Platform: Code4rena
Start Date: 13/05/2022
Pot Size: $30,000 USDC
Total HM: 8
Participants: 65
Period: 3 days
Judge: hickuphh3
Total Solo HM: 1
Id: 125
League: ETH
Rank: 33/65
Findings: 2
Award: $69.55
π Selected for report: 0
π Solo Findings: 0
π Selected for report: pedroais
Also found by: 0x4non, 0x52, 0xf15ers, 0xliumin, CertoraInc, Dravee, GimelSec, IllIllI, MaratCerby, StErMi, TerrierLover, WatchPug, berndartmueller, cccz, dipp, fatherOfBlocks, hake, hickuphh3, hyh, isamjay, mtz, oyc_109, p4st13r4, peritoflores, rotcivegaf, saian, simon135, sorrynotsorry, sseefried, tabish, z3s
14.8433 USDC - $14.84
https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/LidoVault.sol#L142
Affected code: https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/LidoVault.sol#L142
In LidoVault.sol, _withdrawFromYieldPool() transfers the collateral back to the user, but it does not check that the transfer was successful:
// send ETH to user (bool sent, bytes memory data) = address(_to).call{value: receivedETHAmount}(''); return receivedETHAmount; require(sent, Errors.VT_COLLATERAL_WITHDRAW_INVALID);
Editor
The return statement should be moved down, and the require(sent)should be called right after the .call().
#0 - sforman2000
2022-05-18T03:11:03Z
π Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0xNazgul, 0xf15ers, 0xkatana, 0xliumin, AlleyCat, BouSalman, Dravee, Funen, GimelSec, Hawkeye, MaratCerby, Picodes, StErMi, TerrierLover, WatchPug, Waze, berndartmueller, bobirichman, cryptphi, csanuragjain, defsec, delfin454000, dipp, fatherOfBlocks, hake, hickuphh3, hyh, joestakey, kebabsec, mics, mtz, oyc_109, p4st13r4, p_crypt0, robee, rotcivegaf, sikorico, simon135, sorrynotsorry, tintin
54.7123 USDC - $54.71
GeneralVault.sol, ETH address is misleadingIn the GeneralVault contract there is a constant, ETH, set to a magic value: https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/GeneralVault.sol#L47
This is deceiving because no-one is actually using that constant, and in the concrete vaults that deal with eth (like the LIDO one), address(0) is used to represent user making deposits in eth: https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/LidoVault.sol#L86
Thus we suggest removing that constant because is useless and possibly deceiving for a reader
saveApprove() deprecated functionThe usage of OZ safeApprove() is deprecated as described in the latest OZ implementation: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/bfff03c0d2a59bcd8e2ead1da9aed9edf0080d05/contracts/token/ERC20/utils/SafeERC20.sol#L38-L45
Itβs currently used 3 times throughout the codebase, and it should be replaced with safeIncreaseAllowance() and safeDecreaseAllowance()
#0 - HickupHH3
2022-06-06T05:06:39Z
Both are low issues.
#1 - iris112
2022-06-09T15:42:02Z
L-01, We are using the ETH constant for uniswap.
#2 - HickupHH3
2022-06-10T05:38:08Z
Yes, that's not the issue. What is, is the inconsistency of ETH representation. I suggest using the same ETH constant in the LIDO vault to represent ETH deposits instead of the the zero address