Platform: Code4rena
Start Date: 06/01/2022
Pot Size: $60,000 USDC
Total HM: 20
Participants: 33
Period: 7 days
Judge: LSDan
Total Solo HM: 9
Id: 67
League: ETH
Rank: 17/33
Findings: 2
Award: $680.56
🌟 Selected for report: 1
🚀 Solo Findings: 0
hyh
A sandwich attack is possible: an attacker can track a market order and perform it whenever the order amount to be executed is big enough to compensate for the exchange manipulation costs. On Curve it is less profitable and thus less probable due to low slippage, but the possibility exists.
No minimum return is used when Curve is called to do the UST swaps:
doHardWork -> _swapUnderlyingToUst uses 0 as the minimum accepted return:
finishRedeemStable -> _swapUstToUnderlying also uses 0 as the minimum return:
Add a slippage argument to the doHardWork and finishRedeemStable functions and supply the minimum accepted return to Curve instead of the hard-coded 0.
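Illustration of the recommended fix, added here as an example and not Sandclock's own code: the unguarded Curve call beside a version that takes a minimum return from the caller. The pool interface uses Curve's real exchange_underlying / get_dy_underlying signatures; the contract name, function names and coin indexes are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Curve pool interface (real Curve function signatures).
interface ICurvePool {
    function get_dy_underlying(int128 i, int128 j, uint256 dx) external view returns (uint256);
    function exchange_underlying(int128 i, int128 j, uint256 dx, uint256 min_dy) external returns (uint256);
}

// Hypothetical strategy sketch, not the Sandclock code. Coin indexes are assumptions.
contract SwapExample {
    ICurvePool public immutable pool;
    int128 constant UNDERLYING_INDEX = 1; // assumed
    int128 constant UST_INDEX = 0;        // assumed
    uint256 constant BPS = 10_000;

    constructor(ICurvePool _pool) {
        pool = _pool;
    }

    // Vulnerable pattern: min_dy = 0 accepts any output, so a swap that moves
    // the pool price right before this call can capture most of the value.
    function swapUnderlyingToUstUnsafe(uint256 amount) external returns (uint256) {
        return pool.exchange_underlying(UNDERLYING_INDEX, UST_INDEX, amount, 0);
    }

    // Hardened pattern: the caller supplies the minimum acceptable return
    // (derived off-chain from a quote and a slippage tolerance); Curve reverts
    // if the actual output is below it, so the transaction fails instead of
    // executing at a manipulated price.
    function swapUnderlyingToUst(uint256 amount, uint256 minUstOut) external returns (uint256) {
        require(minUstOut > 0, "min return not set");
        return pool.exchange_underlying(UNDERLYING_INDEX, UST_INDEX, amount, minUstOut);
    }

    // Helper for an off-chain caller to derive minUstOut from the current quote.
    // Caveat: quoting on-chain inside the same transaction gives no protection,
    // because the quote would already reflect the attacker's front-running swap.
    function quoteWithSlippage(uint256 amount, uint256 slippageBps) external view returns (uint256) {
        require(slippageBps <= BPS, "bad slippage");
        uint256 quoted = pool.get_dy_underlying(UNDERLYING_INDEX, UST_INDEX, amount);
        return quoted * (BPS - slippageBps) / BPS;
    }
}
```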
#0 - naps62
2022-01-11T18:44:40Z
duplicate of #7
🌟 Selected for report: hyh
590.4972 USDC - $590.50
hyh
The underlying() function description repeats minLockPeriod()'s:
Set it to the same line as is used in Vault, 'Underlying ERC20 token accepted by the vault':
https://github.com/code-423n4/2022-01-sandclock/blob/main/sandclock/contracts/Vault.sol#L48
#0 - r2moon
2022-01-11T15:54:59Z
I agree with this issue, but it is not a risk.
#1 - dmvt
2022-01-28T20:12:32Z
No assets at risk, but it is an issue with a comment.
1 — Low: Assets are not at risk. State handling, function incorrect as to spec, issues with comments.
#2 - naps62
2022-02-16T15:51:45Z
already fixed