Platform: Code4rena
Start Date: 15/06/2022
Pot Size: $30,000 USDC
Total HM: 5
Participants: 55
Period: 3 days
Judge: Jack the Pug
Id: 138
League: ETH
Rank: 12/55
Findings: 2
Award: $286.30
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Picodes
Also found by: 0x1f8b, 0x52, Chom, GimelSec, IllIllI, berndartmueller, cccz, defsec, georgypetrov, hyh, kenzo, minhquanym, oyc_109, scaraven, unforgiven
50.7077 USDC - $50.71
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L249
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L275
The harvest function executes swaps without minimum amount out specified.
MEV searchers can sandwich harvest calls to an unlimited degree, thereby making Badger get less funds than it deserves.
The _harvest function executes swaps without specifying minAmountOut:

    uint256 balEthBptEarned = BALANCER_VAULT.swap(singleSwap, fundManagement, 0, type(uint256).max);

The third parameter, 0, is the minAmountOut - see in Balancer documentation.
And similarly here:

    harvested[0].amount = BALANCER_VAULT.swap(singleSwap, fundManagement, 0, type(uint256).max);

Before executing the harvest transaction, query Balancer for the expected amount out - see here for the Balancer guide on how to do so. Then, pass this amount to the harvest function, and check that the slippage is whatever percentage is acceptable for you.
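The mitigation described above, modelled as an added Python example (not code from the finding or from Badger): the keeper turns a quote into a minimum amount out, and the swap reverts if the price moved past the tolerance. The constant-product Pool, the harvest signature, the reserves and the 0.5% tolerance are assumptions made for illustration, not Balancer's weighted-pool math.

```python
# Added illustration with constructed numbers; a constant-product pool
# stands in for the Balancer pool and fees are ignored.
BPS = 10_000

class SlippageExceeded(Exception):
    """Models the on-chain revert when a swap returns less than its limit."""

class Pool:
    def __init__(self, reserve_in: int, reserve_out: int):
        self.reserve_in = reserve_in
        self.reserve_out = reserve_out

    def quote(self, amount_in: int) -> int:
        """Read-only quote at the current reserves."""
        return amount_in * self.reserve_out // (self.reserve_in + amount_in)

    def swap(self, amount_in: int, min_amount_out: int) -> int:
        """State-changing swap that enforces the caller's limit."""
        out = self.quote(amount_in)
        if out < min_amount_out:
            raise SlippageExceeded(f"got {out}, limit {min_amount_out}")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out

def min_out_from_quote(quoted: int, tolerance_bps: int) -> int:
    """Keeper side: convert an off-chain quote into the limit to pass in."""
    if not 0 <= tolerance_bps < BPS:
        raise ValueError("tolerance must be in [0, 10000) bps")
    return quoted * (BPS - tolerance_bps) // BPS

def harvest(pool: Pool, earned: int, min_amount_out: int) -> int:
    """Hypothetical harvest that forwards the limit instead of hard-coding 0."""
    return pool.swap(earned, min_amount_out)

def demo():
    earned = 1_000
    quoted = Pool(100_000, 100_000).quote(earned)
    limit = min_out_from_quote(quoted, 50)  # 0.5% tolerance
    # Same pool after another trade in the same direction landed first.
    unprotected = harvest(Pool(120_000, 83_334), earned, 0)  # 0 accepts any price
    try:
        harvest(Pool(120_000, 83_334), earned, limit)
        protected = "executed"
    except SlippageExceeded:
        protected = "reverted"
    return quoted, limit, unprotected, protected

if __name__ == "__main__":
    print(demo())
```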
#0 - GalloDaSballo
2022-06-18T15:52:57Z
We use flashbots
#1 - KenzoAgada
2022-06-22T10:22:05Z
Duplicate of #155
🌟 Selected for report: scaraven
Also found by: GimelSec, berndartmueller, cccz, dipp, kenzo, kirk-baird, unforgiven
235.5937 USDC - $235.59
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L428
_sendBadgerToTree will send BADGER twice and therefore fail.
It is sending it to the BADGER_TREE in _sendBadgerToTree, and then continues to send the same amount to the vault in _processExtraToken.
BADGER rewards cannot be claimed. The contract is trying to send the same amount twice - therefore the second transfer will fail. (Unless there is extra BADGER in the contract, in which case there will be accounting errors.)
This is _sendBadgerToTree:

    function _sendBadgerToTree(uint256 amount) internal {
        IERC20Upgradeable(BADGER).safeTransfer(BADGER_TREE, amount);
        _processExtraToken(address(BADGER), amount);
    }

And this is BaseStrategy's _processExtraToken:

    function _processExtraToken(address _token, uint256 _amount) internal {
        require(_token != want, "Not want, use _reportToVault");
        require(_token != address(0), "Address 0");
        require(_amount != 0, "Amount 0");
        IERC20Upgradeable(_token).safeTransfer(vault, _amount);
        IVault(vault).reportAdditionalToken(_token);
    }

As we can see in the safeTransfer lines of the two functions, the BADGER amount is being sent in _sendBadgerToTree to BADGER_TREE and then it is being sent in _processExtraToken to the vault.
I am not sure, but to my understanding you don't need to call _processExtraToken in _sendBadgerToTree, but only call IVault(vault).reportAdditionalToken(_token).
#0 - GalloDaSballo
2022-06-18T15:38:18Z
Dup of #2