prePO contest - wuwe1's results

Gain exposure to pre-IPO companies & pre-token projects.

General Information

Platform: Code4rena

Start Date: 17/03/2022

Pot Size: $30,000 USDC

Total HM: 8

Participants: 43

Period: 3 days

Judge: gzeon

Total Solo HM: 5

Id: 100

League: ETH

prePO

Researcher Performance

Rank: 37/43

Findings: 1

Award: $50.85

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

50.8486 USDC - $50.85

Labels

bug
QA (Quality Assurance)
disagree with severity

External Links

Lines of code

https://github.com/code-423n4/2022-03-prepo/blob/main/contracts/core/Collateral.sol#L61

Vulnerability details

Proof of Concept

https://github.com/code-423n4/2022-03-prepo/blob/main/contracts/core/Collateral.sol#L61

uint256 _amountToDeposit = _baseToken.balanceOf(address(this));

Amount to deposit is balance of the contract.

  1. Alice --- transfer 100 usdc ---> Collateral
  2. Bob --- deposit(0) ---> Collateral

Consider using the calldata amount instead of _baseToken.balanceOf(address(this))

function deposit(uint256 _amount)
    external
    override
    nonReentrant
    returns (uint256)
{
    require(_depositsAllowed, "Deposits not allowed");
    _baseToken.safeTransferFrom(msg.sender, address(this), _amount);
    // Record deposit before fee is taken
    if (address(_depositHook) != address(0)) {
        _depositHook.hook(msg.sender, _amount, _amount);
    }
    /**
     * Add 1 to avoid rounding to zero, only process deposit if user is
     * depositing an amount large enough to pay a fee.
     */
    uint256 _fee = (_amount * _mintingFee) / FEE_DENOMINATOR + 1;
    require(_amount > _fee, "Deposit amount too small");
    _baseToken.safeTransfer(_treasury, _fee);
    _amount -= _fee;

    uint256 _valueBefore = _strategyController.totalValue();
    _baseToken.approve(address(_strategyController), _amount);
    _strategyController.deposit(_amount);
    uint256 _valueAfter = _strategyController.totalValue();
    _amount = _valueAfter - _valueBefore;

    uint256 _shares = 0;
    if (totalSupply() == 0) {
        _shares = _amount;
    } else {
        /**
         * # of shares owed = amount deposited / cost per share, cost per
         * share = total supply / total value.
         */
        _shares = (_amount * totalSupply()) / (_valueBefore);
    }
    _mint(msg.sender, _shares);
    return _shares;
}

#0 - ramenforbreakfast

2022-03-22T23:44:45Z

This is a documentation issue. We intended our vault to follow this convention to allow contracts to atomically batch a transfer of assets to the contract and call deposit, instead of approving and having their assets transferFrom'd.

#1 - gzeoneth

2022-04-03T14:02:55Z

Not an issue if funds are donated to the contract, downgrading to Low/QA. Treating this as user's QA Report.

#2 - JeeberC4

2022-04-12T18:29:03Z

Per judge downgrading to QA Report, preserving original title: _baseToken sent directly to Collateral contract can be took by anyone
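
The two accounting choices discussed in this thread, as an added Python model (not part of the submission and not prePO's code): it runs the Alice/Bob sequence against a deposit that credits the contract's whole balance and against one that credits only the calldata amount. The fee constants, the 1:1 strategy and the names `CollateralModel` and `scenario` are assumptions made for the model.

```python
FEE_DENOMINATOR = 1_000_000  # constructed value for this model
MINTING_FEE = 10_000         # constructed: 1% minting fee

class CollateralModel:
    """Toy model of the vault's deposit accounting (not the prePO contract)."""

    def __init__(self, use_balance):
        self.use_balance = use_balance  # True: balanceOf(this); False: calldata amount
        self.wallet = {}                # base-token balances outside the vault
        self.idle = 0                   # base tokens sitting on the vault contract
        self.strategy_value = 0         # stands in for _strategyController.totalValue()
        self.treasury = 0
        self.shares = {}

    def transfer_in(self, sender, amount):
        """Plain token transfer to the vault, with no deposit() call."""
        assert self.wallet.get(sender, 0) >= amount, "insufficient balance"
        self.wallet[sender] = self.wallet.get(sender, 0) - amount
        self.idle += amount

    def deposit(self, sender, amount):
        to_deposit = self.idle + amount if self.use_balance else amount
        fee = to_deposit * MINTING_FEE // FEE_DENOMINATOR + 1
        if to_deposit <= fee:
            raise ValueError("Deposit amount too small")  # revert, no state change
        value_before, supply = self.strategy_value, sum(self.shares.values())
        self.transfer_in(sender, amount)                  # safeTransferFrom
        self.idle -= to_deposit
        self.treasury += fee
        self.strategy_value += to_deposit - fee
        minted = to_deposit - fee
        if supply:
            minted = minted * supply // value_before
        self.shares[sender] = self.shares.get(sender, 0) + minted
        return minted

def scenario(use_balance, batched):
    """Alice sends 100 tokens; then either she calls deposit(0) herself in the
    same transaction (batched) or Bob's deposit(0) is processed first."""
    vault = CollateralModel(use_balance)
    vault.wallet = {"alice": 100, "bob": 0}
    vault.transfer_in("alice", 100)
    try:
        vault.deposit("alice" if batched else "bob", 0)
    except ValueError:
        pass  # calldata-based variant rejects deposit(0); the tokens stay idle
    return vault.shares.get("alice", 0), vault.shares.get("bob", 0), vault.idle
```

In the model, balance-based accounting credits the sender only when the transfer and the deposit call are batched atomically, while calldata-based accounting leaves directly transferred tokens uncredited to anyone.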
