Back to pedroais's contests

Badger Citadel contest - pedroais's results

Bringing BTC to DeFi

General Information

Platform: Code4rena

Start Date: 14/04/2022

Pot Size: $75,000 USDC

Total HM: 8

Participants: 72

Period: 7 days

Judge: Jack the Pug

Total Solo HM: 2

Id: 110

League: ETH

BadgerDAO

Findings Distribution

Researcher Performance

Rank: 22/72

Findings: 2

Award: $615.39

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryBadgerDAO

Findings Information

🌟 Selected for report: cccz

Also found by: 0xBug, 0xDjango, CertoraInc, TrungOre, VAD37, berndartmueller, georgypetrov, horsefacts, m9800, pedroais, rayn, reassor, scaraven, wuwe1

Labels

bug
duplicate
3 (High Risk)
sponsor acknowledged

Awards

431.1404 USDC - $431.14

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/StakedCitadel.sol#L830 https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/interfaces/citadel/IVesting.sol#L5 https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/StakedCitadelVester.sol#L132

Vulnerability details

Impact

Users can't withdraw their funds

Proof of Concept

When withdrawing in staking the contract will send funds to vesting using setupVesting(). This is defined in the vesting interface. On the other hand, the vesting implementation calls this function vest() so setupVesting() isn't implemented.

All withdraws will revert. This doesn't come up in tests since the staking wasn't tested (at least in provided tests).

Give the function the same name in interface and implementation

#0 - GalloDaSballo

2022-04-22T22:15:15Z

Don't know if severity should be that high, but seems valid @dapp-whisperer wdyt?

#1 - jack-the-pug

2022-05-30T06:46:15Z

Dup #9

Findings Information

🌟 Selected for report: Ruhum

Also found by: 0xBug, 0xDjango, IllIllI, MaratCerby, TrungOre, danb, hyh, m9800, minhquanym, pedroais, remora, shenwilly

Labels

bug
duplicate
2 (Med Risk)
sponsor confirmed

Awards

184.248 USDC - $184.25

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/Funding.sol#L215

Vulnerability details

Impact

Users are unable to buy citadel in funding if the discount is 0.

Proof of Concept

In the funding contract if the discount is 0 then getAmountOut will always return 0 and users won't be able to use funding to buy citadel.

If discount is 0 then the if is never true and citadelAmount_ is never set. Then citadelAmount_ = citadelAmount_ / assetDecimalsNormalizationValue will always be 0. Since there is a minAmountOut input the buy will revert so no tokens will be lost but buying won't be possible.

In talks with the sponsor, they confirmed this is unintended and the discount should be settable to 0 without stopping funding.

I consider this a medium issue since assets aren't at direct risk but the function of the protocol is impacted.

In addition, funds can be at risk if a user buys with minAmountOut = 0 they will lose all funds and receive no tokens in return.

Change to : function getAmountOut(uint256 assetAmountIn)///@audit-ok public view returns (uint256 citadelAmount) { uint256 citadelAmount_ = assetAmountIn * citadelPriceInAsset; if (funding.discount > 0) { citadelAmount = (citadelAmount_ * MAX_BPS) / (MAX_BPS - funding.discount); }

    citadelAmount_ = citadelAmount_ / assetDecimalsNormalizationValue;
}

#0 - GalloDaSballo

2022-04-22T22:18:47Z

#218

#1 - jack-the-pug

2022-05-29T06:59:27Z

Dup #149

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter