Platform: Code4rena
Start Date: 14/04/2022
Pot Size: $75,000 USDC
Total HM: 8
Participants: 72
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 2
Id: 110
League: ETH
Rank: 26/72
Findings: 2
Award: $523.21
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: cccz
Also found by: 0xBug, 0xDjango, CertoraInc, TrungOre, VAD37, berndartmueller, georgypetrov, horsefacts, m9800, pedroais, rayn, reassor, scaraven, wuwe1
431.1404 USDC - $431.14
https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/StakedCitadel.sol#L830
https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/interfaces/citadel/IVesting.sol#L5
https://github.com/code-423n4/2022-04-badger-citadel/blob/18f8c392b6fc303fe95602eba6303725023e53da/src/StakedCitadelVester.sol#L132

In the withdraw() function of the StakedCitadel contract, the function makes a call to setupVesting(), which does not exist in the StakedCitadelVester contract. Therefore, any transaction where a user tries to withdraw CTDL from the vault will fail, and users will not be able to retrieve their deposits.

Change all instances of setupVesting() to vest().
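As an added illustration (not code from the Badger Citadel repository; the stub contract names and the (recipient, amount, unlockBegin) parameter list are assumptions), a minimal Solidity reproduction of the mismatch beside its fix:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of the interface/implementation mismatch, not the Badger
// Citadel code. Stub names and the (recipient, amount, unlockBegin) parameters are assumed.

// What the vault's withdraw() is compiled against (the broken interface).
interface IVestingBroken {
    function setupVesting(address recipient, uint256 amount, uint256 unlockBegin) external;
}

// Stand-in for StakedCitadelVester: it only exposes vest() and has no fallback.
contract VesterStub {
    event Vested(address recipient, uint256 amount, uint256 unlockBegin);
    function vest(address r, uint256 a, uint256 u) external { emit Vested(r, a, u); }
}

// Before the fix: the call carries the selector of setupVesting(address,uint256,uint256),
// which matches nothing in VesterStub; with no fallback the callee reverts, so withdraw() reverts.
contract VaultBroken {
    IVestingBroken public immutable vester;
    constructor(address _vester) { vester = IVestingBroken(_vester); }
    function withdraw(uint256 amount) external {
        vester.setupVesting(msg.sender, amount, block.timestamp); // always reverts
    }
}

// After the fix: the interface names the function the vester really implements.
interface IVestingFixed {
    function vest(address recipient, uint256 amount, uint256 unlockBegin) external;
}

contract VaultFixed {
    IVestingFixed public immutable vester;
    constructor(address _vester) { vester = IVestingFixed(_vester); }
    function withdraw(uint256 amount) external {
        vester.vest(msg.sender, amount, block.timestamp); // succeeds, Vested is emitted
    }
}
// Minimal reproduction: run() returns (true, true).
contract Repro {
    function run() external returns (bool brokenReverted, bool fixedSucceeded) {
        VesterStub v = new VesterStub();
        VaultBroken broken = new VaultBroken(address(v));
        try broken.withdraw(1 ether) { brokenReverted = false; } catch { brokenReverted = true; }
        new VaultFixed(address(v)).withdraw(1 ether);
        fixedSucceeded = true;
    }
}
```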
#0 - GalloDaSballo
2022-04-23T01:36:45Z
Yes
#1 - jack-the-pug
2022-05-29T07:08:22Z
Dup #9
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xkatana, AmitN, CertoraInc, Dravee, Funen, Hawkeye, Jujic, MaratCerby, Picodes, Ruhum, SolidityScan, TerrierLover, TomFrenchBlockchain, TrungOre, VAD37, Yiko, berndartmueller, cmichel, csanuragjain, danb, defsec, delfin454000, dipp, ellahi, fatherOfBlocks, georgypetrov, gs8nrv, gzeon, horsefacts, hubble, hyh, ilan, jah, joestakey, kebabsec, kenta, kyliek, m9800, minhquanym, oyc_109, p_crypt0, peritoflores, rayn, reassor, remora, rfa, robee, scaraven, securerodd, shenwilly, sorrynotsorry, tchkvsky, teryanarmen, z3s
92.0693 USDC - $92.07
It mentions in the documentation here that the StakedCitadel.sol contract is a fork with no strategy. Consider removing functions such as setStrategy(), earn() and other strategy-related functions to increase readability.

setStrategy() and earn() in StakedCitadel.sol can cause hypothetical loss of user funds. If governance sets a strategy and then executes earn(), 95% of the CTDL in the vault will be sent to the strategy contract. Any user who then tries to withdraw CTDL using xCTDL will only receive a fraction of their deposit, as balance() has decreased. Consider removing these functions. See earn() and withdraw().

Additionally, the IVault interface for StakedCitadel contains reward(), which was removed from StakedCitadel.sol in version 1.5. Consider removing reward() from the interface.