Popcorn contest - supernova's results

A multi-chain regenerative yield-optimizing protocol.

General Information

Platform: Code4rena

Start Date: 31/01/2023

Pot Size: $90,500 USDC

Total HM: 47

Participants: 169

Period: 7 days

Judge: LSDan

Total Solo HM: 9

Id: 211

League: ETH

Popcorn

Findings Distribution

Researcher Performance

Rank: 78/169

Findings: 2

Award: $90.41

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

2.3058 USDC - $2.31

Labels

bug
3 (High Risk)
disagree with severity
partial-50
sponsor confirmed
duplicate-402

External Links

Lines of code

https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/utils/MultiRewardStaking.sol#L170-L188

Vulnerability details

Impact

The claimRewards function is prone to ERC777 reentrancy. The Checks-Effects-Interactions pattern is not followed properly, which leads to a user being able to claim reward tokens until the contract is empty. At line 186:

accruedRewards[user][_rewardTokens[i]] = 0;

The mapping is updated at the end of the function execution, which leads to reentrancy in the code below:

    if (escrowInfo.escrowPercentage > 0) {
        _lockToken(user, _rewardTokens[i], rewardAmount, escrowInfo);
        emit RewardsClaimed(user, _rewardTokens[i], rewardAmount, true);
    } else {
        _rewardTokens[i].transfer(user, rewardAmount);
        emit RewardsClaimed(user, _rewardTokens[i], rewardAmount, false);
    }

Proof of Concept

Tools Used

Manual

function claimRewards(address user, IERC20[] memory _rewardTokens) external accrueRewards(msg.sender, user) { for (uint8 i; i < _rewardTokens.length; i++) { uint256 rewardAmount = accruedRewards[user][_rewardTokens[i]]; + accruedRewards[user][_rewardTokens[i]] = 0; if (rewardAmount == 0) revert ZeroRewards(_rewardTokens[i]); EscrowInfo memory escrowInfo = escrowInfos[_rewardTokens[i]]; if (escrowInfo.escrowPercentage > 0) { _lockToken(user, _rewardTokens[i], rewardAmount, escrowInfo); emit RewardsClaimed(user, _rewardTokens[i], rewardAmount, true); } else { _rewardTokens[i].transfer(user, rewardAmount); emit RewardsClaimed(user, _rewardTokens[i], rewardAmount, false); } - accruedRewards[user][_rewardTokens[i]] = 0; } }
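Review bot: in the else branch, `_rewardTokens[i].transfer(user, rewardAmount)` still ignores the boolean return value, so with a token that returns false instead of reverting the accrued balance is zeroed while nothing is paid out. Check the return value (or use a safe-transfer wrapper) so a failed transfer reverts the whole claim. The moved `accruedRewards[user][_rewardTokens[i]] = 0;` would also read more clearly placed after the `rewardAmount == 0` revert, directly ahead of the `_lockToken` and `transfer` calls it protects, and a short comment saying why the write precedes those calls would keep a later refactor from moving it back.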

#0 - c4-judge

2023-02-16T07:38:37Z

dmvt marked the issue as duplicate of #54

#1 - c4-sponsor

2023-02-18T12:10:50Z

RedVeil marked the issue as sponsor confirmed

#2 - c4-sponsor

2023-02-18T12:11:50Z

RedVeil marked the issue as disagree with severity

#3 - c4-judge

2023-02-23T00:52:29Z

dmvt marked the issue as partial-50
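The ordering problem in the finding above, as an added Python model that is not part of the original submission or the Popcorn code base: it compares how much one claim pays out when the accrued balance is cleared after the transfer versus before it. `HookToken`, `Staking`, `HookRecipient` and `paid_out` are hypothetical names, and the recipient hook stands in for the ERC777 `tokensReceived` callback.

```python
# Toy model, constructed for illustration; every name here is hypothetical.
class HookToken:
    """Token that calls back into the recipient on transfer (ERC777-style)."""
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise RuntimeError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "tokens_received", None)
        if hook:
            hook()  # recipient code runs before transfer() returns

class Staking:
    def __init__(self, token, effects_first):
        self.token, self.effects_first = token, effects_first
        self.accrued = {}
    def claim_rewards(self, user):
        amount = self.accrued.get(user, 0)
        if amount == 0:
            raise RuntimeError("ZeroRewards")
        if self.effects_first:
            self.accrued[user] = 0  # patched order: effect, then interaction
        self.token.transfer(self, user, amount)
        if not self.effects_first:
            self.accrued[user] = 0  # original order: balance cleared too late

class HookRecipient:
    """Recipient whose hook calls claim_rewards again, up to max_reentries."""
    def __init__(self, staking, max_reentries):
        self.staking, self.left = staking, max_reentries
    def tokens_received(self):
        if self.left > 0:
            self.left -= 1
            try:
                self.staking.claim_rewards(self)
            except RuntimeError:
                pass  # nested claim rejected (ZeroRewards); outer claim continues

def paid_out(effects_first, accrued=100, pool=1000, reentries=5):
    """Return what the recipient holds after a single top-level claim."""
    token = HookToken()
    staking = Staking(token, effects_first)
    token.balances[staking] = pool
    user = HookRecipient(staking, reentries)
    staking.accrued[user] = accrued
    staking.claim_rewards(user)
    return token.balances[user]
```

With the defaults, the late-clearing order pays the accrued amount once per nested entry, while the effects-first order pays it exactly once.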

Findings Information

🌟 Selected for report: aashar

Also found by: 0xmuxyz, 7siech, Aymen0909, hashminer0725, rbserver, supernova

Labels

bug
2 (Med Risk)
satisfactory
sponsor confirmed
duplicate-396

Awards

88.0962 USDC - $88.10

External Links

Lines of code

https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/Vault.sol#L88

Vulnerability details

Impact

According to the Vault contract https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/Vault.sol#L523

Fees can never be 1e18, i.e. 100%. For this, the required checks are present that prevent the following action by the vault's owner.

Proof of Concept

https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/Vault.sol#L525-L537

Although the owner cannot set the fee to 100% using the above function, there is no restriction on the owner setting fee = 1e18 (i.e. 100%) in the initialize function.

https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/Vault.sol#L88

I consider this as a medium severity, as this breaks the invariant that fees cannot be 100% in any case, which is false.

Tools Used

In the Vault.sol initialize function, add the following:

+        if (
+            fees_.deposit >= 1e18 ||
+            fees_.withdrawal >= 1e18 ||
+            fees_.management >= 1e18 ||
+            fees_.performance >= 1e18
+.         )
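Review bot: the added `if (...)` has no body, so as posted the condition is never acted on, and the last line carries a stray `.` before the closing parenthesis that will not compile. Follow the condition with a revert, ideally the same one the existing fee check at Vault.sol#L525-L537 uses, so that initialize enforces the same bound as the setter and the two paths cannot drift apart.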

#0 - c4-sponsor

2023-02-17T07:48:16Z

RedVeil marked the issue as sponsor confirmed

#1 - c4-judge

2023-02-23T16:23:39Z

dmvt marked issue #396 as primary and marked this issue as a duplicate of 396

#2 - c4-judge

2023-02-23T22:28:00Z

dmvt marked the issue as satisfactory
