Platform: Code4rena
Start Date: 30/11/2021
Pot Size: $100,000 USDC
Total HM: 15
Participants: 36
Period: 7 days
Judge: 0xean
Total Solo HM: 4
Id: 62
League: ETH
Rank: 23/36
Findings: 2
Award: $1,335.77
π Selected for report: 1
π Solo Findings: 0
π Selected for report: toastedsteaksandwich
Also found by: Meta0xNull, Omik, ScopeLift, bitbopper, gzeon, pedroais, wuwe1
481.7736 USDC - $481.77
wuwe1
(Sorry, my last summit for this function is wrong)
Governance can observe the mempool for any createIncentive at Streaming/src/Locke.sol:500 and call arbitraryCall function at Streaming/src/Locke.sol:733.
When a user call createIncentive with token the first time, the governance can frontrun and call arbitraryCall which in turn call approve in token contract. Governance can set the approve amount to max and transfer all the incentive token out from the Stream contract.
Consider adding a Timelock for the arbitraryCall function
#0 - brockelmore
2021-12-02T10:58:40Z
This should maybe bumped up to medium severity
#1 - brockelmore
2021-12-06T16:42:29Z
duplicate #107
#2 - 0xean
2022-01-14T22:01:35Z
dupe of #199
π Selected for report: wuwe1
805.8152 USDC - $805.82
wuwe1
// locke + depositTokenName + streamId = lockeUSD Coin-1 name = string(abi.encodePacked("locke", ERC20(depositToken).name(), ": ", toString(streamId)));
As the comment imply, the ": " should be "-"
Consider change the comment or the code.
#0 - 0xean
2022-01-16T14:13:57Z
1 β Low: Low: Assets are not at risk. State handling, function incorrect as to spec, issues with comments.
π Selected for report: gpersoon
Also found by: GiveMeTestEther, Meta0xNull, bitbopper, hack3r-0m, pauliax, pedroais, wuwe1
48.1774 USDC - $48.18
wuwe1
The first argument of function updateStream at Streaming/src/Locke.sol:197 is unused.
#0 - 0xean
2022-01-17T14:04:07Z
dupe of #125