Platform: Code4rena
Start Date: 09/09/2021
Pot Size: $100,000 SUSHI
Total HM: 4
Participants: 11
Period: 7 days
Judge: ghoulsol
Total Solo HM: 3
Id: 28
League: ETH
Rank: 4/11
Findings: 2
Award: $4,639.55
🌟 Selected for report: 1
🚀 Solo Findings: 0
tensors
A comment in the code asks whether it is safe to allow anyone to call PostAuctionLauncher.finalize(). In the case that an attacker can get even a few wei of the auction token, it is not safe.
Suppose an attacker somehow gets a small amount of the auction token (many projects do small token giveaways to contributors, community members, NFT artists, code423n4 auditors, etc.) before the official launch.
The attacker can then create a massively skewed pool for the token. Since you are using the low-level .mint() call in the code, "slippage" on your mint could be very high. The attacker calls your .finalize() method (giving you close to 0 LP tokens because of the skewed pool) and then calls .burn() on his liquidity, taking almost the entire pool on his burn.
Don't let anyone but the owner call the function.
#0 - Clearwood
2021-09-16T04:36:08Z
duplicate of #14
40.3858 SUSHI - $405.07
tensors
## Impact
Using .send or .transfer to send ETH is widely considered bad practice as it is dependent on the gas costs of certain opcodes, which are subject to change. Future developments may break the functionality of the protocol.
See https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/ for more info and safe ways to send ETH.
#0 - Clearwood
2021-09-21T19:02:17Z
Duplicate of #96
🌟 Selected for report: tensors
149.5769 SUSHI - $1,500.26
tensors
## Impact
The view functions in CalculationsSushiswap.sol can be manipulated to give incorrect answers by flashloan attacks. Using them within the code in a naive way can lead to lost funds.
## Example
L188 here: https://github.com/sushiswap/miso/blob/master/contracts/Helper/CalculationsSushiswap.sol
## Recommendations
Make sure the functions are only used as estimates (for example, on the UI). Furthermore, add a comment so that new developers working on the code base realize the same thing.
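To put numbers on the two findings above (the skewed-pool drain of finalize() in the first finding and the flashloan-movable reserve price in this one), here is an added simulation that is not part of the report and not MISO's code. It models a SushiSwap-style constant-product pair with the V2 mint/burn/swap rules; all amounts, actor names, the `finalize` stand-in and the `min_liquidity_bps` guard are constructed for illustration and are not taken from the repository.

```python
# Constructed simulation, not MISO code: a SushiSwap-style constant-product
# pair with the V2 mint/burn/swap rules. All amounts, actor names and the
# finalize() stand-in below are invented for illustration.
from math import isqrt

ETH = 10**18     # wei per ETH
TOKEN = 10**18   # base units per auction token (assumes 18 decimals)


class Pair:
    """Minimal pair: reserve0 = auction token, reserve1 = ETH (wei)."""

    def __init__(self):
        self.reserve0 = 0
        self.reserve1 = 0
        self.total_supply = 0   # LP tokens outstanding
        self.lp = {}            # LP balance per holder

    def quote_mint(self, amount0, amount1):
        # First deposit gets sqrt(k); later deposits get the SMALLER of the two
        # pro-rata shares. The excess of the other asset is donated to existing
        # LPs, which is the "slippage" a low-level mint exposes the caller to.
        if self.total_supply == 0:
            return isqrt(amount0 * amount1)
        return min(amount0 * self.total_supply // self.reserve0,
                   amount1 * self.total_supply // self.reserve1)

    def mint(self, to, amount0, amount1):
        liquidity = self.quote_mint(amount0, amount1)
        assert liquidity > 0, "INSUFFICIENT_LIQUIDITY_MINTED"
        self.reserve0 += amount0
        self.reserve1 += amount1
        self.total_supply += liquidity
        self.lp[to] = self.lp.get(to, 0) + liquidity
        return liquidity

    def burn(self, holder):
        # Redeem all of holder's LP for a pro-rata share of both reserves.
        liquidity = self.lp.pop(holder)
        amount0 = liquidity * self.reserve0 // self.total_supply
        amount1 = liquidity * self.reserve1 // self.total_supply
        self.reserve0 -= amount0
        self.reserve1 -= amount1
        self.total_supply -= liquidity
        return amount0, amount1

    def swap_eth_for_token(self, amount1_in):
        # x*y=k swap with the 0.3% fee; returns the token amount out.
        in_with_fee = amount1_in * 997
        out = in_with_fee * self.reserve0 // (self.reserve1 * 1000 + in_with_fee)
        self.reserve1 += amount1_in
        self.reserve0 -= out
        return out

    def spot_price(self):
        # wei per token, scaled by 1e18: what a reserve-based view returns.
        return self.reserve1 * 10**18 // self.reserve0


class LpSlippageError(Exception):
    pass


def finalize(pair, amount0, amount1, *, min_liquidity_bps=0):
    # Hypothetical stand-in for the launcher's low-level mint. With
    # min_liquidity_bps > 0 it refuses unless the LP received is at least that
    # fraction of sqrt(amount0 * amount1), which is what a fresh, unskewed pool
    # would pay out. This guard is an assumed mitigation, not MISO's.
    expected = isqrt(amount0 * amount1)
    quoted = pair.quote_mint(amount0, amount1)
    if quoted * 10_000 < expected * min_liquidity_bps:
        raise LpSlippageError(f"would receive {quoted} LP, expected ~{expected}")
    return pair.mint("launcher", amount0, amount1)


def skewed_pool_scenario(min_liquidity_bps=0):
    # Pool pre-seeded with 1 wei of token against 10,000 ETH; the launcher then
    # adds 1,000,000 tokens + 1,000 ETH; the pre-seeder burns.
    # Returns (launcher share of LP in bps, tokens burned out, ETH burned out).
    pair = Pair()
    pair.mint("pre_seeder", 1, 10_000 * ETH)
    finalize(pair, 1_000_000 * TOKEN, 1_000 * ETH,
             min_liquidity_bps=min_liquidity_bps)
    share_bps = pair.lp["launcher"] * 10_000 // pair.total_supply
    tokens_out, eth_out = pair.burn("pre_seeder")
    return share_bps, tokens_out, eth_out


def flashloan_price_swing(eth_in=9_000 * ETH):
    # Spot price before and after one large swap inside a single transaction.
    pair = Pair()
    pair.mint("honest_lp", 1_000_000 * TOKEN, 1_000 * ETH)  # 1 token = 0.001 ETH
    before = pair.spot_price()
    pair.swap_eth_for_token(eth_in)
    return before, pair.spot_price()


if __name__ == "__main__":
    share, t, e = skewed_pool_scenario()
    print(f"launcher keeps {share / 100:.2f}% of LP; pre-seeder burns for "
          f"{t / TOKEN:,.0f} tokens and {e / ETH:,.0f} ETH")
    try:
        skewed_pool_scenario(min_liquidity_bps=9_000)
    except LpSlippageError as err:
        print("guarded finalize reverted:", err)
    before, after = flashloan_price_swing()
    print(f"spot price moved {after / before:.1f}x within one transaction")
```

With the invented numbers the launcher ends up with about 9% of the LP supply and the pre-seeder's burn returns all of his ETH plus roughly 909,000 of the 1,000,000 launched tokens, which is the "close to 0 LP tokens" outcome the first finding describes. Restricting the caller, as that finding recommends, stops an arbitrary caller from triggering the mint, but a pool seeded before the owner calls would still hit the same slippage, so the constructed `min_liquidity_bps` check (the LP-level equivalent of the router's `amountMin` parameters) is the part that actually rejects the skewed pool. For the current finding, a single 9,000 ETH swap moves the reserve-based spot price by roughly 100x inside one transaction, which is why a value computed that way is only safe as a UI estimate.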
#0 - Clearwood
2021-09-16T00:53:39Z
These functions were always intended for UI purposes, I agree that a comment would make sense
#1 - ghoul-sol
2021-10-05T19:54:32Z
per sponsor comment, low risk