Platform: Code4rena
Start Date: 17/02/2022
Pot Size: $75,000 USDC
Total HM: 20
Participants: 39
Period: 7 days
Judges: moose-code, JasoonS
Total Solo HM: 13
Id: 89
League: ETH
Rank: 35/39
Findings: 1
Award: $142.32
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: defsec
Also found by: 0v3rf10w, 0x0x0x, 0x1f8b, 0xwags, CertoraInc, Dravee, IllIllI, Meta0xNull, Nikolay, Omik, WatchPug, bobi, cccz, csanuragjain, danb, gzeon, hubble, hyh, itsmeSTYJ, jayjonah8, kenta, kirk-baird, leastwood, pauliax, peritoflores, rfa, robee, sorrynotsorry, ye0lde
142.3223 USDC - $142.32
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/VUSD.sol#L48
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/VUSD.sol#L43
In VUSD.sol the mintWithReserve() and withdraw() functions handle minting and burning of the VUSD tokens. Neither function requires that the amount passed in is larger than 0, yet both still emit a Transfer event through the OpenZeppelin ERC20 library. Leaving out this check can trick the protocol into thinking that funds were minted or burned when in fact nothing moved. This is especially important if the protocol will ever rely on these events to make decisions in the code.
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/VUSD.sol#L48
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/VUSD.sol#L43
Manual code review
Add to the mintWithReserve() and withdraw() functions in VUSD.sol: require(amount > 0, "Amount cannot be 0");
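The unguarded and guarded paths side by side, as an added illustration that is not the Hubble code: VusdLike, its token name and symbol, and the reserveToken wiring are hypothetical stand-ins for the real VUSD.sol, kept only to show where the check sits and why the zero-amount event fires.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical minimal stand-in for VUSD.sol (example code, not the
/// project's): a token minted against a reserve token held by the contract.
contract VusdLike is ERC20 {
    using SafeERC20 for IERC20;

    IERC20 public immutable reserveToken; // constructed name, not from the page

    constructor(IERC20 _reserveToken) ERC20("Example vUSD", "vUSD") {
        reserveToken = _reserveToken;
    }

    /// Unguarded form (the pattern the finding describes): OpenZeppelin's
    /// _mint reverts only on a zero address, so amount == 0 passes through
    /// and still emits Transfer(address(0), to, 0), a "mint" that moved
    /// nothing. An off-chain consumer counting mint events sees one anyway.
    function mintWithReserveUnchecked(address to, uint256 amount) external {
        reserveToken.safeTransferFrom(msg.sender, address(this), amount);
        _mint(to, amount);
    }

    /// Guarded form: the require recommended in the finding. A zero amount
    /// now reverts before any reserve movement or event emission.
    function mintWithReserve(address to, uint256 amount) external {
        require(amount > 0, "Amount cannot be 0");
        reserveToken.safeTransferFrom(msg.sender, address(this), amount);
        _mint(to, amount);
    }

    /// Guarded burn path: without the require, _burn would likewise emit
    /// Transfer(msg.sender, address(0), 0) for a withdrawal of nothing.
    function withdraw(uint256 amount) external {
        require(amount > 0, "Amount cannot be 0");
        _burn(msg.sender, amount);
        reserveToken.safeTransfer(msg.sender, amount);
    }
}
```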
#0 - atvanguard
2022-02-24T08:24:56Z
Duplicate of #119
#1 - moose-code
2022-03-06T15:37:08Z
Not agreeing it's a duplicate of #119 as it doesn't talk about ddos. Making this low.
#2 - JeeberC4
2022-03-24T20:41:33Z
Since this issue was downgraded to a QA level, and the warden did not submit a separate QA report, we've renamed this one to "QA report" for consistency. The original title, for the record, was "VUSD.sol functions don't check if amount > 0".