Platform: Code4rena
Start Date: 21/04/2022
Pot Size: $100,000 USDC
Total HM: 18
Participants: 60
Period: 7 days
Judge: gzeon
Total Solo HM: 10
Id: 112
League: ETH
Rank: 39/60
Findings: 2
Award: $244.27
Selected for report: 0
Solo Findings: 0
Selected for report: IllIllI
Also found by: 0v3rf10w, 0x52, 0xDjango, 0xkatana, Dravee, Funen, Kenshin, Ruhum, StyxRave, Tadashi, TerrierLover, TrungOre, antonttc, berndartmueller, catchup, csanuragjain, defsec, dipp, fatherOfBlocks, hake, horsefacts, hubble, jayjonah8, joestakey, kebabsec, kenta, m4rio_eth, oyc_109, pauliax, peritoflores, rayn, remora, robee, securerodd, simon135, sorrynotsorry, sseefried, z3s
159.3125 USDC - $159.31
No check for the zero address:
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/vault/Vault.sol: prepareTargetAllocation, executeReserveFee, executeBound, withdrawFromStrategyWaitingForRemoval, _rebalance, changeConvexPool
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/strategies/BkdTriHopCvx.sol
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/pool/LiquidityPool.sol: handleLpTokenTransfer
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/actions/topup/TopUpAction.sol: lockFunds, calcExchangeAmount, register, resetPosition, getEthRequiredForGas, getPosition, _payFees

@return not explained in the natspec:
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/actions/topup/TopUpAction.sol: lockFunds, changeConvexPool, addUsableToken, getTopUpHandler, _approve
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/pool/LiquidityPool.sol: handleLpTokenTransfer

-------------------
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/pool/LiquidityPool.sol: withdrawAll
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/StakerVault.sol: addStrategy, Transfer, increaseActionLockedBalance, transferFrom, unstakeFor
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/AddressProvider.sol: Initialize, addFeeHandler, removeFeeHandler, addAction, addPool
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/actions/topup/handlers/CompoundHandler.sol: topUp
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/GasBank.sol: depositFor
- The checks-effects-interactions pattern protects against reentrancy: `amountLeft -= depositAmount` should be done before the external call, just in case.
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/actions/topup/TopUpAction.sol: in the executeLocalVars struct, totalTopUpAmount is a waste of space; make it bigger (uint256). Multiple mappings are read to get a value.

-------------
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/vault/Vault.sol: _rebalance
- Bad comment placement; it should be put in a better place:
  address vault = addressProvider.getStakerVault(position.depositToken); // will revert if vault does not exist
- No onlyGovernance modifier implemented on these functions: you can change the fee update, update the fee, or change the slippage, which a basic user should not be able to do:
  https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/vault/Vault.sol: executeDebtLimit, prepareTargetAllocation, withdrawFromStrategyWaitingForRemoval
  https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/actions/topup/TopUpAction.sol: executeActionFee, executeSwapperSlippage, executeEstimatedGasUsage
  https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/pool/LiquidityPool.sol: prepareNewWithdrawalFeeDecreasePeriod, executeNewWithdrawalFeeDecreasePeriod, executeNewVault

------------
Code not needed:
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/vault/Vault.sol: _computeNewAllocated is not needed; it returns 0 and is pure, why?
- No comments and no natspec on the function at lines 160 to 170 of https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/actions/topup/TopUpActionFeeHandler.sol

---------
Comments issue:
- https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/actions/topup/handlers/CompoundHandler.sol: the _getAccountBorrowsAndSupply function is not explained well and has no natspec comments.
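As an added illustration of the checks-effects-interactions note above (not code from the Backd repository or from this submission), a hypothetical capped deposit function with the state update placed after the external call, next to the corrected ordering; the DepositCap contract, its cap logic and the names amountLeft and depositAmount are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical contract for illustration only; not Backd code.
// Users may deposit `token` until the shared cap `amountLeft` is exhausted.
contract DepositCap {
    IERC20 public immutable token;
    uint256 public amountLeft;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token, uint256 cap) {
        require(address(_token) != address(0), "zero address"); // zero-address check
        token = _token;
        amountLeft = cap;
    }

    // Interaction before effect: if `token` is a contract that calls back into
    // this function (for example a token with transfer hooks), the re-entrant
    // call is checked against the old `amountLeft`, so the cap can be exceeded.
    function depositUnsafe(uint256 depositAmount) external {
        require(depositAmount <= amountLeft, "cap exceeded");         // check
        require(token.transferFrom(msg.sender, address(this), depositAmount)); // interaction
        amountLeft -= depositAmount;                                     // effect (too late)
        balances[msg.sender] += depositAmount;
    }

    // Checks-effects-interactions: all state is settled before the external
    // call, so any re-entrant call sees the already-reduced cap.
    function deposit(uint256 depositAmount) external {
        require(depositAmount <= amountLeft, "cap exceeded");         // check
        amountLeft -= depositAmount;                                     // effects
        balances[msg.sender] += depositAmount;
        require(token.transferFrom(msg.sender, address(this), depositAmount)); // interaction
    }
}
```

A reentrancy guard is a second line of defence; ordering the effect before the interaction removes the window entirely and costs no extra gas.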
Selected for report: joestakey
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xkatana, 0xmint, Dravee, Funen, IllIllI, MaratCerby, NoamYakov, Tadashi, TerrierLover, Tomio, WatchPug, catchup, defsec, fatherOfBlocks, hake, horsefacts, kenta, oyc_109, pauliax, rayn, rfa, robee, saian, securerodd, simon135, slywaters, sorrynotsorry, tin537, z3s
84.957 USDC - $84.96
https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/StakerVault.sol
- Lp_gaude does not need a big bytes32.
- The approve function is not needed; just use msg.sender.
https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/pool/PoolFactory.sol
- Make decimals a uint256; it doesn't matter. LpTokenArgs.
- _addImplementation function: delete the implementation from storage.
https://github.com/code-423n4/2022-04-backd/blob/main/backd/contracts/access/RoleManager.sol
- mapping(address => bool) members; the bool is a waste of gas, just use uint.