Platform: Code4rena
Start Date: 21/12/2021
Pot Size: $30,000 USDC
Total HM: 20
Participants: 20
Period: 5 days
Judge: Jack the Pug
Total Solo HM: 13
Id: 70
League: ETH
Rank: 7/20
Findings: 2
Award: $599.62
🌟 Selected for report: 1
🚀 Solo Findings: 1
🌟 Selected for report: gzeon
431.3773 USDC - $431.38
gzeon
Oracles are mapped to the foreignAsset but not to the specific pair. Pairs with the same foreignAsset (e.g. UniswapV2 and Sushi) will be forced to use the same oracle. Generally this should be the expected behavior but there are also possibility that while adding a new pair changed the oracle of an older pair unexpectedly.
oracles[foreignAsset] = oracle;
Bind the oracle to pair instead
64.7066 USDC - $64.71
gzeon
addVaderPair does not check if the pair is already added, duplicates can be added which will lead to double-counting of liquidity.
Notably the pair will be added to vaderPairs which will be iterated over in e.g. syncVaderPrice
https://github.com/code-423n4/2021-12-vader/blob/9fb7f206eaff1863aeeb8f997e0f21ea74e78b49/contracts/lbt/LiquidityBasedTWAP.sol#L301
vaderPairs.push(pair);
uint256 totalPairs = vaderPairs.length; pastLiquidityWeights = new uint256[](totalPairs); pastTotalLiquidityWeight = totalLiquidityWeight[uint256(Paths.VADER)]; for (uint256 i; i < totalPairs; ++i) {
Check if the pair already exists in vaderPairs
#0 - jack-the-pug
2022-03-13T07:16:30Z
Downgrading to low because the impact is low and the precondition is the owner's misbehavior.
#1 - jack-the-pug
2022-03-13T07:17:03Z
Dup #102
64.7066 USDC - $64.71
gzeon
There are no way to remove/change existing pair in LiquidityBasedTWAP. This will become an issue if any of the oracle is down for extended period since most interaction with the contract will invoke getChainlinkPrice on all foreign asset, a broken oracle will revert all tx and make the protocol unusable.
require( answeredInRound >= roundID, "LBTWAP::getChainlinkPrice: Stale Chainlink Price" ); require(price > 0, "LBTWAP::getChainlinkPrice: Chainlink Malfunction");
Add a method for removing USDVPair
#0 - jack-the-pug
2022-03-13T07:18:54Z
Dup #104
🌟 Selected for report: TomFrenchBlockchain
gzeon
cycleMints is not checked against dailyLimit if it is the first mint in 24 hours. It allow minting more than dailyLimit which open up opportunity for an attacker to manipulate price, mint a lot of USDV and sell to liquidity pools.
https://github.com/code-423n4/2021-12-vader/blob/9fb7f206eaff1863aeeb8f997e0f21ea74e78b49/contracts/tokens/USDV.sol#L78
There are no check if cycleTimestamp <= block.timestamp
if (cycleTimestamp <= block.timestamp) { cycleTimestamp = block.timestamp + 24 hours; cycleMints = uAmount; } else { cycleMints += uAmount; require( cycleMints <= dailyLimit, "USDV::mint: 24 Hour Limit Reached" ); }
Move the require statement out of the ifelse block
#0 - 0xstormtrooper
2021-12-27T08:30:52Z
#1 - jack-the-pug
2022-03-13T11:24:33Z
Dup #45