Platform: Code4rena
Start Date: 16/11/2021
Pot Size: $30,000 USDC
Total HM: 3
Participants: 18
Period: 3 days
Judge: leastwood
Total Solo HM: 2
Id: 56
League: ETH
Rank: 8/18
Findings: 2
Award: $365.69
🌟 Selected for report: 0
🚀 Solo Findings: 0
hickuphh3
There are 2 cases that can lead to permanently locked funds.
Should the adapter be deployed with the admin specified as an address that isn't the Alchemist contract, deposits through the Alchemist contract will work, but withdrawals will revert.
A user (non-admin) that chooses to deposit into the yAxis vault directly through the adapter will be unable to withdraw his funds.
deposit() should have the onlyAdmin modifier as well.
function deposit(uint256 _amount) external override onlyAdmin {
    vault.deposit(_amount);
}
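A small Python model of the two cases in this finding, added here as an illustration and not code from the report or the project. The class names, the string addresses and the `locked_after` helper are assumptions, and token transfers are reduced to a balance counter.

```python
class Revert(Exception):
    """Stands in for a Solidity revert."""

class Vault:
    """Constructed stand-in for the yAxis vault: tracks deposits per caller."""
    def __init__(self):
        self.balance_of = {}
    def deposit(self, caller, amount):
        self.balance_of[caller] = self.balance_of.get(caller, 0) + amount
    def withdraw(self, caller, amount):
        if self.balance_of.get(caller, 0) < amount:
            raise Revert("insufficient balance")
        self.balance_of[caller] -= amount

class Adapter:
    """Model of the adapter: withdraw() is admin-only, deposit() optionally so."""
    def __init__(self, vault, admin, guard_deposit):
        self.vault, self.admin, self.guard_deposit = vault, admin, guard_deposit
        self.paid_out = {}  # tokens sent to each recipient
    def _only_admin(self, sender):
        if sender != self.admin:
            raise Revert("!admin")
    def deposit(self, sender, amount):
        if self.guard_deposit:  # the onlyAdmin modifier suggested in the finding
            self._only_admin(sender)
        self.vault.deposit("adapter", amount)
    def withdraw(self, sender, recipient, amount):
        self._only_admin(sender)
        self.vault.withdraw("adapter", amount)
        self.paid_out[recipient] = self.paid_out.get(recipient, 0) + amount

def locked_after(admin, depositor, guard_deposit, amount=100):
    """Deposit then withdraw as `depositor`; return what stays stuck in the vault."""
    vault = Vault()
    adapter = Adapter(vault, admin, guard_deposit)
    try:
        adapter.deposit(depositor, amount)
        adapter.withdraw(depositor, depositor, amount)
    except Revert:
        pass  # the reverted call changes nothing; earlier state persists
    return vault.balance_of.get("adapter", 0)

if __name__ == "__main__":
    # (admin, depositor): correct setup, case 1 (wrong admin), case 2 (direct user)
    for admin, who in [("alchemist", "alchemist"), ("deployer", "alchemist"),
                       ("alchemist", "user")]:
        print(admin, who, locked_after(admin, who, False), locked_after(admin, who, True))
```

In this model, guarding deposit() makes the call revert before any funds reach the vault, so both cases end with nothing locked.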
#0 - Xuefeng-Zhu
2021-12-09T06:57:51Z
only AlchemyVault will use this function
#1 - Xuefeng-Zhu
2021-12-09T07:03:58Z
21.2967 USDC - $21.30
hickuphh3
FixedPointMath is imported, but isn't used by the adapter and is therefore redundant.
The import can be removed.
import {FixedPointMath} from '../libraries/FixedPointMath.sol';
#0 - Xuefeng-Zhu
2021-12-09T06:43:02Z
hickuphh3
The vault, admin and vault's token variables can be made immutable. The constructor method will have to be modified to work around the limitation of being unable to read immutable variables during contract creation time, but it will be worthwhile to do so for the gas savings made.
/// @dev The vault that the adapter is wrapping.
IVault public immutable vault;

/// @dev The address which has admin control over this contract.
address public immutable admin;

IDetailedERC20 public immutable token;

constructor(IVault _vault, address _admin) public {
    vault = _vault;
    admin = _admin;
    IDetailedERC20 _token = IDetailedERC20(_vault.getToken());
    token = _token;
    _token.safeApprove(address(_vault), uint256(-1));
}

// token() view function becomes redundant
// function token() external view override returns (IDetailedERC20) {
//     return IDetailedERC20(vault.getToken());
// }

function withdraw(address _recipient, uint256 _amount) external override onlyAdmin {
    vault.withdraw(_tokensToShares(_amount));
    token.safeTransfer(_recipient, _amount);
}

/// @dev Updates the vaults approval of the token to be the maximum value.
function updateApproval() external {
    token.safeApprove(address(vault), uint256(-1));
}
#0 - Xuefeng-Zhu
2021-12-09T06:45:13Z