Platform: Code4rena
Start Date: 15/06/2022
End Date: 18/06/2022
Period: 3 days
Status: Completed
Pot Size: $30,000 USDC
Participants: 55
Reporter: itsmetechjay
Judge: Jack the Pug
Id: 138
League: ETH
unforgiven | 1/55 | $5,733.20 | 5 | 2 | 0 | 2 | 0 | - | 0 | 0 |
GimelSec | 2/55 | $3,884.05 | 4 | 1 | 0 | 2 | 0 | - | 0 | 0 |
zzzitron | 3/55 | $3,600.11 | 2 | 1 | 0 | 0 | 0 | - | 0 | 0 |
berndartmueller | 4/55 | $2,059.54 | 3 | 0 | 0 | 3 | 0 | 0 | 0 | 0 |
kirk-baird | 5/55 | $1,959.18 | 2 | 1 | 0 | 1 | 0 | 0 | 0 | 0 |
minhquanym | 6/55 | $1,881.47 | 3 | 0 | 0 | 2 | 0 | - | 0 | 0 |
rfa | 7/55 | $1,755.50 | 2 | 1 | 0 | 0 | 0 | 0 | - | 0 |
tabish | 8/55 | $1,723.59 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
PumpkingWok | 9/55 | $1,723.59 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
IllIllI | 10/55 | $689.83 | 3 | 0 | 0 | 1 | 0 | - | - | 0 |
Building on the Code4rena-reviewed bveCVX (Badger Vested CVX), Badger is offering a locking vault for Aura.finance, with the goal of sourcing yield from locking incentives as well as processing voting bribes from Hidden Hands.
The goal of this contest is to review the MyStrategy.sol we wrote for locking Aura as well as for claiming and processing bribes.
https://github.com/Badger-Finance/vested-aura/tree/v0.0.2
The repository is a Brownie project; to set it up, create a .env file with your WEB3_INFURA_PROJECT_ID and ETHERSCAN_TOKEN:

```
# .env
WEB3_INFURA_PROJECT_ID=
ETHERSCAN_TOKEN=
```
Run the tests with `brownie test --interactive`; the `--interactive` flag opens an interactive console when a test fails, so you can debug if something breaks.
Check gas usage and coverage with `brownie test --gas --coverage`.
bveAura is built with Badger Vaults 1.5, a Quantstamp-audited improvement over Yearn Vaults V1.
The Vault is meant to manage deposits and withdrawals, while the Strategy is meant to lock AURA and use the lock to claim locking rewards as well as bribes from Hidden Hands.
The claimed bribes are transferred to another smart contract, out of scope, called the BribesProcessor, which is meant to be used by a multi-sig to sell the bribes for other tokens.
Because of the architecture of Badger Vaults, vulnerabilities may exist not only in the Strategy contract itself but also in the interaction between the Strategy, the BaseStrategy and the Vault.
Particular care should be put into understanding how Vault invariants could be broken by the implementation of MyStrategy.
MyStrategy.sol (440 LOC) -> https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol
These contracts are out of scope:
Vault.sol -> https://github.com/Badger-Finance/badger-vaults-1.5/blob/0.1.0/contracts/Vault.sol
BaseStrategy.sol -> https://github.com/Badger-Finance/badger-vaults-1.5/blob/0.1.0/contracts/BaseStrategy.sol
They have been previously audited by Code4rena and Quantstamp.
However, if a high or medium severity finding is discovered in this previously audited code, it would be eligible for consideration based wholly on judge discretion as outlined in the docs.
Do not submit gas optimizations or QA on these contracts.
Aura Locker, reviewed via Code4rena, report TBD. Code: https://etherscan.io/address/0x3Fa73f1E5d8A792C80F426fc8F84FBF7Ce9bBCAC#contracts
hiddenHandDistributor, to claim veBAL bribes, reviewed via Code4rena here: https://code4rena.com/reports/2022-02-redacted-cartel
bribesProcessor, to process bribes, to be coded, example code: https://github.com/GalloDaSballo/fair-selling/blob/main/contracts/VotiumBribesProcessor.sol
BalancerVault, to sell certain tokens for more AURA, Code: https://etherscan.io/address/0xBA12222222228d8Ba445958a75a0704d566BF2C8, Audits: https://docs.balancer.fi/security/audits
Having reviewed hundreds of gas reports, I ask wardens to kindly report gas findings along with an estimate of how much gas each one would save.
Adding the gas estimate forces you to work out the saving properly, makes review easier, and helps you win more contests.
e.g. Cache Storage Variable - 97 gas
Wardens should try to:
bveCVX Code4rena report: https://code4rena.com/reports/2021-09-bvecvx
Badger Vaults 1.5 codebase: https://github.com/Badger-Finance/badger-vaults-1.5
b1.5 Code Overview: https://www.youtube.com/watch?v=u__v-J7KTNM
b1.5 Documentation: https://docs.badger.com/badger-finance/wip-vaults-1.5
Badger Vaults 1.5 Quantstamp audit: https://github.com/Badger-Finance/badger-vaults-1.5/blob/main/security/audits/Badger%20Vaults%201.5%20-%20Quantstamp%20-%20Jan%202022.pdf
Badger Office Hour discussion about the why behind 1.5: https://www.youtube.com/watch?v=psf4BS_kPIc&ab_channel=BadgerDAO
Badger 1.5 Mix (Brownie boilerplate): https://github.com/Badger-Finance/badger-vaults-mix-v1.5