Platform: Code4rena
Start Date: 04/03/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 80
Period: 7 days
Judge: hansfriese
Total Solo HM: 2
Id: 332
League: ETH
Rank: 25/80
Findings: 2
Award: $132.61
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: DarkTower
Also found by: 0xJaeger, 0xJoyBoy03, 0xRiO, 0xkeesmark, 0xlemon, 0xmystery, Abdessamed, AcT3R, Afriauditor, AgileJune, Al-Qa-qa, Aymen0909, Daniel526, DanielTan_MetaTrust, Dots, FastChecker, Fitro, GoSlang, Greed, Krace, McToady, SoosheeTheWise, Tripathi, asui, aua_oo7, btk, crypticdefense, d3e4, dd0x7e8, dvrkzy, gesha17, iberry, kR1s, leegh, marqymarq10, n1punp, pa6kuda, radin100, sammy, smbv-1923, trachev, turvy_fuzz, valentin_s2304, wangxx2026, y4y, yotov721, yvuchev, zhaojie
1.4652 USDC - $1.47
In claimYieldFeeShares the fee recipient can choose the amount of shares that they want to claim from the yieldFeeBalance. The issue is that currently, even if the fee recipient chooses a number less than the entire yieldFeeBalance, yieldFeeBalance is reset to 0, preventing the fee recipient from claiming any more of the fees they were initially granted.
For example, if the fee recipient chooses to claim only 50 of 100 from the yieldFeeBalance, yieldFeeBalance will be reset to 0, and the fee recipient will not be able to claim the remaining 50 yield fees.
As we can see yieldFeeBalance is decremented by _yieldFeeBalance instead of _shares.
yieldFeeBalance -= _yieldFeeBalance;
Manual review
Update from:
yieldFeeBalance -= _yieldFeeBalance;
To:
yieldFeeBalance -= _shares;
Other
#0 - c4-pre-sort
2024-03-11T23:07:50Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-03-11T23:07:56Z
raymondfam marked the issue as duplicate of #10
#2 - c4-pre-sort
2024-03-13T04:38:43Z
raymondfam marked the issue as duplicate of #59
#3 - c4-judge
2024-03-15T07:38:12Z
hansfriese marked the issue as satisfactory
🌟 Selected for report: Aymen0909
Also found by: 0xmystery, Abdessamed, FastChecker, Giorgio, Tripathi, btk, cheatc0d3, trachev, turvy_fuzz
131.1445 USDC - $131.14
The withdraw function of PrizeVault.sol allows a user to specify the amount of assets they want to withdraw. Furthermore, when the total assets are less than the total debt, one asset becomes more expensive than one share, causing more shares to need to be burned than the assets that are received. For example, if a user withdraws 100 assets they may have to burn 120 shares.
The issue is that there is no slippage protection on the amount of shares that the withdrawer is going to have to burn, which will likely cause an unexpected loss of funds. This problem will be further worsened during periods of high market volatility.
As we can see in the previewWithdraw function, used in withdraw when there are fewer assets than debt, the shares that will be burned are more than the withdrawn assets. Furthermore, there is no limit on the amount of shares that the caller may need to burn. The lack of slippage protection can also be observed in the redeem function, where the redeemer may receive fewer assets than expected for the amount of shares that they have burned.
function previewWithdraw(uint256 _assets) public view returns (uint256) { uint256 _totalAssets = totalAssets(); // No withdrawals can occur if the vault controls no assets. if (_totalAssets == 0) revert ZeroTotalAssets(); uint256 totalDebt_ = totalDebt(); if (_totalAssets >= totalDebt_) { return _assets; } else { // Follows the inverse conversion of `convertToAssets` return _assets.mulDiv(totalDebt_, _totalAssets, Math.Rounding.Up); } }
Manual review
Include slippage protection on the number of shares burned in withdraw and the number of assets received in redeem.
Other
#0 - c4-pre-sort
2024-03-11T23:49:04Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-03-11T23:49:11Z
raymondfam marked the issue as duplicate of #90
#2 - c4-pre-sort
2024-03-13T05:09:55Z
raymondfam marked the issue as duplicate of #274
#3 - c4-judge
2024-03-15T08:09:06Z
hansfriese marked the issue as satisfactory