Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $50,000 USDC
Total HM: 31
Participants: 99
Period: 5 days
Judges: moose-code, JasoonS, denhampreen
Total Solo HM: 17
Id: 139
League: ETH
Rank: 29/99
Findings: 3
Award: $331.58
🌟 Selected for report: 0
🚀 Solo Findings: 0
119.2495 USDC - $119.25
Yieldy.transferFrom() returns false on failure instead of reverting.
This might lead to moveFundsToUpgradedContract() incorrectly unstaking and restaking tokens, potentially causing user or Migration.sol to lose funds depending on NEW_CONTRACT and OLD_CONTRACT implementations.
IYieldy(OLD_YIELDY_TOKEN).transferFrom( msg.sender, address(this), userWalletBalance );
No check for boolean return value from transferFrom()
Manual Review
Implement a check on the return value of transferFrom().
#0 - toshiSat
2022-06-27T21:31:42Z
sponsor confirmed
#1 - 0xean
2022-08-05T22:56:01Z
This is incorrect, the yieldy transfer call definitely reverts if it fails.
Take a look at the solidity compiler version.
#2 - toshiSat
2022-08-08T13:49:45Z
I still think it will be good to explicitly check this instead of relying on the compiler version to make it more future proof (even though it most likely won't be affected).
🌟 Selected for report: unforgiven
Also found by: IllIllI, TrungOre, asutorufos, hake, robee
stake() will revert for tokens that charge a fee on transfer.
Note: POC below assumes tokePoolContract.deposit(_amount) transfers part of Staking.sol balance to tokePoolContract.
stake() uses the _amount as a reference for _depositToTokemak() and assumes the amount received is equal to _amount.
However, with fee on transfer tokens the amount received by Staking.sol will be inferior to _amount due to the fee charged on transfer by the token.
Manual Review
Check the difference between the before and after balance to ensure amount used to deposit is equal to the amount Staking.sol has received.
#0 - toshiSat
2022-06-27T21:28:42Z
duplicate #222
🌟 Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xmint, Bnke0x0, BowTiedWardens, Chom, ElKu, FudgyDRS, Funen, GalloDaSballo, GimelSec, JC, Kaiziron, Lambda, Limbooo, Metatron, MiloTruck, Noah3o6, Picodes, PumpkingWok, PwnedNoMore, Sm4rty, StErMi, TomJ, TrungOre, UnusualTurtle, Waze, _Adam, aga7hokakological, ak1, antonttc, berndartmueller, cccz, cryptphi, csanuragjain, defsec, delfin454000, dipp, elprofesor, exd0tpy, fatherOfBlocks, hake, hansfriese, hubble, joestakey, kenta, ladboy233, mics, oyc_109, pashov, pedr02b2, reassor, robee, samruna, scaraven, shung, sikorico, simon135, sseefried, tchkvsky, unforgiven, zzzitron
53.3348 USDC - $53.33
I recommend using safeIncreaseAllowance() from OpenZeppelin.
@ notice remove address to contracts array
Change to: remove address from contracts array https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/BatchRequests.sol#L86
using the word enable in enableLiquidityReserve() implies it can be disabled. I suggest changing the word "enable" to "init" stemming from initialise.
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/LiquidityReserve.sol#L57