Platform: Code4rena
Start Date: 09/11/2021
Pot Size: $75,000 USDC
Total HM: 57
Participants: 27
Period: 7 days
Judge: alcueca
Total Solo HM: 49
Id: 52
League: ETH
Rank: 6/27
Findings: 4
Award: $3,549.86
π Selected for report: 5
π Solo Findings: 2
π Selected for report: gzeon
1619.075 USDC - $1,619.07
gzeon
Vader reimburse user IL immediately when user withdraw from the pool (VaderRouterV2.sol:L227), an attacker can therefore manipulate the pool balance causing a high IL, remove liquidity and restore the pool balance such that he will receive a larger IL reimbursement.
Let's assume our attacker own 100% of FOO-VADER
The profit is constrained by gas cost, pool fee, % of pool controlled by the attacker and % of IL protection.
Use twap price to determine P1 in VaderMath.sol:L84 when calculating IL to reduce risk of manipulation
#0 - SamSteinGG
2021-11-25T12:28:41Z
Duplicate of #2
#1 - alcueca
2021-12-10T15:00:22Z
Doesn't seem like a duplicate to me, @SamSteinGG?
#2 - SamSteinGG
2021-12-16T11:48:59Z
@alcueca The stated trade cannot occur as trades are inherently limited by the CLP design of the protocol to one third of the available pair liquidity. As such, the illustrated pair would actually result in almost zero units retrieved back.
π Selected for report: gzeon
1619.075 USDC - $1,619.07
gzeon
Since veto ensure none of the actions in proposal being vetoed point to the contract (GovernorAlpha.sol:L562), a malicious proposal can be designed to have an action that point to governance and therefore effectively cannot be vetoed.
For any attacker who want to launch a governance attack using a malicious proposal, they simply need to add an action that point to governance that does nothing (or anything).
Some other design can be proposal are vetoable whenever the differential is less than x%, even if it involves governance change, s.t. council can veto most malicious proposal while it is still possible to change council given high enough vote differential.
#0 - SamSteinGG
2021-11-20T06:55:50Z
Duplicate of #61
#1 - alcueca
2021-12-10T14:52:42Z
Not a duplicate
#2 - MrToph
2022-03-22T15:01:46Z
Duplicate of #167
12.5116 USDC - $12.51
gzeon
VaderMath.sol:L84 safe maths can be wrapped by a unchecked block to save gas on solidity 0.8.0+
#0 - SamSteinGG
2021-11-20T06:53:24Z
Duplicate of #43
π Selected for report: gzeon
68.651 USDC - $68.65
gzeon
Migrations.sol:L16 restricted can be inlined to save gas vs using modifier
π Selected for report: gzeon
161.9075 USDC - $161.91
gzeon
TwapOracle.sol:L187 said disabled doesn't match the check in L182
function vaderToUsdv(uint256 vaderAmount) external view returns (uint256) { if (!_usdvEnabled) { // HERE IS DISABLED // consult call returns true USD amount against 1 Vader and is multiplied with {vaderAmount}. return consult(VADER) * vaderAmount; } // HERE IS ENABLED // usdv price is disabled so true USD value of both Vader and USDV is taken into account. return vaderAmount / getRate(); }
Not sure about the proper logic, please confirm.
#0 - SamSteinGG
2021-11-25T12:29:23Z
This is a comment finding and as such should be a no risk
#1 - alcueca
2021-12-11T07:25:53Z
Issues with comments are severity 1
#2 - SamSteinGG
2021-12-22T07:38:59Z
The TWAP oracle module has been completely removed and redesigned from scratch as LBTwap that is subject of the new audit.
π Selected for report: gzeon
68.651 USDC - $68.65
gzeon
VaderMath.sol:L88 releasedValue can be simplified as (releasedVader + releasedVader)