Platform: Code4rena
Start Date: 08/07/2021
Pot Size: $50,000 USDC
Total HM: 7
Participants: 13
Period: 7 days
Judge: ghoulsol
Total Solo HM: 5
Id: 18
League: ETH
Rank: 11/13
Findings: 3
Award: $429.51
🌟 Selected for report: 1
🚀 Solo Findings: 0
360.7268 USDC - $360.73
jonah1005
A non standard erc20 token would always raise error when calling _safeTransferFrom. If a user creates a USDT/DAI pool and deposit into the pool he would find out there's never a counterpart deposit.
TransferHelper does not uses SafeERC20 library as the function name implies.
A sample POC: script:
usdt.functions.approve(lending_pair.address, deposit_amount).transact({'from': w3.eth.accounts[0]}) lending_pair.functions.deposit(w3.eth.accounts[0], usdt.address, deposit_amount).transact({'from': w3.eth.accounts[0]})
Error Message:
Error: Transaction reverted: function returned an unexpected amount of data at LendingPair._safeTransferFrom (contracts/TransferHelper.sol:20) at LendingPair.deposit (contracts/LendingPair.sol:95)
Hardhat
Uses openzeppelin SafeERC20 in transfer helper (and any other contract that uses IERC20).
#0 - ghoul-sol
2021-08-01T20:58:09Z
This can effect deposits so it's a medium risk.
41.0609 USDC - $41.06
jonah1005
Checking amount > 0 after external call would cost users extra gas.
Checking amount > 0 after external call would cost users extra gas.
None
moves require(_amount > 0, "TransferHelper: amount must be > 0"); before calling transferFrom.
#0 - talegift
2021-07-15T07:18:58Z
#56
27.7161 USDC - $27.72
jonah1005
In function withdrawBorrowETH of LendingPair.sol
_checkMinReserve is called in function _wethWithdrawTo. Calling it again right after _wethWithdrawTo is unnecesssary.
withdrawBorrowETH: https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/LendingPair.sol#L111
_wethWithdrawTo: https://github.com/code-423n4/2021-07-wildcredit/blob/82c48d73fd27a9d4d5d4a395b3affcef4ef6c5c8/contracts/LendingPair.sol#L110
withdrawBorrowETH#0 - talegift
2021-07-14T09:20:11Z
#26