Open code423n4 opened 2 years ago
Function recoverERC20 in StakingRewards allows an owner to transfer out any token except stakingToken. I see 2 problems with this: Dup of #69 (med)
A small loss in precision due to multiplication and division: Agree
Consider introducing a reasonable upper limit for the rewards[_pid] array in ConvexStakingWrapper, otherwise if it grows too large it may exceed the gas limit when performing the _checkpoint and there is no way to remove it once added. Valid but Low probability
ConvexStakingWrapper function addRewards fetches extraRewards and adds them to the list of rewards, but please note that extra rewards can change: Great find
You should use safe casts here: Great fix to the issue of overpaying Also, dup of #194 (Med)
I don't think this check in function provide of contract USDMPegRecovery is correct: in lack of POC cannot but downgrade to non-critical, ultimately it seems to just ensure the function is only called when there's a ton of liquid token and not much deposited
Consider introducing a withdrawal deadline to indicate when it is too late and the user has to requestWithdraw again. Non-critical
I think the comment and the actual code is misleading here: Non-critical
Pretty interesting report that suffers from mediocre formatting as well as lack of links making the findings a lot less actionable
3++
Bumped to 4- to be third best submission
@CloudEllie please create 2 new issue for the Med findings above.
I've created separate issues for the following:
Function recoverERC20
in StakingRewards allows an owner to transfer out any token except stakingToken
#278
I assigned this issue a severity of low because I assume we can trust the owner not to exploit this :?
You should forbid recoverERC20 of rewardsToken, and may also allow transferring the surplus from _totalSupply of stakingToken. Usually, it is a good practice in such contracts to have an emergency withdrawal function, where users can get back their stake tokens but forfeit the rewards.
Function setRewardsDistribution has a misleading revert message: "... changing the duration ..."
A small loss in precision due to multiplication and division:
A more accurate approach would be something like this:
Consider introducing a reasonable upper limit for the rewards[_pid] array in ConvexStakingWrapper, otherwise if it grows too large it may exceed the gas limit when performing the _checkpoint and there is no way to remove it once added.
ConvexStakingWrapper function addRewards fetches extraRewards and adds them to the list of rewards, but please note that extra rewards can change: https://github.com/convex-eth/platform/blob/main/contracts/contracts/BaseRewardPool.sol#L109-L119 Currently, ConvexStakingWrapper has no function to (sync) delete extra rewards. Consider implementing it.
You should use safe casts here:
Otherwise, if token amounts are exceeding these limits (e.g. rebasing tokens) the accounted and transferred amounts will differ. For instance, in function deposit it will add less to the user's balance but charge the full amount:
I don't think this check in function provide of contract USDMPegRecovery is correct:
After you provide the liquidity (usdm3crv.add_liquidity), the balance of usdm will decrease, but totalLiquidity.usdm, will not, so the next time it will need to increase even more to reach this condition again. But not sure what was the exact intention here, so submitting this as of low severity FYI.
Consider introducing a withdrawal deadline to indicate when it is too late and the user has to requestWithdraw again.
I think the comment and the actual code is misleading here: