Malt Finance contest - hagrid's results

Yield farmable, incentive-centric algorithmic stable coin.

General Information

Platform: Code4rena

Start Date: 25/11/2021

Pot Size: $80,000 USDC

Total HM: 35

Participants: 32

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 27

Id: 59

League: ETH

Malt Finance

Findings Distribution

Researcher Performance

Rank: 27/32

Findings: 2

Award: $155.86

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Malt Finance

Findings Information

🌟 Selected for report: defsec

Also found by: hagrid, robee

Labels

bug

duplicate

1 (Low Risk)

Awards

99.3381 USDC - $99.34

External Links

Link to GitHub issue

Handle

hagrid

Vulnerability details

Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.

Impact

When using one of these unsupported tokens, all transactions revert and the protocol cannot be used.

Proof of Concept

https://github.com/code-423n4/2021-11-malt/blob/d3f6a57ba6694b47389b16d9d0a36a956c5e6a94/src/contracts/StabilizerNode.sol#L112

https://github.com/code-423n4/2021-11-malt/blob/d3f6a57ba6694b47389b16d9d0a36a956c5e6a94/src/contracts/StabilizerNode.sol#L252

Tools Used

Manual analysis

Recommended Mitigation Steps

Safeapprove with a zero amount first before setting the actual amount.

#0 - 0xScotch
2021-12-08T16:22:05Z

#41

#1 - GalloDaSballo
2022-01-24T00:57:28Z

Duplicate of #41

Findings Information

🌟 Selected for report: hagrid

Labels

bug

G (Gas Optimization)

sponsor disputed

Awards

56.5245 USDC - $56.52

External Links

Link to GitHub issue

Handle

hagrid

Vulnerability details

The withdraw(uint256 rewardAmount) function on the AbstractRewardMine contract is wrongly controlling the reward amount.

Impact

Using the withdraw function instead of withdrawAll function will cost nearly same gas amount since these functions are nearly identical.

Proof of Concept

Tools Used

Manual Review

Recommended Mitigation Steps

require(rewardAmount <= rewardEarned, "< earned"); The require function above should be replaced with: require(rewardAmount < rewardEarned, "< earned");

Else, both withdraw functions will be nearly identical.

#0 - GalloDaSballo
2022-01-01T15:54:37Z

I agree with the warden that withdrawAll is basically the same as withdraw withdraw could be made public and reused in withdrawAll

Malt Finance contest - hagrid's results

Yield farmable, incentive-centric algorithmic stable coin.

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $99.34

Gas Report - $56.52

QA Report - $99.34

Gas Report - $56.52

[L-10] Reward Token should be approved for address `0` for USDT-kind tokens. - $99.34

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - 0xScotch2021-12-08T16:22:05Z

#1 - GalloDaSballo2022-01-24T00:57:28Z

🚀 [G-37] Invalid equation check on `require` - $56.52

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - GalloDaSballo2022-01-01T15:54:37Z

#0 - 0xScotch
2021-12-08T16:22:05Z

#1 - GalloDaSballo
2022-01-24T00:57:28Z

#0 - GalloDaSballo
2022-01-01T15:54:37Z