Platform: Code4rena
Start Date: 09/09/2021
Pot Size: $60,000 USDC
Total HM: 24
Participants: 12
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 14
Id: 30
League: ETH
Rank: 12/12
Findings: 2
Award: $85.12
🌟 Selected for report: 2
🚀 Solo Findings: 0
6.7734 YAXIS - $26.42
gpersoon
The function depositMultipleVault of VaultHelper doesn't check the array size of _tokens and _amounts are the same length. In previous version of solidity there were bugs with giving an enormous large array to a function which accepted memory arrays. Although depositMultipleVault uses calldata arrays, it is probably better to add a check on the length.
On the other hand the function depositMultiple of Vault.sol does check it.
https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/VaultHelper.sol#L57
function depositMultipleVault( address _vault, address[] calldata _tokens, uint256[] calldata _amounts ) external { for (uint8 i = 0; i < _amounts.length; i++) { ...
https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/Vault.sol#L188
function depositMultiple( address[] calldata _tokens, uint256[] calldata _amounts ) external override notHalted returns (uint256 _shares) { require(_tokens.length == _amounts.length, "!length"); for (uint8 i; i < _amounts.length; i++) { ...
Add something like the following in depositMultipleVault: require(_tokens.length == _amounts.length, "!length");
#0 - Haz077
2021-09-20T19:00:58Z
Edits are added in code-423n4/2021-09-yaxis#9
#1 - GalloDaSballo
2021-10-12T21:47:27Z
This submission is the highest quality between this and (duplicate #33)
I downgreade the severtity to gas as in the worst case it would waste gas on a revert
Sponsor mitigated as of 22 days ago
🌟 Selected for report: gpersoon
15.052 YAXIS - $58.70
gpersoon
The function withdraw of Vault.sol calculates _toWithdraw, _after and _diff if _diff < _toWithdraw then: _amount = _balance + _diff, which is the same as: _amount = _balance + _after - _balance, which is the same as: _amount = _after
Changing this makes the code easier to read and save a bit of gas.
https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/Vault.sol#L226
function withdraw(uint256 _shares, address _output) public override checkToken(_output) { uint256 _amount = (balance().mul(_shares)).div(totalSupply()); ... uint256 _balance = IERC20(_output).balanceOf(address(this)); if (_balance < _amount) { IController _controller = IController(manager.controllers(address(this))); uint256 _toWithdraw = _amount.sub(_balance); if (_controller.strategies() > 0) { _controller.withdraw(_output, _toWithdraw); } uint256 _after = IERC20(_output).balanceOf(address(this)); uint256 _diff = _after.sub(_balance); if (_diff < _toWithdraw) { _amount = _balance.add(_diff); // == _balance + (_after - _balance) == _after } }
replace
_amount = _balance.add(_diff);
with
_amount = _after;
#0 - GalloDaSballo
2021-10-12T22:48:07Z
Agree with finding and recommended steps, code is cleaner and saves gas