Platform: Code4rena
Start Date: 07/08/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 125
Period: 3 days
Judge: alcueca
Total Solo HM: 4
Id: 274
League: ETH
Rank: 80/125
Findings: 1
Award: $9.82
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RED-LOTUS-REACH
Also found by: 0x3b, 0x4non, 0xCiphky, 0xDING99YA, 0xDetermination, 0xE1, 0xG0P1, 0xStalin, 0xWaitress, 0xbrett8571, 0xhacksmithh, 0xkazim, 0xmuxyz, 0xweb3boy, 14si2o_Flint, AlexCzm, Alhakista, Bube, Bughunter101, Deekshith99, Eeyore, Giorgio, HChang26, InAllHonesty, JP_Courses, KmanOfficial, MatricksDeCoder, Mike_Bello90, MrPotatoMagic, Naubit, QiuhaoLi, RHaO-sec, Raihan, Rolezn, SUPERMAN_I4G, Shubham, Silverskrrrt, Strausses, T1MOH, Topmark, Tripathi, Watermelon, _eperezok, aakansha, auditsea, audityourcontracts, ayden, carlos__alegre, castle_chain, cducrest, ch0bu, d23e, deadrxsezzz, deth, devival, erebus, fatherOfBlocks, halden, hassan-truscova, hpsb, hunter_w3b, imkapadia, immeas, jat, kaden, kaveyjoe, klau5, koxuan, kutugu, ladboy233, lanrebayode77, leasowillow, lsaudit, markus_ether, matrix_0wl, merlin, nemveer, ni8mare, nonseodion, oakcobalt, owadez, p_crypt0, pipidu83, piyushshukla, popular00, ppetrov, rjs, sandy, sl1, supervrijdag, tay054, thekmj, wahedtalash77, windhustler, zhaojie
9.8204 USDC - $9.82
There is a receive() payable function, which implies funds can be sent directly to LendingLedger.sol (AKA dust), and the only way to recover funds is through the claim function, which does not take this behavior into account. That means the dust in the contract is locked. Consider adding a method to recover dust sent to the contract, like:

    function recoverDust(address target, uint256 amount) public onlyGovernance {
        // target is an address, so the zero check must compare against address(0)
        require(target != address(0), "recoverDust -> target == 0");
        (bool success, ) = target.call{value: amount}("");
        require(success, "recoverDust -> Failed call");
    }
CHECK => LendingLedger.sol#L63
CHECK => LendingLedger.sol#L86

Both lines calculate updateUntilEpoch before the if-else clause, but the value is only used in the else branch. Consider moving that calculation into the else clause to be consistent with the expected "workflow" (that is, don't do unnecessary work).
Use weeks instead of days when defining "full-weeks" constants (the same for "full-years")

In VotingEscrow the constant WEEK is defined as 7 days instead of using the built-in Solidity unit. Rely on the built-in units instead of hardcoding them as days (this increases readability from a developer's point of view). The same applies to LOCKTIME, which is equal to 5 years; the current definition is not very straightforward.

    uint256 public constant WEEK = 7 days;         // <================ shall be 1 weeks, which is more explicit
    uint256 public constant LOCKTIME = 1825 days;  // <======== shall be 5 years

The same applies to GaugeController.sol#L16.
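The dust-recovery and time-unit points above, as an added Solidity illustration that is not code from the audited LendingLedger or VotingEscrow contracts: the contract name, fund(), claim(), totalClaimable and the governance address are assumptions made to show the pattern end to end. It restricts the sweep to the balance not owed to users, so a recovery function cannot double as a drain, and it writes the constants with built-in units (the years suffix was removed in Solidity 0.5.0, so 1825 days is written as 5 * 365 days).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;
// Added illustration, not the audited code: fund(), claim(), totalClaimable and
// the governance address are assumptions made to show the pattern end to end.
contract DustRecoveryExample {
    uint256 public constant WEEK = 1 weeks;          // built-in unit instead of 7 days
    uint256 public constant LOCKTIME = 5 * 365 days; // 1825 days; `years` was removed in Solidity 0.5.0

    address public governance;
    uint256 public totalClaimable;                   // ETH the contract owes to users
    mapping(address => uint256) public claimable;

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor() { governance = msg.sender; }

    // Accounted deposit: credited to a user and tracked in totalClaimable.
    function fund(address user) external payable {
        claimable[user] += msg.value;
        totalClaimable += msg.value;
    }

    // Unaccounted ETH (dust) lands here and is never credited to anyone.
    receive() external payable {}

    function claim() external {
        uint256 amount = claimable[msg.sender];
        claimable[msg.sender] = 0;
        totalClaimable -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "claim -> Failed call");
    }

    // Dust is the part of the balance not backed by user claims.
    function dust() public view returns (uint256) {
        return address(this).balance - totalClaimable;
    }

    // Governance may sweep dust only, so a recovery function cannot drain user funds.
    function recoverDust(address target, uint256 amount) external onlyGovernance {
        require(target != address(0), "recoverDust -> target == 0");
        require(amount <= dust(), "recoverDust -> exceeds dust");
        (bool ok, ) = target.call{value: amount}("");
        require(ok, "recoverDust -> Failed call");
    }
}
```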
Retrieving the last user point from the VotingEscrow in GaugeController.sol#L215-L220 is done by omitting the bias and ts returned values. For readability they are written as comments, but the /*int128 bias*/ one is placed within slope_ instead of before the comma. Consider putting the /*int128 bias*/ before the comma:

    ( /*int128 bias*/, int128 slope_, /*uint256 ts*/ ) = ve.getLastUserPoint(msg.sender);

instead of the current implementation:

    ( , /*int128 bias*/ int128 slope_, /*uint256 ts*/ ) = ve.getLastUserPoint(msg.sender);
#0 - c4-judge
2023-08-22T14:18:06Z
alcueca marked the issue as grade-a