Platform: Code4rena
Start Date: 27/05/2022
Pot Size: $75,000 USDC
Total HM: 20
Participants: 58
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 15
Id: 131
League: ETH
Rank: 12/58
Findings: 2
Award: $2,852.35
🌟 Selected for report: 1
🚀 Solo Findings: 1
🌟 Selected for report: shenwilly
2732.5332 USDC - $2,732.53
https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/InflationManager.sol#L609-L618 https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/KeeperGauge.sol#L82 https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/actions/topup/TopUpActionFeeHandler.sol#L95-L98 https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/actions/topup/TopUpAction.sol#L807 https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/actions/topup/TopUpAction.sol#L653
When _removeKeeperGauge is called, there is no guarantee that the keeper gauge isn't currently in use by any TopUpActionFeeHandler. If it's still in use, any top up action executions will be disabled as reporting fees in KeeperGauge.sol will revert:
function reportFees( address beneficiary, uint256 amount, address lpTokenAddress ) external override returns (bool) { ... require(!killed, Error.CONTRACT_PAUSED); // gauge is killed by InflationManager ... return true; }
If this happened during extreme market movements, some positions that require a top up will not be executed and be in risk of being liquidated.
InflationManager.removeKeeperGauge, replacing an old keeper gauge. However, governance forgot to call TopUpActionFeeHandler.prepareKeeperGauge so TopUpActionFeeHandler.getKeeperGauge still points to the killed gauge.> Keeper calls TopUpAction.execute(); > _payFees(); > IActionFeeHandler(feeHandler).payFees(); > IKeeperGauge(keeperGauge).reportFees(); > reverts as gauge is already killed
prepareKeeperGauge with a 3 days delay.Consider adding an on-chain check to ensure that the keeper gauge is not in use before removing them.
#0 - GalloDaSballo
2022-06-22T14:32:19Z
I believe the warden has shown a situation in which calling _removeKeeperGauge can cause payFees to revert, making it impossible (for a time) for fees to be paid.
I do not believe the impact will extend beyond:
I disagree with the statement: Alice's position got liquidated before the change is executed. as no liquidation should be contingent on fees being paid from this function.
Because the finding shows how the system for fees can be stopped due to external conditions, I agree with Medium Seveirty
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0xNazgul, 0xf15ers, BowTiedWardens, Chom, Funen, Kaiziron, Kumpa, MiloTruck, Picodes, Ruhum, SecureZeroX, Sm4rty, SmartSek, StyxRave, WatchPug, Waze, asutorufos, bardamu, berndartmueller, c3phas, catchup, cccz, codexploder, cryptphi, defsec, delfin454000, dipp, fatherOfBlocks, gzeon, hake, hansfriese, hyh, masterchief, oyc_109, sach1r0, sashik_eth, shenwilly, simon135, unforgiven
119.8232 USDC - $119.82
If governance mistakenly whitelisted a faulty/malicious gauge, there is no way to remove it. A malicious gauge could mint as much $BKD as it's currently available according to the inflation schedule, in detriment of other gauges' allocation.
Unless there's a reason not to, consider adding a function to remove gauge from whitelist in InflationManager.sol:
function blacklistGauge(address gauge) external override onlyRoles(Roles.GOVERNANCE) { gauges[gauge] = false; }
#0 - GalloDaSballo
2022-06-22T21:47:28Z
Agree with the finding, given other findings in the contest it would be ideal to be able to remove gauges