, PumpkingWok, PwnedNoMore, Sm4rty, StErMi, TomJ, TrungOre, UnusualTurtle, Waze, _Adam, aga7hokakological, ak1, antonttc, berndartmueller, cccz, cryptphi, csanuragjain, defsec, delfin454000, dipp, elprofesor, exd0tpy, fatherOfBlocks, hake, hansfriese, hubble, joestakey, kenta, ladboy233, mics, oyc_109, pashov, pedr02b2, reassor, robee, samruna, scaraven, shung, sikorico, simon135, sseefried, tchkvsky, unforgiven, zzzitron
53.1558 USDC - $53.16
setAffiliateFee in Staking.sol does not enforce the upper limitAn upper limit should be enforced when setting a new fee (as in LiquidityReserve.sol:setFee), to prevent the fee from being accidently set to BASIS_POINT or more which could result in broken functionality throughout the Staking.sol contract including in the _sendAffiliateFee function.
Set a condition in setAffiliateFee that prevents the fee from being set to more than BASIS_POINTS. Ideally a max fee variable should be used which is much less than 100%.
If STAKING_TOKEN is a token that charges a fee on transfer then the stake function in Staking.sol might revert.
_depositFor function in Tokemak's Staking.sol(https://github.com/Tokemak/tokemak-smart-contracts-public/blob/main/contracts/staking/Staking.sol#L410):
tokeToken.safeTransferFrom(msg.sender, address(this), amount);
After the staking token is transferred to Yieldy Staking.sol, the amount is then deposited into Tokemak where the transaction will revert in the line shown above due to the Yieldy staking contract not having enough staking tokens .
When staking tokens are transferred into Staking.sol, check the balances before and after the transfer and use the difference of the balances instead of the supplied amount.