Platform: Code4rena
Start Date: 27/10/2022
Pot Size: $33,500 USDC
Total HM: 8
Participants: 96
Period: 3 days
Judge: kirk-baird
Total Solo HM: 1
Id: 176
League: ETH
Rank: 52/96
Findings: 2
Award: $29.55
π Selected for report: 0
π Solo Findings: 0
π Selected for report: ladboy233
Also found by: 0x52, 0xDecorativePineapple, 0xhunter, Aymen0909, Bnke0x0, Dravee, JTJabba, Jeiwan, Lambda, Nyx, Picodes, Trust, cccz, cryptonue, csanuragjain, dic0de, hansfriese, horsefacts, imare, minhtrng, pashov, peritoflores, rbserver, rvierdiiev, wagmi, yixxas
9.9073 USDC - $9.91
https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L653-L661 https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L585-L592
Malicious owner can steal any created pledge even to drain the whole contract
Functions like recoverERC20 are good to recover tokens accidentally transferred to a contract.
The common approach for these function is to exclude real tokens handled by the protocol otherwise admin can just rug pull the contract.
In your case, as admin can add/remove reward tokens with the funcion removeRewardToken, he can call
this function first to bypass the require statement in recoverERC20
function stealToken(address tokenToSteal){ removeRewardToken(tokenToSteal); recoverERC20(tokenToSteal); }
One way to solve this is to keep a balance of every token and let owner to transfer the difference (if it exists), though this solution will cost some gas.
#0 - Kogaroshi
2022-10-31T00:44:17Z
Duplicate of #17
#1 - c4-judge
2022-11-10T06:55:46Z
kirk-baird marked the issue as not a duplicate
#2 - c4-judge
2022-11-10T06:55:53Z
kirk-baird marked the issue as duplicate
#3 - c4-judge
2022-11-10T21:17:42Z
kirk-baird marked the issue as satisfactory
#4 - c4-judge
2022-11-10T21:17:56Z
kirk-baird marked the issue as not a duplicate
#5 - c4-judge
2022-11-10T21:18:02Z
kirk-baird marked the issue as duplicate of #17
#6 - c4-judge
2022-12-06T17:32:42Z
Simon-Busch marked the issue as duplicate of #68
π Selected for report: robee
Also found by: 0x007, 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 8olidity, Awesome, B2, Bnke0x0, Chom, Diana, Dravee, JTJabba, Jeiwan, Josiah, Lambda, Mathieu, Picodes, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Ruhum, Sm4rty, Tricko, Trust, Waze, __141345__, a12jmx, adriro, ajtra, brgltd, c3phas, carlitox477, cccz, ch0bu, chaduke, chrisdior4, corerouter, cryptonue, csanuragjain, ctf_sec, cylzxje, delfin454000, dic0de, djxploit, horsefacts, imare, jayphbee, jwood, ktg, ladboy233, leosathya, lukris02, minhtrng, neko_nyaa, oyc_109, pashov, peritoflores, rbserver, rvierdiiev, shark, tnevler, yixxas
19.6449 USDC - $19.64
https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L335 https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L396
Users are unable neither to createPleadge nor extendPledge if protocol Fees are set to zero for some tokens
It is not stated in documentation if you allow protocol fees to zero. For your code it is possible to owner to set the fee to zero.
function updatePlatformFee(uint256 newFee) external onlyOwner { if(newFee > 500) revert Errors.InvalidValue(); uint256 oldfee = protocalFeeRatio; protocalFeeRatio = newFee; emit PlatformFeeUpdated(oldfee, newFee); }
However there are many non-malicious tokens that will revert if you try to transfer zero tokens. For these cases the function createPledge and extendPledge will revert when trying to transfer fees to chest
IERC20(rewardToken).safeTransferFrom(creator, chestAddress, vars.feeAmount); @audit will revert if fee is zero
An scenario is that some user create a pledge, then the owner decides to set fee to zero for some reason. That user will be unable to extend pledge and pledge will expiry.
If you do not plan to set fee to zero it is better to set a minimum fee.
#0 - trust1995
2022-10-30T21:30:12Z
Good suggestion. I don't think protocol fee is ever intended to be 0. Since the disrupted activity does not risk any funds, and can be restored quickly by the team, added to the low likelihood of fee being 0, it seems to be low severity issue.
#2 - kirk-baird
2022-11-11T06:40:21Z
I'm downgrading this to QA. This case should not rise and if it does there is a simple fix such that no funds are lost.
#3 - c4-judge
2022-11-11T06:40:32Z
kirk-baird changed the severity to QA (Quality Assurance)
#4 - c4-judge
2022-11-12T01:07:26Z
kirk-baird marked the issue as grade-b