Platform: Code4rena
Start Date: 14/10/2022
Pot Size: $100,000 USDC
Total HM: 12
Participants: 75
Period: 9 days
Judge: GalloDaSballo
Total Solo HM: 1
Id: 171
League: ETH
Rank: 21/75
Findings: 3
Award: $280.79
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: Aymen0909, Dravee, Josiah, M4TZ1P, Mukund, Nyx, SooYa, catchup, cccz, chaduke, csanuragjain, djxploit, hansfriese, ladboy233, leosathya, pashov, rvierdiiev, sorrynotsorry, supernova, vv7, wagmi, zzykxx
0.006 USDC - $0.01
The code in LBFactory.sol to set the flashloan fee is this
function setFlashLoanFee(uint256 _flashLoanFee) external override onlyOwner { uint256 _oldFlashLoanFee = flashLoanFee; if (_oldFlashLoanFee == _flashLoanFee) revert LBFactory__SameFlashLoanFee(_flashLoanFee); flashLoanFee = _flashLoanFee; emit FlashLoanFeeSet(_oldFlashLoanFee, _flashLoanFee); }
So the owner can set any flashloan fee any time, without constraints. A malicious or a compromised owner can front-run any flash loans and just set the fee to a high enough number so it drains more value from a flash loan user than he expects.
This can result in a loss of capital for a flash loan user, but it can only happen if the owner of LBFactory is malicious or compromised, so Medium severity is appropriate.
Add a constraint for setting the flashloan fee, like for example a maximum of 10%, which is 1000 bps.
#0 - GalloDaSballo
2022-10-27T21:15:30Z
#1 - c4-judge
2022-11-23T18:38:06Z
GalloDaSballo marked the issue as not a duplicate
#2 - c4-judge
2022-11-23T18:39:09Z
GalloDaSballo marked the issue as duplicate of #139
#3 - Simon-Busch
2022-12-05T06:32:59Z
Marked this issue as Satisfactory as requested by @GalloDaSballo
0.9728 USDC - $0.97
The swapAVAXForExactTokens function has a built-in mechanism to take more AVAX value in than needed, execute the swap and then return the remaining AVAX. The problem is the returning of the remaining AVAX will always revert because it is coded incorrectly and it is not tested in any unit test
if (msg.value > amountsIn[0]) _safeTransferAVAX(_to, amountsIn[0] - msg.value);
the part amountsIn[0] - msg.value will always revert, because the if statement checks that msg.value is the bigger number.
This will result in an unexpected revert in most of the usages of the method, so even if you put in 1 more wei of AVAX than needed you won’t be able to execute the swap. Unexpected revert or DoS in most usages should be a Medium severity vulnerability.
Change
if (msg.value > amountsIn[0]) _safeTransferAVAX(_to, amountsIn[0] - msg.value);
to
#0 - GalloDaSballo
2022-10-26T18:27:16Z
#1 - GalloDaSballo
2022-11-13T19:54:04Z
L
#2 - c4-judge
2022-11-13T19:54:06Z
#3 - Simon-Busch
2022-11-21T06:21:50Z
Reverted to M as requested by @GalloDaSballo Duplicate of https://github.com/code-423n4/2022-10-traderjoe-findings/issues/469
#4 - Simon-Busch
2022-12-05T06:43:03Z
Marked this issue as satisfactory as requested by @GalloDaSballo
279.8109 USDC - $279.81
LBToken::safeTransferFrom has a not needed variable - _spender it is used only once, so you can just inline it
Scope
address arguments in constructorsMost constructors in the codebase check address arguments for a zero value, but some don’t. Add such checks there.
In LBFactory::_getPackedFeeParameters the NatSpec is incomplete because it is missing the returns part. Add it
address instead of address payable since you are not using send or transferAdding payable to an address variable gives it the ability to call the send and transfer functions of address payable. They are not used in the codebase though so there is no need for the payable keyword there.
Scope
The initialize function in LBPair.sol has the following comment in its NatSpec:
/// It is highly recommended to never call this function directly, use the factory /// as it validates the different parameters
but it also has the onlyFactory modifier, while the comment makes you believe the method can be called from a non-factory address which is wrong. Remove the comment
LBPair::burn has two uint256[] parameters - ids and _amounts and they should be of the same length for the code to work as expected. Add a check that their lengths are the same at the beginning of the method.
public to externalExternal functions use calldata for method arguments, while public functions use memory, so when possible you should use external instead of public to save gas
Scope:
If you use version that is at least 0.8.12 in the codebase you can use  string.concat()
instead of abi.encodePacked() in LBFactory::_getPackedFeeParameters
#0 - GalloDaSballo
2022-11-09T20:17:26Z
R
L
NC
NC
NC
##Â Method does not check if array arguments have the same length R
R
NC
#1 - GalloDaSballo
2022-11-09T20:24:25Z
1L 3R 4NC
#2 - c4-judge
2022-11-16T21:08:24Z
GalloDaSballo marked the issue as grade-b