Platform: Code4rena
Start Date: 29/03/2022
Pot Size: $50,000 USDC
Total HM: 16
Participants: 42
Period: 5 days
Judge: 0xean
Total Solo HM: 9
Id: 105
League: ETH
Rank: 3/42
Findings: 2
Award: $4,151.74
🌟 Selected for report: 2
🚀 Solo Findings: 2
🌟 Selected for report: leastwood
2075.8711 USDC - $2,075.87
https://github.com/code-423n4/2022-03-paladin/blob/main/contracts/HolyPaladinToken.sol#L1338-L1378
https://github.com/code-423n4/2022-03-paladin/blob/main/contracts/HolyPaladinToken.sol#L876-L906
The emergencyWithdraw() function intends to withdraw their tokens regardless if they are locked up for any duration. This emergency must be triggered by the owner of the contract by calling triggerEmergencyWithdraw(). A number of functions will revert when the protocol is in an emergency state, including all stake, lock, unlock and kick actions and the updating of a user's rewards. However, a user could bypass the restriction on _updateUserRewards() by transferring a small amount of unlocked tokens to their account. _beforeTokenTransfer() will call _updateUserRewards() on the from and to accounts. As a result, users can continue to accrue rewards while the protocol is in an emergency state and it makes sense for users to delay their emergency withdraw as they will be able to claim a higher proportion of the allocated rewards.
Consider adding a check for the boolean emergency value in _beforeTokenTransfer() to not call _updateUserRewards on any account if this value is set. Alternatively, a check could be added into the _updateUserRewards() function to return if emergency is true.
#0 - itsmetechjay
2022-04-04T14:33:43Z
Leastwood provided this information to me via DM as he had issues with the website upon submission and Sock told him that I would handle the submissions on his behalf.
#1 - Kogaroshi
2022-04-05T07:54:45Z
Changes made in the commit: https://github.com/PaladinFinance/Paladin-Tokenomics/pull/6/commits/ce9a4e25502dd13fee015800f0e538c1be5612f9 (made in this PR so we can use Custom Errors directly)
🌟 Selected for report: leastwood
2075.8711 USDC - $2,075.87
https://github.com/code-423n4/2022-03-paladin/blob/main/contracts/HolyPaladinToken.sol#L284-L294
https://github.com/code-423n4/2022-03-paladin/blob/main/contracts/HolyPaladinToken.sol#L1137-L1233
Paladin protocol allows users to increase the amount or duration of their lock while it is stil active. Increasing the amount of an active lock should only increase the total locked amount and it shouldn't make any changes to the associated bonus ratios as the duration remains unchanged.
However, if a user increases the lock amount on an expired lock, a new lock will be created with the duration of the previous lock and the provided non-zero amount. Because the action != LockAction.INCREASE_AMOUNT check later on in the function does not hold true, userCurrentBonusRatio will contain the last updated value from the previous lock. As a result, the user will not receive any rewards for their active lock and they will need to increase the duration of the lock to fix lock's bonus ratio.
Consider preventing users from increasing the amount on an expired lock. This should help to mitigate this issue.
#0 - itsmetechjay
2022-04-04T14:39:49Z
Leastwood provided this information to me via DM as he had issues with the website upon submission and Sock told him that I would handle the submissions on his behalf.
#1 - Kogaroshi
2022-04-05T08:06:48Z
Changes made in this commit: https://github.com/PaladinFinance/Paladin-Tokenomics/pull/6/commits/b9f7ece48abaf306b81a94891807de18992d516c (made in the PR to use the Custom Errors directly)