Back to georgypetrov's contests

Badger-Vested-Aura contest - georgypetrov's results

Bringing BTC to DeFi

General Information

Platform: Code4rena

Start Date: 15/06/2022

Pot Size: $30,000 USDC

Total HM: 5

Participants: 55

Period: 3 days

Judge: Jack the Pug

Id: 138

League: ETH

BadgerDAO

Findings Distribution

Researcher Performance

Rank: 47/55

Findings: 1

Award: $50.71

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryBadgerDAO

Findings Information

🌟 Selected for report: Picodes

Also found by: 0x1f8b, 0x52, Chom, GimelSec, IllIllI, berndartmueller, cccz, defsec, georgypetrov, hyh, kenzo, minhquanym, oyc_109, scaraven, unforgiven

Awards

50.7077 USDC - $50.71

Labels

bug
duplicate
2 (Med Risk)
sponsor acknowledged
valid

External Links

Link to GitHub issue

Lines of code

https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L249 https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L275 https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L259

Vulnerability details

Impact

There is no check on minimum amounts out on swaps, it creates an opportunity to perform a sandwich attack to harvest function execution. Also exitPool call also has zero minimum amounts out

Add slippage limit maybe using oracles

#0 - GalloDaSballo

2022-06-17T15:47:10Z

Agree with the possibility, we mitigate via Private Transactions

#1 - KenzoAgada

2022-06-22T10:21:02Z

Duplicate of #155

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter