Platform: Code4rena
Start Date: 23/05/2022
Pot Size: $75,000 USDC
Total HM: 23
Participants: 75
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 13
Id: 130
League: ETH
Rank: 24/75
Findings: 2
Award: $294.83
π Selected for report: 0
π Solo Findings: 0
π Selected for report: 0xf15ers
Also found by: 0x52, Ruhum, WatchPug, berndartmueller, cccz, horsefacts, hyh, minhquanym, pauliax
In Bribe.notifyRewardAmount() function, everyone can call this function with trash token. And rewards list has a limit MAX_REWARD_TOKENS.
So anyone can spam to add any number of token to rewards list, making itβs full and impossible to add more bribe token.
MAX_REWARD_TOKENS trash ERC20 tokennotifyRewardAmount() with each deployed token.addRewardToken() or notifyRewardAmount(), it will revert because rewards list is full.require(rewards.length < MAX_REWARD_TOKENS, "too many rewards tokens");
Manual Review
Add check for only gauge can call notifyRewardAmount()
require(msg.sender == gauge);
#0 - pooltypes
2022-06-13T15:52:21Z
Duplicate of #182
#1 - GalloDaSballo
2022-06-28T23:19:43Z
Dup of #182
π Selected for report: IllIllI
Also found by: 0x1f8b, 0x52, 0xNazgul, 0xNineDec, AlleyCat, BouSalman, CertoraInc, Chom, Dravee, Funen, GimelSec, Hawkeye, MaratCerby, Nethermind, Picodes, RoiEvenHaim, SooYa, TerrierLover, WatchPug, _Adam, asutorufos, berndartmueller, c3phas, catchup, cccz, cryptphi, csanuragjain, delfin454000, djxploit, fatherOfBlocks, gzeon, hake, hansfriese, horsefacts, hyh, jayjonah8, minhquanym, oyc_109, p_crypt0, pauliax, robee, rotcivegaf, sach1r0, sashik_eth, simon135, sorrynotsorry, teddav, unforgiven, xiaoming90
219.5881 USDC - $219.59
In Minter contract, MAX_TEAM_RATE = 50 and PRECISION = 1000, so itβs 5%. But in the comment same line, it says 50bps = 0.05%.
Also in Minter.constructor(), teamRate is set to 30 and comment says 30bps = 0.03%. But actually itβs 3%
Manual Review
Change the code or document to match
In Voter.reviveGauge(), any address can be passed in as _gauge param and set to isAlive[_gauge] = true even when that address is not a gauge.
Manual Review
Should add check if that address is a gauge
require(isGauge[_gauge]);
There is a mapping to check if a token is existed in rewards list or not isReward[token]. But in swapOutRewardToken() function, there is no check using isReward.
An existing token can be passed in as newToken and rewards list will have a duplicated token.
rewards = [USDT, DAI, UST]swapOutRewardToken(2, UST, USDT). Because we do not check if USDT is already in the list. The TX will not revert. New list rewards isrewards = [USDT, DAI, USDT]
Token USDT appears 2 times in the list.Manual Review
Check if newToken is in the list or not
require(!isReward[newToken]);
#0 - GalloDaSballo
2022-07-02T00:44:23Z
Valid Low
Non-Critical because of the open-ended design
Valid Low
Nice short report 2 Low, 1 NC