Platform: Code4rena
Start Date: 28/01/2022
Pot Size: $30,000 USDC
Total HM: 4
Participants: 22
Period: 3 days
Judge: GalloDaSballo
Total Solo HM: 2
Id: 80
League: ETH
Rank: 6/22
Findings: 1
Award: $881.09
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: pants
881.0898 USDC - $881.09
pants
The attacker can push without limit to an array that some functions loop over. If the array size is increased enough, calling a function that loops over the array will always revert, since there is a gas limit. This is a High Risk issue since those arrays publicly allow items to be pushed into them.
In ConvexStakingWrapper.sol L285, L269, L311 there is an unbounded loop on the array 'rewards' that can be publicly pushed to by 'addRewards'.
#0 - alcueca
2022-01-28T15:56:12Z
There are no loops at those addresses, and addRewards adds rewards that have been added to the staking pool, not at the user's will.
#1 - alcueca
2022-02-03T10:25:29Z
Actually, this is a real vulnerability. I wouldn't say that it is a Sev 3 because funds won't be at risk until rewards are added into the staking pool, and then it would be a DoS, not an asset loss. In my mind that's a Medium downgraded to Low because of the conditionant.
#2 - alcueca
2022-02-10T09:57:58Z
Upon further inspection, the startIndex is set to equal the length of the rewards array before adding any new rewards. This means that the rewards array in the wrapper can only grow to the size of the rewards array in the pool.
#3 - GalloDaSballo
2022-02-18T00:51:12Z
Anytime there's a loop where the input comes from an external source there's the possibility of unbounded looping.
The DOS can factually happen, specifically here: https://github.com/code-423n4/2022-01-yield/blob/e946f40239b33812e54fafc700eb2298df1a2579/contracts/ConvexStakingWrapper.sol#L286
Which can prevent from claiming rewards.
This can happen exclusively if the Convex Team adds thousands of additional rewards to their staking pool. While this can happen and the DOS can happen, I believe the likelihood to be minimal.
Given that the risk is loss of rewards, I believe the finding should be downgraded to medium. Given the extreme unlikelihood that there will ever be thousands of additional rewards, I believe low severity to be more appropriate.
#4 - alcueca
2022-02-21T09:28:10Z
Agree, thank you.
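The bound described in comment #2 and the reward loop discussed in comment #3, as an added Solidity sketch; it is not the project's ConvexStakingWrapper code. IPoolLike, BoundedRewardsSketch, MAX_REWARDS and the windowed checkpoint are hypothetical names and hardening choices, and integral and balanceOf are assumed to be maintained by staking functions outside the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified view of the external staking pool.
interface IPoolLike {
    function extraRewardsLength() external view returns (uint256);
    function extraRewards(uint256 i) external view returns (address);
}

contract BoundedRewardsSketch {
    uint256 public constant MAX_REWARDS = 16; // assumed cap, sized from gas measurements
    IPoolLike public immutable pool;
    address[] public rewards;
    mapping(address => uint256) public integral;                         // token => reward per share, 1e18 scaled
    mapping(address => mapping(address => uint256)) public userIntegral; // token => user => last settled integral
    mapping(address => mapping(address => uint256)) public claimable;    // token => user => amount owed
    mapping(address => uint256) public balanceOf;                        // user => staked shares

    constructor(IPoolLike pool_) {
        pool = pool_;
    }

    // Callable by anyone, yet the caller cannot pick what is pushed: the loop
    // starts at the current length and only mirrors pool entries not yet seen.
    // The cap keeps the array short even if the pool lists far more tokens.
    function addRewards() external {
        uint256 end = pool.extraRewardsLength();
        if (end > MAX_REWARDS) end = MAX_REWARDS;
        for (uint256 i = rewards.length; i < end; i++) {
            rewards.push(pool.extraRewards(i));
        }
    }

    // Settles one window of the array, so the caller decides how much gas a
    // single transaction spends and a long array cannot block claiming.
    function checkpoint(address user, uint256 from, uint256 to) external {
        if (to > rewards.length) to = rewards.length;
        for (uint256 i = from; i < to; i++) {
            address token = rewards[i];
            uint256 delta = integral[token] - userIntegral[token][user];
            claimable[token][user] += (balanceOf[user] * delta) / 1e18;
            userIntegral[token][user] = integral[token];
        }
    }
}
```

Either control is enough to remove the gas-limit revert: the cap bounds the array length regardless of the external pool, and the window bounds the work per transaction regardless of the array length.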