Platform: Code4rena
Start Date: 07/08/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 125
Period: 3 days
Judge: alcueca
Total Solo HM: 4
Id: 274
League: ETH
Rank: 14/125
Findings: 4
Award: $300.89
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: SpicyMeatball
Also found by: 0xComfyCat, GREY-HAWK-REACH, Yanchuan, cducrest, immeas, kaden, mert_eren, nonseodion, pep7siup, popular00, ppetrov
143.0396 USDC - $143.04
LendingLedger gives reward tokens to users if they lend their tokens to selected pools. LendingLedger gives rewards weekly and records a user's balance until the end of the week (specifically Thursday, because 1 Jan 1970 was a Thursday). But the protocol's record can be any record made during the week, with any value; the protocol just looks at the latest updated value in that week. In short, a user can withdraw his tokens after Thursday, but if he stakes his tokens again before the next Thursday 00:00 he will benefit from the rewards as if he had staked his tokens all week.
Please paste this test (https://imgur.com/a/qIrEoOa) into lendingLedgerTest.sol; it can be seen that a malicious user can take the same reward as an all-time staker by staking his tokens for just two blocks.
Invalid Validation
#0 - c4-pre-sort
2023-08-13T07:14:50Z
141345 marked the issue as duplicate of #71
#1 - c4-judge
2023-08-25T11:00:07Z
alcueca changed the severity to 2 (Med Risk)
#2 - c4-judge
2023-08-25T11:01:29Z
alcueca changed the severity to 3 (High Risk)
#3 - c4-judge
2023-08-25T11:02:46Z
alcueca marked the issue as partial-50
#4 - c4-judge
2023-08-31T16:54:23Z
alcueca marked the issue as satisfactory
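The accounting pattern the finding above describes (only the latest balance written in a week counts) can be contrasted with time-weighted accrual. The following Python model is an added example written for this page; it is not the LendingLedger contract code and not the warden's test. The ledger classes, the user names `honest` and `flash`, the amounts and the timestamp are all constructed for illustration. `week_start()` uses the Thursday alignment the finding mentions: multiples of one week from the Unix epoch always fall on Thursday 00:00 UTC.

```python
"""Weekly reward accounting: "last value written this week" versus time-weighted exposure.

Added example for this page; a model, not the LendingLedger contract code.
Ledger classes, user names, amounts and timestamps are constructed for illustration.
"""
from datetime import datetime, timezone

WEEK = 7 * 24 * 3600  # seconds in a week


def week_start(ts: int) -> int:
    """Floor a Unix timestamp to the start of its week.

    The Unix epoch (1 Jan 1970 00:00 UTC) was a Thursday, so multiples of WEEK
    are always Thursday 00:00 UTC; that is the boundary the finding refers to.
    """
    return ts - ts % WEEK


def is_thursday_midnight_utc(ts: int) -> bool:
    """Sanity check for week_start(): Monday is weekday 0, so Thursday is 3."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return dt.weekday() == 3 and (dt.hour, dt.minute, dt.second) == (0, 0, 0)


class SnapshotLedger:
    """Keeps only the latest balance written during each week (the pattern in the finding)."""

    def __init__(self):
        self.balance = {}  # user -> current lent balance
        self.weekly = {}   # (user, week_start) -> last balance recorded in that week

    def _update(self, user: str, delta: int, ts: int) -> None:
        new = self.balance.get(user, 0) + delta
        if new < 0:
            raise ValueError("insufficient balance")
        self.balance[user] = new
        self.weekly[(user, week_start(ts))] = new  # overwrites anything written earlier this week

    def deposit(self, user, amount, ts): self._update(user, amount, ts)
    def withdraw(self, user, amount, ts): self._update(user, -amount, ts)

    def balance_for_week(self, user: str, week: int) -> int:
        return self.weekly.get((user, week), 0)


class TimeWeightedLedger:
    """Accrues balance-seconds per week, so a deposit only counts for as long as it stays lent."""

    def __init__(self):
        self.balance = {}   # user -> current lent balance
        self.last_ts = {}   # user -> timestamp of the last accrual
        self.exposure = {}  # (user, week_start) -> accumulated balance * seconds

    def _accrue(self, user: str, ts: int) -> None:
        last, bal = self.last_ts[user], self.balance[user]
        while last < ts:
            boundary = min(ts, week_start(last) + WEEK)  # never cross a week boundary in one step
            key = (user, week_start(last))
            self.exposure[key] = self.exposure.get(key, 0) + bal * (boundary - last)
            last = boundary
        self.last_ts[user] = ts

    def _update(self, user: str, delta: int, ts: int) -> None:
        if user not in self.balance:
            self.balance[user], self.last_ts[user] = 0, ts
        self._accrue(user, ts)
        new = self.balance[user] + delta
        if new < 0:
            raise ValueError("insufficient balance")
        self.balance[user] = new

    def deposit(self, user, amount, ts): self._update(user, amount, ts)
    def withdraw(self, user, amount, ts): self._update(user, -amount, ts)

    def exposure_for_week(self, user: str, week: int, now: int) -> int:
        """Balance-seconds the user had lent during `week`, accrued up to `now`."""
        if user in self.balance:
            self._accrue(user, now)
        return self.exposure.get((user, week), 0)


def run_scenario() -> dict:
    """'honest' lends 1000 all week; 'flash' lends 1000 for 60 s at the start and 30 s at the end."""
    t0 = week_start(1_700_000_000)  # constructed timestamp, floored to a Thursday 00:00 UTC
    snap, tw = SnapshotLedger(), TimeWeightedLedger()
    for ledger in (snap, tw):
        ledger.deposit("honest", 1000, t0)
        ledger.deposit("flash", 1000, t0)
        ledger.withdraw("flash", 1000, t0 + 60)        # out again after a minute
        ledger.deposit("flash", 1000, t0 + WEEK - 30)  # back in just before the next Thursday
    return {
        "snapshot": (snap.balance_for_week("honest", t0), snap.balance_for_week("flash", t0)),
        "time_weighted": (tw.exposure_for_week("honest", t0, t0 + WEEK),
                          tw.exposure_for_week("flash", t0, t0 + WEEK)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The snapshot ledger reports the same weekly balance (1000) for both users, so a reward split on that number pays them equally; the time-weighted ledger reports 604,800,000 balance-seconds for `honest` and 90,000 for `flash`, which is the difference a reward formula needs to see. Any fix that still keys rewards on a single per-week value, whichever one is chosen, leaves the same window open; accruing balance-seconds on every update closes it.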
🌟 Selected for report: 0x73696d616f
Also found by: 0xCiphky, 0xComfyCat, 0xDetermination, GREY-HAWK-REACH, QiuhaoLi, SpicyMeatball, Team_Rocket, Tricko, Yanchuan, deadrxsezzz, immeas, kaden, lanrebayode77, ltyu, mert_eren, nonseodion, oakcobalt, popular00, th13vn
36.9443 USDC - $36.94
https://github.com/code-423n4/2023-08-verwa/blob/498a3004d577c8c5d0c71bff99ea3a7907b5ec23/src/VotingEscrow.sol#L390-L409
https://github.com/code-423n4/2023-08-verwa/blob/498a3004d577c8c5d0c71bff99ea3a7907b5ec23/src/GaugeController.sol#L215-L220
When vote_for_gauge_weights() is used, the contract just takes the user's slope at that exact time. And there is no extra check mechanism in the protocol to control the user's delegated amount (and so the slope too) until the user calls vote_for_gauge_weights() again. So a user can call vote_for_gauge_weights() from one account, then delegate his vote power in VotingEscrow to another account and call vote_for_gauge_weights() again (he can use this exploit as much as he wants), so he can manipulate vote power as a sybil attack.
Please paste this test (https://imgur.com/a/WEuU1RN) into gaugeControllerTest.sol; it can be seen how significantly gauge1's weight is increased by the sybil attack.
Call vote_for_gauge_weights() for msg.sender in VotingEscrow when the delegate function is used.
Governance
#0 - c4-pre-sort
2023-08-13T07:08:30Z
141345 marked the issue as duplicate of #45
#1 - c4-pre-sort
2023-08-13T13:17:08Z
141345 marked the issue as duplicate of #99
#2 - c4-pre-sort
2023-08-13T17:09:26Z
141345 marked the issue as duplicate of #178
#3 - c4-pre-sort
2023-08-13T17:39:55Z
141345 marked the issue as not a duplicate
#4 - c4-pre-sort
2023-08-13T17:40:06Z
141345 marked the issue as duplicate of #86
#5 - c4-judge
2023-08-25T10:51:22Z
alcueca changed the severity to 2 (Med Risk)
#6 - c4-judge
2023-08-25T10:51:34Z
alcueca changed the severity to 3 (High Risk)
#7 - c4-judge
2023-08-25T10:53:48Z
alcueca marked the issue as partial-50
#8 - c4-judge
2023-08-31T16:54:09Z
alcueca marked the issue as satisfactory
🌟 Selected for report: ltyu
Also found by: 0xDING99YA, 3docSec, KmanOfficial, MrPotatoMagic, RED-LOTUS-REACH, Tendency, Yuki, bart1e, bin2chen, carrotsmuggler, cducrest, kaden, mert_eren, pep7siup, popular00, qpzm, seerether, zhaojie
21.6049 USDC - $21.60
https://github.com/code-423n4/2023-08-verwa/blob/498a3004d577c8c5d0c71bff99ea3a7907b5ec23/src/VotingEscrow.sol#L331
https://github.com/code-423n4/2023-08-verwa/blob/498a3004d577c8c5d0c71bff99ea3a7907b5ec23/src/VotingEscrow.sol#L383
Tokens will be stuck forever if a user's lock time has expired while his delegatee is someone other than himself. He cannot withdraw his tokens, and he cannot delegate to himself either because his lock has expired. He also cannot use increaseAmount because the lock has expired, nor createLock because lock.amount > 0. So his tokens will be stuck forever.
An extra function for delegating back to himself when the lock has expired can be added, and making a special checkpoint for that case could be good.
DoS
#0 - c4-pre-sort
2023-08-11T11:55:09Z
141345 marked the issue as duplicate of #223
#1 - c4-pre-sort
2023-08-13T12:00:47Z
141345 marked the issue as duplicate of #112
#2 - c4-judge
2023-08-24T07:16:16Z
alcueca marked the issue as duplicate of #82
#3 - c4-judge
2023-08-24T07:20:39Z
alcueca changed the severity to 2 (Med Risk)
#4 - c4-judge
2023-08-24T07:24:02Z
alcueca marked the issue as satisfactory
#5 - c4-judge
2023-08-24T07:24:07Z
alcueca marked the issue as partial-50
#6 - c4-pre-sort
2023-08-24T08:20:17Z
141345 marked the issue as not a duplicate
#7 - c4-pre-sort
2023-08-24T08:20:26Z
141345 marked the issue as not a duplicate
#8 - c4-pre-sort
2023-08-24T08:23:10Z
141345 marked the issue as duplicate of #211
#9 - c4-judge
2023-08-24T21:15:40Z
alcueca marked the issue as partial-50
#10 - c4-judge
2023-08-26T21:24:28Z
alcueca changed the severity to 3 (High Risk)
🌟 Selected for report: thekmj
Also found by: 0xCiphky, 0xDetermination, 0xbrett8571, Eeyore, Team_Rocket, Tripathi, bart1e, deadrxsezzz, immeas, ltyu, mert_eren, pep7siup, popular00
99.3104 USDC - $99.31
https://github.com/code-423n4/2023-08-verwa/blob/498a3004d577c8c5d0c71bff99ea3a7907b5ec23/src/GaugeController.sol#L210-L213
https://github.com/code-423n4/2023-08-verwa/blob/498a3004d577c8c5d0c71bff99ea3a7907b5ec23/src/GaugeController.sol#L127-L130
When governance uses removeGauge, the gauge's power is changed to 0; however, there is no reset of the user's vote power stored in the vote_user_power mapping. Because of that, users will lose their voting power. For example, if a user gave 1000 of his voting power to the removed gauge before it was removed, his voting power is reduced to 9000 (normally everyone's is 10000). Also, he cannot decrease his voting power for the removed gauge because there is no way to use vote_user_power for a removed gauge (vote_user_power is the only function for reducing a user's vote power for a gauge).
Please paste this test (https://imgur.com/a/sRgCApg) into gaugeControllerTest.sol; from the test it can be seen that the user cannot take his voting power back and his voting power is stuck for nothing.
Invalid Validation
#0 - c4-pre-sort
2023-08-12T15:17:06Z
141345 marked the issue as duplicate of #62
#1 - c4-judge
2023-08-25T11:09:57Z
alcueca marked the issue as partial-50
#2 - c4-judge
2023-08-25T22:43:22Z
alcueca changed the severity to 2 (Med Risk)
#3 - c4-judge
2023-08-25T22:43:36Z
alcueca changed the severity to 3 (High Risk)
#4 - c4-judge
2023-08-31T16:54:58Z
alcueca marked the issue as satisfactory
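Two of the findings above are bookkeeping defects in the same structure: the delegation finding (a gauge vote recorded at one slope is not refreshed when the voter later delegates away) and the removeGauge finding (a gauge's weight is zeroed but the basis points each user allocated to it are never handed back). The following Python model is an added example written for this page, not the veRWA contracts and not the warden's tests; the controller class, the user and gauge names, the weights and the `refresh_votes` / `release_user_power` switches are constructed so that the stale-bookkeeping behaviour and a hardened variant can be run side by side. The 10000 basis-point budget per user is the figure quoted in the finding.

```python
"""Bookkeeping model for delegated voting weight and gauge votes.

Added example for this page; a model, not the veRWA contract code. Names, weights and
the refresh_votes / release_user_power switches are constructed for illustration.
"""
MAX_POWER = 10_000  # basis points a user may spread across gauges


class GaugeController:
    def __init__(self):
        self.own_weight = {}  # user -> weight from their own lock
        self.delegatee = {}   # user -> account that currently carries their weight
        self.votes = {}       # user -> {gauge: bps allocated}
        self.contrib = {}     # (user, gauge) -> weight counted toward the gauge at vote time
        self.gauges = set()

    def add_gauge(self, gauge: str) -> None:
        self.gauges.add(gauge)

    def lock(self, user: str, weight: int) -> None:
        self.own_weight[user] = weight
        self.delegatee.setdefault(user, user)

    def effective_weight(self, user: str) -> int:
        # weight of every lock currently delegated to `user` (a self-delegation counts)
        return sum(w for u, w in self.own_weight.items() if self.delegatee[u] == user)

    def used_power(self, user: str) -> int:
        return sum(self.votes.get(user, {}).values())

    def vote(self, user: str, gauge: str, bps: int) -> None:
        if gauge not in self.gauges:
            raise ValueError("unknown gauge")  # a removed gauge cannot be voted down any more
        old = self.votes.setdefault(user, {}).get(gauge, 0)
        if self.used_power(user) - old + bps > MAX_POWER:
            raise ValueError("power exceeded")
        self.votes[user][gauge] = bps
        # the contribution is frozen at the weight the user has *now*; nothing updates it later
        self.contrib[(user, gauge)] = self.effective_weight(user) * bps // MAX_POWER

    def refresh(self, user: str) -> None:
        # re-apply the user's existing votes at their current effective weight
        for gauge, bps in list(self.votes.get(user, {}).items()):
            self.vote(user, gauge, bps)

    def delegate(self, user: str, to: str, refresh_votes: bool) -> None:
        self.delegatee[user] = to
        if refresh_votes:
            self.refresh(user)  # hardened path: re-vote for msg.sender, as the finding recommends

    def gauge_weight(self, gauge: str) -> int:
        return sum(w for (_, g), w in self.contrib.items() if g == gauge)

    def remove_gauge(self, gauge: str, release_user_power: bool) -> None:
        self.gauges.discard(gauge)
        for key in [k for k in self.contrib if k[1] == gauge]:
            del self.contrib[key]  # the gauge's weight drops to 0 either way
        if release_user_power:
            for allocs in self.votes.values():
                allocs.pop(gauge, None)  # hardened path: hand the allocated bps back to the voter


def delegation_scenario(refresh_votes: bool) -> int:
    """alice votes with her own 1000, delegates to bob, and bob votes with the delegated 1000."""
    c = GaugeController()
    c.add_gauge("gauge1")
    c.lock("alice", 1_000)
    c.lock("bob", 0)
    c.vote("alice", "gauge1", MAX_POWER)       # gauge1 now counts alice's 1000
    c.delegate("alice", "bob", refresh_votes)  # bob carries alice's weight from here on
    c.vote("bob", "gauge1", MAX_POWER)         # bob votes with the delegated 1000
    return c.gauge_weight("gauge1")            # 2000 without refresh (double count), 1000 with


def removal_scenario(release_user_power: bool) -> dict:
    """carol puts 10% of her power on gauge1, gauge1 is removed, and she tries to use 100% elsewhere."""
    c = GaugeController()
    c.add_gauge("gauge1")
    c.add_gauge("gauge2")
    c.lock("carol", 5_000)
    c.vote("carol", "gauge1", 1_000)            # 1000 bps, as in the finding
    c.remove_gauge("gauge1", release_user_power)
    try:
        c.vote("carol", "gauge2", MAX_POWER)    # only succeeds if the 1000 bps were released
    except ValueError:
        pass
    return {"stranded_bps": c.votes["carol"].get("gauge1", 0),
            "gauge2_weight": c.gauge_weight("gauge2")}


if __name__ == "__main__":
    print(delegation_scenario(False), delegation_scenario(True))
    print(removal_scenario(False), removal_scenario(True))
```

With `refresh_votes=False` the delegator's stale contribution stays in the gauge total and the same 1000 of weight is counted twice; refreshing the delegator's votes at delegation time recomputes that contribution at their new effective weight of 0. With `release_user_power=False` the 1000 bps allocated to the removed gauge remain in the user's budget and cannot be voted away because the gauge no longer exists; releasing the allocation during removal is the bookkeeping step the finding says is missing. The model deliberately keeps weight as a plain number rather than a decaying slope, so it shows the bookkeeping problem without reproducing the escrow math.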