Platform: Code4rena
Start Date: 09/09/2021
Pot Size: $60,000 USDC
Total HM: 24
Participants: 12
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 14
Id: 30
League: ETH
Rank: 9/12
Findings: 3
Award: $624.28
🌟 Selected for report: 0
🚀 Solo Findings: 0
itsmeSTYJ
If the strategy used accepts multiple tokens, a user can deposit in a cheaper token and withdraw in a more expensive token because the vault only tracks ownership based on how many shares they own.
Instead of relying on shares to keep track of ownership, the vault should also track the deposits at the token level and only allow users to withdraw the tokens that they deposited.
#0 - transferAndCall
2021-09-13T13:03:02Z
This seems to me as a duplicate of https://github.com/code-423n4/2021-09-yaxis-findings/issues/2
#1 - gpersoon
2021-09-30T11:52:12Z
I think this is also related to the underlying problem that all coins are assumed to have the same value. See also #2, #8, #9 and #158
#2 - GalloDaSballo
2021-10-14T16:58:16Z
Duplicate of #2
6.7734 YAXIS - $26.42
itsmeSTYJ
Gas optimization
Instead of looping all accepted strategies for a given vault, you should have a separate mapping from strategies → vault → addresses → index to track the index of strategy inside the strategies mapping. In fact, an address → index mapping should suffice if the strategies are unique to each vault.
#0 - uN2RVw5q
2021-10-03T15:12:29Z
Almost the same as https://github.com/code-423n4/2021-09-yaxis-findings/issues/12. Can be combined, but keeping them separate should also work.
#1 - GalloDaSballo
2021-10-12T23:00:44Z
Duplicate of #116
6.7734 YAXIS - $26.42
itsmeSTYJ
Gas optimization
Instead of looping all accepted tokens for a given vault, you should have a separate mapping from vault → token → index to track the index of token inside the tokens mapping.
#0 - GalloDaSballo
2021-10-12T22:59:12Z
Duplicate of #116
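The index mapping suggested in the two gas findings above (strategies and tokens), sketched for the token case as an added example that is not part of the original findings or the yAxis code base. The contract name, function names and compiler version are assumptions, and access control is left out to keep the pattern visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical registry written for illustration; not yAxis code.
// A real controller would restrict addToken/removeToken to governance.
contract VaultTokenRegistry {
    // vault => ordered list of accepted tokens
    mapping(address => address[]) private _tokens;
    // vault => token => position in _tokens[vault], stored 1-based
    // so that the default value 0 means "not accepted"
    mapping(address => mapping(address => uint256)) private _indexPlusOne;

    // O(1) membership check instead of a loop over the list
    function isAccepted(address vault, address token) public view returns (bool) {
        return _indexPlusOne[vault][token] != 0;
    }

    function addToken(address vault, address token) external {
        require(token != address(0), "zero token");
        require(!isAccepted(vault, token), "already accepted");
        _tokens[vault].push(token);
        _indexPlusOne[vault][token] = _tokens[vault].length;
    }

    // O(1) removal: swap the last element into the freed slot, then pop
    function removeToken(address vault, address token) external {
        uint256 slot = _indexPlusOne[vault][token];
        require(slot != 0, "not accepted");
        address[] storage list = _tokens[vault];
        uint256 last = list.length;
        if (slot != last) {
            address moved = list[last - 1];
            list[slot - 1] = moved;
            // The moved token's index must follow it, or later
            // lookups and removals would hit the wrong slot
            _indexPlusOne[vault][moved] = slot;
        }
        list.pop();
        delete _indexPlusOne[vault][token];
    }

    function tokensOf(address vault) external view returns (address[] memory) {
        return _tokens[vault];
    }
}
```

Swap-and-pop changes the order of the list, so this only fits where callers do not depend on token ordering.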
20.9319 YAXIS - $81.63
itsmeSTYJ
It might allow users to withdraw more than what they put in or not withdraw everything they put in.
How to withdraw more than what you put in
#0 - Haz077
2021-09-18T11:26:13Z
I don't think there is something that can be done in the contracts about that
#1 - transferAndCall
2021-09-18T12:58:34Z
Agreed. This is for governance to catch, not contract code.
#2 - GalloDaSballo
2021-10-12T23:21:13Z
Given the context of the feeOnTransfer token vulnerability, I believe this finding to be correct, and will maintain its low risk due to incompleteness
#3 - GalloDaSballo
2021-10-13T23:34:01Z
Duplicate of #62