Sturdy contest - z3s's results

The first protocol for interest-free borrowing and high yield lending.

General Information

Platform: Code4rena

Start Date: 13/05/2022

Pot Size: $30,000 USDC

Total HM: 8

Participants: 65

Period: 3 days

Judge: hickuphh3

Total Solo HM: 1

Id: 125

League: ETH

Sturdy

Findings Distribution

Researcher Performance

Rank: 49/65

Findings: 2

Award: $38.30

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Sturdy

Findings Information

🌟 Selected for report: pedroais

Also found by: 0x4non, 0x52, 0xf15ers, 0xliumin, CertoraInc, Dravee, GimelSec, IllIllI, MaratCerby, StErMi, TerrierLover, WatchPug, berndartmueller, cccz, dipp, fatherOfBlocks, hake, hickuphh3, hyh, isamjay, mtz, oyc_109, p4st13r4, peritoflores, rotcivegaf, saian, simon135, sorrynotsorry, sseefried, tabish, z3s

Awards

14.8433 USDC - $14.84

Labels

bug

duplicate

3 (High Risk)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/LidoVault.sol#L142

Vulnerability details

Impact

LidoVault.sol#L141 In case of ETH withdraw request from user. after exchanging stETH -> ETH _withdrawFromYieldPool() send ETH to user but the require check is after the return of receivedETHAmount so this check won't happen. and in if call is going to fail it won't throw and the exchange won't revert. and user won't recieve the ETH.

Recommended Mitigation Steps:

swap the lines:

(bool sent, bytes memory data) = address(_to).call{value: receivedETHAmount}('');
- return receivedETHAmount;
require(sent, Errors.VT_COLLATERAL_WITHDRAW_INVALID);
+ return receivedETHAmount;

#0 - sforman2000
2022-05-18T03:10:08Z

Duplicate of https://github.com/code-423n4/2022-05-sturdy-findings/issues/157

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xNazgul, 0xf15ers, 0xkatana, 0xliumin, Cityscape, Dravee, Fitraldys, Funen, GimelSec, Hawkeye, JC, MaratCerby, SooYa, StErMi, Tomio, WatchPug, Waze, bobirichman, defsec, delfin454000, fatherOfBlocks, hake, hansfriese, hickuphh3, ignacio, joestakey, kebabsec, mics, mtz, oyc_109, robee, rotcivegaf, samruna, sikorico, simon135, z3s

Awards

23.4569 USDC - $23.46

Labels

bug

G (Gas Optimization)

External Links

Link to GitHub issue

Non Critical

Unused local variable in `LidoVault.sol`:

data is unused so it can be removed.

LidoVault.sol:91
    (bool sent, bytes memory data) = LIDO.call{value: msg.value}('');

LidoVault.sol:140
    (bool sent, bytes memory data) = address(_to).call{value: receivedETHAmount}('');

Recommended Mitigation Steps:

Remove data:

(bool sent, ) = LIDO.call{value: msg.value}('');

(bool sent, ) = address(_to).call{value: receivedETHAmount}('');

#0 - HickupHH3
2022-06-06T07:34:30Z

more of a gas opt IMO. changing it to a gas report

Sturdy contest - z3s's results

The first protocol for interest-free borrowing and high yield lending.

General Information

Findings Distribution

Researcher Performance

External Links

[H-02] Unreachable `require` check in `LidoVault.sol::_withdrawFromYieldPool()` - $14.84

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Recommended Mitigation Steps:

#0 - sforman20002022-05-18T03:10:08Z

[G-27] Gas Report - $23.46

Findings Information

Awards

Labels

External Links

Non Critical

Unused local variable in LidoVault.sol:

Recommended Mitigation Steps:

#0 - HickupHH32022-06-06T07:34:30Z

#0 - sforman2000
2022-05-18T03:10:08Z

Unused local variable in `LidoVault.sol`:

#0 - HickupHH3
2022-06-06T07:34:30Z