Platform: Code4rena
Start Date: 07/04/2022
Pot Size: $100,000 USDC
Total HM: 20
Participants: 62
Period: 7 days
Judge: LSDan
Total Solo HM: 11
Id: 107
League: ETH
Rank: 45/62
Findings: 1
Award: $151.51
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Dravee
Also found by: 0x1f8b, 0xDjango, 0xkatana, AuditsAreUS, Cityscape, Foundation, Funen, Hawkeye, IllIllI, JC, JMukesh, Jujic, Kthere, PPrieditis, Picodes, Ruhum, TerrierLover, TrungOre, WatchPug, berndartmueller, catchup, cccz, cmichel, delfin454000, dy, ellahi, hickuphh3, horsefacts, hubble, hyh, ilan, jayjonah8, kebabsec, kenta, minhquanym, pauliax, rayn, reassor, rfa, robee, samruna
151.5077 USDC - $151.51
In LPFarming, if the owner invokes setContractWhitelisted with false for a previously whitelisted contract, this user will not be able to withdraw or claim the rewards. I don't know if this is intentional or not, but an alternative solution would be to have an actions enum and a mapping to the boolean field to make it more manageable.
STRATEGIST_ROLE has a lot of privileges that increase the risk of a rug-pull. A strategist can first invoke setVault, then invoke setStrategy or withdrawAll to transfer the tokens to the vault, or inCaseTokensGetStuck to drain any tokens from the strategies that were deposited by the users. In case one of the strategists' accounts is compromised, they can run away with all the tokens.
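
The per-action whitelist suggested in the LPFarming item above, sketched as an added example; this is not the audited contract's code and not part of the original submission. The contract name, `setActionWhitelisted`, the `permitted` modifier and the `tx.origin` test for externally owned accounts are all assumptions, and the guard that refuses to revoke an exit action while funds are staked goes one step beyond what the item proposes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical farm used only for illustration; not the audited LPFarming code.
contract PerActionWhitelistFarm {
    enum Action { Deposit, Withdraw, Claim }

    address public immutable owner;
    IERC20 public immutable token;
    // contract address => action => permitted
    mapping(address => mapping(Action => bool)) public allowed;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _token) {
        owner = msg.sender;
        token = _token;
    }

    // Assumption: EOAs are always permitted, contracts need a per-action entry.
    modifier permitted(Action action) {
        require(msg.sender == tx.origin || allowed[msg.sender][action], "action not whitelisted");
        _;
    }

    function setActionWhitelisted(address target, Action action, bool isAllowed) external {
        require(msg.sender == owner, "not owner");
        // New deposits can be blocked at any time; exit paths (Withdraw, Claim)
        // cannot be revoked while the target still has funds staked.
        require(isAllowed || action == Action.Deposit || balanceOf[target] == 0, "funds still staked");
        allowed[target][action] = isAllowed;
    }

    function deposit(uint256 amount) external permitted(Action.Deposit) {
        balanceOf[msg.sender] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    function withdraw(uint256 amount) external permitted(Action.Withdraw) {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
    // A claim() function would carry permitted(Action.Claim) in the same way.
}
```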