Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $50,000 USDC
Total HM: 31
Participants: 99
Period: 5 days
Judges: moose-code, JasoonS, denhampreen
Total Solo HM: 17
Id: 139
League: ETH
Rank: 38/99
Findings: 2
Award: $145.96
🌟 Selected for report: 0
🚀 Solo Findings: 0
.transfer() as overridden in Yieldy.sol returns a boolean value representing the status of the transfer instead of reverting on failure. Since it does, that return value needs to be handled properly.
Everything is fine, but what if the .transfer() ends up failing? The warmUpInfo entry for the _recipient will already have been cleared without any credits being transferred, and the Transfer event will still be emitted, causing problems off-chain.
contracts/Staking.sol
```solidity
function claim(address _recipient) public {
    Claim memory info = warmUpInfo[_recipient];
    if (_isClaimAvailable(_recipient)) {
        // state is cleared before the transfer is attempted
        delete warmUpInfo[_recipient];
        if (info.credits > 0) {
            // return value of transfer() is ignored here
            IYieldy(YIELDY_TOKEN).transfer(
                _recipient,
                IYieldy(YIELDY_TOKEN).tokenBalanceForCredits(info.credits)
            );
        }
    }
}
```
It's good that you're using safeTransfer for STAKING_TOKEN, which checks the return value underneath, but here at least wrap the call in a require statement.
Marked as medium severity because in this audit from Hacken a similar case was considered medium severity.
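As an added illustration (not code from the Yieldy/Staking repository): a cut-down claim with the original unchecked pattern next to the checked one, driven by a constructed Yieldy mock whose transfer always returns false. The IYieldy surface and a one-field Claim struct are assumed, and the _isClaimAvailable gate is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed interface shape: Yieldy.transfer reports failure with `false` instead of reverting.
interface IYieldy {
    function transfer(address to, uint256 amount) external returns (bool);
    function tokenBalanceForCredits(uint256 credits) external view returns (uint256);
}

// Constructed mock that always reports failure, to show the two behaviours side by side.
contract FailingYieldy is IYieldy {
    function transfer(address, uint256) external pure returns (bool) { return false; }
    function tokenBalanceForCredits(uint256 credits) external pure returns (uint256) { return credits; }
}

contract StakingClaimDemo {
    struct Claim { uint256 credits; }   // assumed: only the field the finding relies on
    address public immutable YIELDY_TOKEN;
    mapping(address => Claim) public warmUpInfo;

    constructor(address yieldy) { YIELDY_TOKEN = yieldy; }

    // Test helper: give a recipient some warm-up credits.
    function seed(address who, uint256 credits) external { warmUpInfo[who] = Claim(credits); }

    // Original pattern: the entry is deleted first and the bool is ignored, so a `false`
    // leaves the recipient with neither credits nor tokens, while the call still succeeds.
    function claimUnchecked(address _recipient) public {
        Claim memory info = warmUpInfo[_recipient];
        delete warmUpInfo[_recipient];
        if (info.credits > 0) {
            IYieldy(YIELDY_TOKEN).transfer(
                _recipient, IYieldy(YIELDY_TOKEN).tokenBalanceForCredits(info.credits));
        }
    }

    // Hardened pattern: require reverts the whole call, so the delete is rolled back
    // and the recipient keeps their credits for a later attempt.
    function claimChecked(address _recipient) public {
        Claim memory info = warmUpInfo[_recipient];
        delete warmUpInfo[_recipient];
        if (info.credits > 0) {
            bool ok = IYieldy(YIELDY_TOKEN).transfer(
                _recipient, IYieldy(YIELDY_TOKEN).tokenBalanceForCredits(info.credits));
            require(ok, "Yieldy transfer failed");
        }
    }
}
```

Deploy StakingClaimDemo against a FailingYieldy, seed a recipient, and compare: claimUnchecked leaves warmUpInfo zeroed with no revert, claimChecked reverts and the credits survive.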
#0 - toshiSat
2022-06-27T23:21:47Z
duplicate #206
🌟 Selected for report: BowTiedWardens
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 0xmint, 8olidity, ACai, Bnke0x0, Chom, ElKu, Fabble, Fitraldys, FudgyDRS, Funen, GalloDaSballo, GimelSec, IllIllI, JC, Kaiziron, Lambda, Limbooo, MiloTruck, Noah3o6, Nyamcil, Picodes, PwnedNoMore, Randyyy, RedOneN, Sm4rty, StErMi, TomJ, Tomio, TrungOre, UnusualTurtle, Waze, _Adam, aga7hokakological, ajtra, antonttc, asutorufos, bardamu, c3phas, defsec, delfin454000, exd0tpy, fatherOfBlocks, hansfriese, ignacio, joestakey, kenta, ladboy233, m_Rassska, mics, minhquanym, oyc_109, pashov, reassor, robee, s3cunda, sach1r0, saian, sashik_eth, scaraven, sikorico, simon135, slywaters
26.7051 USDC - $26.71
./Staking.sol
- "Invalid address"
- "Must enter valid amount"
- "Staking is paused"
- "Must have valid amount"
- "Insufficient Balance"
- "Unstaking is paused"
- "Not enough funds in reserve"
- "Invalid amount"
- "Invalid Curve Pool"
./Yieldy.sol
- "Already Initialized"
- "Invalid address"
- "Can't rebase if not circulating"
- "Invalid change in supply"
- "Not enough funds"
- "Allowance too low"
- "Mint to the zero address"
- "Max supply"
- "Burn from the zero address"
- "Not enough balance"
AND and OR opcodes cost some gas; it's better to avoid them by simply invoking require statements one by one.
./Staking.sol
- require(
      _stakingToken != address(0) &&
      _yieldyToken != address(0) &&
      _tokeToken != address(0) &&
      _tokePool != address(0) &&
      _tokeManager != address(0) &&
      _tokeReward != address(0) &&
      _liquidityReserve != address(0),
      "Invalid address"
  );