Platform: Code4rena
Start Date: 21/04/2022
Pot Size: $100,000 USDC
Total HM: 18
Participants: 60
Period: 7 days
Judge: gzeon
Total Solo HM: 10
Id: 112
League: ETH
Rank: 5/60
Findings: 4
Award: $8,037.73
🌟 Selected for report: 3
🚀 Solo Findings: 1
1737.0523 USDC - $1,737.05
When ERC777 token is used as the underlying token for a LiquidityPool, a depositor can reenter depositFor and bypass the depositCap requirement check, resulting in higher total deposit than intended by governance.
tokensToSend ERC777 hook is called and Alice reenters depositFor.depositCap check.Add reentrancy guards to depositFor.
#0 - chase-manning
2022-05-11T14:50:16Z
🌟 Selected for report: fatherOfBlocks
Also found by: shenwilly
1737.0523 USDC - $1,737.05
When setting slippageTolerance, there is a check to ensure that the value is set within reasonable boundary. This check is missing in StrategySwapper constructor, which could cause irregularities when wrong value is used:
ScaledMath.ONE, swaps will always fail.Add the same check in setSlippageTolerance to constructor.
require(slippageTolerance_ <= ScaledMath.ONE, Error.INVALID_SLIPPAGE_TOLERANCE); require(slippageTolerance_ > 0.8e18, Error.INVALID_SLIPPAGE_TOLERANCE);
#0 - chase-manning
2022-05-05T10:55:13Z
Duplicate of #97
703.5062 USDC - $703.51
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/strategies/StrategySwapper.sol#L287-L289 https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/strategies/StrategySwapper.sol#L318-L320 https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/strategies/StrategySwapper.sol#L335-L337
In StrategySwapper, swapping from or to tokens with decimals higher than 18 will always revert. This will cause inabilities for strategies to harvest rewards.
L288 will revert when token_ has higher than 18 decimals.
return 10**(18 - IERC20Full(token_).decimals());
Consider modifying how _decimalMultiplier works so it could handle tokens with higher than 18 decimals.
Update the calculation of _minTokenAmountOut and _minWethAmountOut to account when decimals are higher/lower than 18.
#0 - chase-manning
2022-05-11T15:01:39Z
🌟 Selected for report: shenwilly
3860.1163 USDC - $3,860.12
Depositors won't be able to transfer or redeem funds temporarily.
The problem is caused by the implementation of LiquidityPool.getNewCurrentFees:
function getNewCurrentFees( uint256 timeToWait, uint256 lastActionTimestamp, uint256 feeRatio ) public view returns (uint256) { uint256 timeElapsed = _getTime() - lastActionTimestamp; uint256 minFeePercentage = getMinWithdrawalFee(); if (timeElapsed >= timeToWait) { return minFeePercentage; } uint256 elapsedShare = timeElapsed.scaledDiv(timeToWait); return feeRatio - (feeRatio - minFeePercentage).scaledMul(elapsedShare); }
The last line requires the current feeRatio to be higher than minFeePercentage or the function will revert. When this condition is broken, some critical functions such as transferring tokens and redeeming will be unusable. Affected users need to wait until enough time has elapsed and getNewCurrentFees returns minFeePercentage on L691.
This could happen if governance changes the MinWithdrawalFee to be higher than a user's feeRatio.
MinWithdrawalFee is set to 0, MaxWithdrawalFee is set to 0.03e18.feeRatio is now set to 0.03e18 (the current MaxWithdrawalFee).MaxWithdrawalFee to 0.05e18 and MinWithdrawalFee to 0.04e18.minFeePercentage is now higher than Alice's feeRatio and she can't transfer nor redeem the LP token until timeElapsed >= timeToWait.Add a new condition in getNewCurrentFees L690 to account for this case:
if (timeElapsed >= timeToWait || minFeePercentage > feeRatio) { return minFeePercentage; }
#0 - chase-manning
2022-05-11T15:01:18Z