Platform: Code4rena
Start Date: 15/06/2022
Pot Size: $30,000 USDC
Total HM: 5
Participants: 55
Period: 3 days
Judge: Jack the Pug
Id: 138
League: ETH
Rank: 7/55
Findings: 2
Award: $1,755.50
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: PumpkingWok
Also found by: kirk-baird, rfa, tabish, unforgiven
1723.5939 USDC - $1,723.59
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L223
In the LOCKER contract https://etherscan.io/address/0x3Fa73f1E5d8A792C80F426fc8F84FBF7Ce9bBCAC#code
anyone can call getreward() for any account. Therefore an attacker can frontrun an authorized actor by calling getreward(address(myStrategy)) before the harvest() call by an authorized actor gets executed. This will lead to https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L228
the aurabalEarned value being 0, since the before and after balances are the same. This AURABAL token cannot be swept, because _onlyNotProtectedTokens() prevents this token from being swept, making the AURABAL token stuck and not claimable.
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L223
#0 - GalloDaSballo
2022-06-19T18:02:58Z
Dup of #129
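The accounting problem described in this finding, as an added Python model that is not part of the submission or the Badger contracts. The class and method names are hypothetical, the amount of 100 is constructed, and `harvest_full_balance` is one assumed mitigation that only holds if the strategy keeps no reward tokens between harvests.

```python
# Constructed model of balance-delta reward accounting; all names are hypothetical.
class Token:
    def __init__(self):
        self.balances = {}

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def mint(self, account, amount):
        self.balances[account] = self.balance_of(account) + amount


class Locker:
    """Pays accrued rewards to `account`; any caller may trigger the payout."""

    def __init__(self, reward_token):
        self.reward_token, self.pending = reward_token, {}

    def accrue(self, account, amount):
        self.pending[account] = self.pending.get(account, 0) + amount

    def get_reward(self, account):
        self.reward_token.mint(account, self.pending.pop(account, 0))


class Strategy:
    def __init__(self, locker, reward_token):
        self.locker, self.reward_token = locker, reward_token

    def harvest_delta(self):
        """Accounting from the finding: earned = balance after - balance before."""
        before = self.reward_token.balance_of(self)
        self.locker.get_reward(self)
        return self.reward_token.balance_of(self) - before

    def harvest_full_balance(self):
        """Assumed mitigation: count the whole reward balance as earned."""
        self.locker.get_reward(self)
        return self.reward_token.balance_of(self)


def run(harvest_name, claimed_early):
    """Return (earned reported by harvest, reward tokens held by the strategy)."""
    token = Token()
    strategy = Strategy(Locker(token), token)
    strategy.locker.accrue(strategy, 100)  # constructed sample amount
    if claimed_early:  # someone else triggers the payout before harvest runs
        strategy.locker.get_reward(strategy)
    earned = getattr(strategy, harvest_name)()
    return earned, token.balance_of(strategy)
```

With an early claim, the delta version reports 0 earned while the strategy holds 100 reward tokens, which is the stuck balance the finding describes.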
31.9127 USDC - $31.91
Title: Declaring var in the returns()
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L161-L166
Removing L162 and declaring protectedTokens inside the returns can save gas
Change to:
function getProtectedTokens() public view virtual override returns (address[2] memory protectedTokens) { // @audit-info: declare here
    protectedTokens[0] = want; // AURA
    protectedTokens[1] = address(AURABAL);
}
It can save 178 gas per call
Title: Using && inside require()
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L184-L187
Instead of using && to validate, using multiple require statements can save 15 execution gas per call (although it will cost more in deployment gas). Change to:
require(
    balanceOfPool() == 0,
    "You have to wait for unlock or have to manually rebalance out of it"
);
require(
    LOCKER.balanceOf(address(this)) == 0,
    "You have to wait for unlock or have to manually rebalance out of it"
);
Title: using < 32 bytes string to revert
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L186
Strings are broken into 32-byte chunks for operations. Revert error strings over 32 bytes therefore consume more gas than shorter strings.
Title:
#0 - GalloDaSballo
2022-06-19T00:23:07Z
Would like to see proof
Rest is the usual
#1 - GalloDaSballo
2022-06-20T16:54:46Z