Popcorn contest - simon135's results

A multi-chain regenerative yield-optimizing protocol.

General Information

Platform: Code4rena

Start Date: 31/01/2023

Pot Size: $90,500 USDC

Total HM: 47

Participants: 169

Period: 7 days

Judge: LSDan

Total Solo HM: 9

Id: 211

League: ETH

Researcher Performance

Rank: 147/169

Findings: 1

Award: $35.48

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

SECONDS_PER_YEAR is wrong: a year is 365 days

The constant in the code is 365.25 days, which is a year and a little bit more, but a year is just 365 days. https://github.com/code-423n4/2023-01-popcorn/blob/7a513a9734b9e49af33041e2032ffc131f3b73b0/src/vault/Vault.sol#L35

When the creator sets fees there is no check that fees are less than 1e18

When a creator wants to change fees they have to set them to less than 1e18.

        if (
            newFees.deposit >= 1e18 ||
            newFees.withdrawal >= 1e18 ||
            newFees.management >= 1e18 ||
            newFees.performance >= 1e18
        ) revert InvalidVaultFees();

but in the initialize function there is no such check:

        fees = fees_;

Add the same checks to the initialize function.
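One way to close the gap described above is to route both the initializer and the fee setter through a single validator, so the two paths can never drift apart. This is an added illustration, not Popcorn's code: the struct field types, the `initialized` flag and the simplified `proposeFees` body are assumptions; the 1e18 bound and the four fee fields are the ones quoted from the report.

```solidity
// Added example (not Popcorn's code): the 1e18 bound is enforced in one place
// and called from both initialize and the fee setter. Names/types are assumed.
pragma solidity ^0.8.0;

struct VaultFees {
    uint64 deposit;
    uint64 withdrawal;
    uint64 management;
    uint64 performance;
}

error InvalidVaultFees();

contract FeeBoundsExample {
    VaultFees public fees;
    bool private initialized;

    // Fees are 1e18-scaled fractions; anything at or above 100% is rejected.
    function _validateFees(VaultFees memory f) internal pure {
        if (
            f.deposit >= 1e18 ||
            f.withdrawal >= 1e18 ||
            f.management >= 1e18 ||
            f.performance >= 1e18
        ) revert InvalidVaultFees();
    }

    // The initializer validates before storing, which is the check the report
    // says is missing on the initialize path.
    function initialize(VaultFees memory fees_) external {
        require(!initialized, "already initialized");
        initialized = true;
        _validateFees(fees_);
        fees = fees_;
    }

    // Same validator on the later-change path (access control omitted here).
    function proposeFees(VaultFees memory newFees) external {
        _validateFees(newFees);
        fees = newFees; // simplified: a real vault would stage a proposal first
    }
}
```

With a shared validator, a reviewer only has to audit one predicate and confirm that every write to `fees` is preceded by a call to it.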

The targets parameter does not represent `AdminProxy`

The targets instead are the users that get permission:

* @param targets `AdminProxy`

https://github.com/code-423n4/2023-01-popcorn/blob/7a513a9734b9e49af33041e2032ffc131f3b73b0/src/vault/VaultController.sol#L404

Add a check for address(0) and address(1) in the setPermissions function

In the setPermissions function, 0x0 represents tokens and 0x1 represents users. Make an if check that checks that input and sets it accordingly, just to help readability.

There is a discrepancy between AdapterBase->setHarvestCooldown and VaultController->setHarvestCooldown functions

In AdapterBase the function checks

    if (newCooldown >= 1 days) revert InvalidHarvestCooldown(newCooldown);

In VaultController the function checks

    if (newCooldown > 1 days) revert InvalidHarvestCooldown(newCooldown);

VaultController->setHarvestCooldown sets the cooldown on the adapter contract, which can be = 1 day, but in AdapterBase the cooldown can't be = 1 day. The worst thing that can happen is an undesired cooldown.
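The discrepancy above comes from two hand-written comparisons that disagree at exactly 1 day. An added example (not Popcorn's code) that removes the possibility: one library holds the bound and the comparison, and both the adapter and the controller call it. Whether the bound should be inclusive or exclusive is not settled by the report; the example assumes the inclusive `> 1 days` form, and the contract and function names are assumptions.

```solidity
// Added example (not Popcorn's code): one shared predicate so the adapter and
// the controller accept exactly the same cooldown range. Names are assumed.
pragma solidity ^0.8.0;

error InvalidHarvestCooldown(uint256 cooldown);

library HarvestCooldownLimits {
    uint256 internal constant MAX_COOLDOWN = 1 days;

    // The single place that decides whether the bound is inclusive.
    // Assumed here: a cooldown of exactly 1 day is allowed.
    function check(uint256 newCooldown) internal pure {
        if (newCooldown > MAX_COOLDOWN) revert InvalidHarvestCooldown(newCooldown);
    }
}

contract AdapterExample {
    uint256 public harvestCooldown;

    function setHarvestCooldown(uint256 newCooldown) external {
        HarvestCooldownLimits.check(newCooldown);
        harvestCooldown = newCooldown;
    }
}

contract ControllerExample {
    // The controller pre-validates with the same predicate, so a value it
    // accepts can never be rejected by the adapter it forwards to.
    function setHarvestCooldown(AdapterExample adapter, uint256 newCooldown) external {
        HarvestCooldownLimits.check(newCooldown);
        adapter.setHarvestCooldown(newCooldown);
    }
}
```

A unit test that calls both setters with `1 days` and `1 days + 1` is enough to catch a future divergence if someone reintroduces an inline comparison in either contract.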

There is no check on the vault metadata, so a user can get phished

On the UX, if there is no check on the vault.metadata and an attacker creates a different vault with the same metadata, a user can be phished. On the UX, have verified vaults.

#0 - c4-judge

2023-02-28T23:32:57Z

dmvt marked the issue as grade-b
