Badger Citadel contest - pedroais's results

Bringing BTC to DeFi

General Information

Platform: Code4rena

Start Date: 04/02/2022

Pot Size: $30,000 USDC

Total HM: 3

Participants: 37

Period: 3 days

Judge: leastwood

Id: 84

League: ETH

BadgerDAO

Findings Distribution

Researcher Performance

Rank: 7/37

Findings: 2

Award: $1,694.98

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: gellej

Also found by: Czar102, TomFrenchBlockchain, WatchPug, csanuragjain, defsec, hubble, p4st13r4, pedroais

Labels

bug
duplicate
2 (Med Risk)

Awards

515.7803 USDC - $515.78

External Links

Lines of code

https://github.com/code-423n4/2022-02-badger-citadel/blob/84596551d62f243d13fcb2d486346dde08002f7b/contracts/TokenSaleUpgradeable.sol#L340

https://github.com/code-423n4/2022-02-badger-citadel/blob/84596551d62f243d13fcb2d486346dde08002f7b/contracts/TokenSaleUpgradeable.sol#L257

https://github.com/code-423n4/2022-02-badger-citadel/blob/84596551d62f243d13fcb2d486346dde08002f7b/contracts/TokenSaleUpgradeable.sol#L192

Vulnerability details

Impact

If totalTokenOutBought > tokenOut.balanceOf(address(this)) the finalize() function will forever revert and no-one will be able to claim their bought tokens.

Proof of Concept

TokenInLimit can be set arbitrarily high even if the contract doesn't have enough tokens to sell.

https://github.com/code-423n4/2022-02-badger-citadel/blob/84596551d62f243d13fcb2d486346dde08002f7b/contracts/TokenSaleUpgradeable.sol#L340

Then users can buy more TokenOut than the contract balance. If the balance is smaller than TokenOutBought the finalize function will revert.

https://github.com/code-423n4/2022-02-badger-citadel/blob/84596551d62f243d13fcb2d486346dde08002f7b/contracts/TokenSaleUpgradeable.sol#L257

Calling the finalize function is a prerequisite to claim bought tokens. Then everyone would lose their bought tokens.

https://github.com/code-423n4/2022-02-badger-citadel/blob/84596551d62f243d13fcb2d486346dde08002f7b/contracts/TokenSaleUpgradeable.sol#L192

Setting tokenInLimit must have restrictions linked to the contract tokenOut balance to protect from overselling.

#0 - GalloDaSballo

2022-02-07T16:21:28Z

You can't finalize until all tokens have been sold, that's a fact.

The limit can't be set too high because we're going to mint the token after the sale, so w/e the tokens we sell, we can mint more tokens for it.

I think this is more in line with the denial of service (owner can postpone finalize forever) more than anything else.

#1 - 0xleastwood

2022-03-14T11:09:55Z

Duplicate of #50

Findings Information

🌟 Selected for report: Czar102

Also found by: TomFrenchBlockchain, cmichel, gellej, gzeon, pauliax, pedroais, tqts

Labels

bug
duplicate
2 (Med Risk)

Awards

1179.1958 USDC - $1,179.20

External Links

Lines of code

https://github.com/code-423n4/2022-02-badger-citadel/blob/84596551d62f243d13fcb2d486346dde08002f7b/contracts/TokenSaleUpgradeable.sol#L303

Vulnerability details

Impact

User can buy tokenOut at price X and be front-run by the owner by setting a higher price.

Proof of Concept

https://github.com/code-423n4/2022-02-badger-citadel/blob/84596551d62f243d13fcb2d486346dde08002f7b/contracts/TokenSaleUpgradeable.sol#L303

Changes in price by the owner should have some time lock to protect the buyer from frontrunning.

#0 - GalloDaSballo

2022-02-10T01:41:15Z

I don't have a strong opinion on setting up a fixed price during the auction as it excludes other more interesting uses (decaying price, or price increasing over time, or fixed price at specific times), perhaps adding a slippage check on the buy function would avoid this.

#1 - 0xleastwood

2022-03-14T12:09:06Z

Duplicate of #50 but warden already has an issue that is being considered under this.

#2 - 0xleastwood

2022-03-16T13:10:14Z

Duplicate of #105
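The slippage check on the buy function mentioned in the thread above, sketched as an added example that is not code from TokenSaleUpgradeable.sol or from any participant. The contract name, the `minTokenOut` parameter, the function signatures and the price formula are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical, simplified sale contract. Names and the price formula are
/// assumptions for this example, not taken from the audited code.
contract SlippageGuardedSale {
    IERC20 public immutable tokenIn;
    address public immutable owner;
    uint256 public tokenOutPrice; // assumed unit: tokenIn per 1e18 tokenOut
    uint256 public totalTokenOutBought;
    mapping(address => uint256) public boughtAmounts;

    constructor(IERC20 _tokenIn, uint256 _price) {
        require(_price > 0, "price=0");
        tokenIn = _tokenIn;
        owner = msg.sender;
        tokenOutPrice = _price;
    }

    // The owner can still reprice at any time, so decaying or stepped
    // price schedules remain possible.
    function setTokenOutPrice(uint256 _price) external {
        require(msg.sender == owner, "not owner");
        require(_price > 0, "price=0");
        tokenOutPrice = _price;
    }

    function getAmountOut(uint256 tokenInAmount) public view returns (uint256) {
        return (tokenInAmount * 1e18) / tokenOutPrice;
    }

    // minTokenOut is the amount the buyer was quoted when signing. If a price
    // increase is mined first, the computed amount drops below the quote and
    // the purchase reverts instead of filling at the worse price.
    function buy(uint256 tokenInAmount, uint256 minTokenOut) external returns (uint256 out) {
        require(tokenInAmount > 0, "amount=0");
        out = getAmountOut(tokenInAmount);
        require(out >= minTokenOut, "slippage: price moved");
        boughtAmounts[msg.sender] += out;
        totalTokenOutBought += out;
        require(tokenIn.transferFrom(msg.sender, address(this), tokenInAmount), "transfer failed");
    }
}
```

A client would call `getAmountOut` off-chain, subtract whatever tolerance it accepts, and pass the result as `minTokenOut`.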
