1. Migration incorrect interface

Impact

Contract Migration implements function moveFundsToUpgradedContract that is expected to move funds from OLD_CONTRACT to NEW_CONTRACT. The issue is that for withdrawing funds it uses instantUnstake that does not exist in Staking contract. Contract Staking implements instantUnstakeReserve and instantUnstakeCurve, while instantUnstake is being implemented by LiquidityReserve.

Proof of Concept

Migration.sol:

https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Migration.sol#L54

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to use ILiquidityReserve interface for OLD_CONTRACT and make sure that OLD_CONTRACT is a LiquidityReserve contract.

2. Missing threshold validation

Risk

Low

Impact

Contract Staking implements multiple functions for setting staking parameters. The issue is that these functions are missing basic threshold checks of received arguments which makes it risky that, either by accident or intentionally, the parameters will be set to values that will completely break Staking contract logic.

Proof of Concept

Staking.sol:

Missing check of affiliateFee for maximum value - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L167-L170
Missing check of duration for minimum and maximum value - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L217-L220
Missing check of _vestingPeriod for minimum and maximum warmUpPeriod value - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L226-L229
Missing check of _vestingPeriod for minimum and maximum coolDownPeriod value - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L235-L238
Missing check of _timestamp for minimum and maximum timemLeftToRequestWithdrawal value - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L246-L251

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add threshold checks for listed parameters.

3. Missing approve(0) first

Risk

Low

Impact

Some tokens (like USDT L199) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.

IERC20(token).approve(address(operator), 0);
IERC20(token).approve(address(operator), amount);

Proof of Concept

Staking.sol:

LiquidityReserver.sol:

https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/LiquidityReserve.sol#L81-L84

Migration.sol:

https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Migration.sol#L32-L35

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

Approve with a zero amount first before setting the actual amount.

4. Missing events

Risk

Low

Impact

Multiple contracts are not implementing events for critical functions. Lack of events makes it difficult for off-chain applications to monitor the protocol.

Proof of Concept

Staking.sol:

Missing claimFromTokemak function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L111
Missing transferToke function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L141
Missing setTimeLeftToRequestWithdrawal function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L246
Missing unstakeAllFromTokemak function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L370
Missing sendWithdrawalRequests function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L384
Missing stake function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L406
Missing claim function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L465
Missing claimWithdraw function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L485
Missing instantUnstakeReserve function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L571
Missing instantUnstakeCurve function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L600
Missing unstake function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L674
Missing rebase function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L701
Missing addRewardsForStakers function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L741
Missing preSign function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L769

LiquidityReserve.sol:

Missing enableLiquidityReserve function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/LiquidityReserve.sol#L57
Missing addLiquidity function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/LiquidityReserve.sol#L104
Missing removeLiquidity function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/LiquidityReserve.sol#L161
Missing instantUnstake function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/LiquidityReserve.sol#L188
Missing unstakeAllRewardTokens function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/LiquidityReserve.sol#L214

Migration.sol:

Missing moveFundsToUpgradeContract function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Migration.sol#L43

BatchRequests.sol:

Missing addAddress function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/BatchRequests.sol#L81-L83
Missing removeAddress function event - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/BatchRequests.sol#L89-L99

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add missing events to listed functions.

5. Missing zero address checks

Risk

Low

Impact

Multiple contracts do not check for zero addresses which might lead to loss of funds, failed transactions and can break the protocol functionality.

Proof of Concept

Staking.sol:

Missing check in stake for _recipient - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L406

LiquidityReserve.sol:

Missing check in instantUnstake for _recipient - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/LiquidityReserve.sol#L188

BatchRequests.sol:

Missing check in addAddress for _address - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/BatchRequests.sol#L81
Missing check in removeAddress for _address - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/BatchRequests.sol#L89

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add zero address checks for listed parameters.

6. Critical address change

Risk

Low

Impact

Changing critical addresses such as ownership should be a two-step process where the first transaction (from the old/current address) registers the new address (i.e. grants ownership) and the second transaction (from the new address) replaces the old address with the new one. This gives an opportunity to recover from incorrect addresses mistakenly used in the first step. If not, contract functionality might become inaccessible.

Proof of Concept

Staking.sol:

Changing owner through OwnableUpgradeable - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L18

LiquidityReserve.sol:

Changing owner through OwnableUpgradeable - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/LiquidityReserve.sol#L16

BatchRequests.sol:

Changing owner through Ownable - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/BatchRequests.sol#L8

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to implement two-step process for changing ownership.

7. Use max values

Risk

Non-Critical

Impact

Contract YieldStorage.sol uses bit negation to retrieve MAX_UINT256 and MAX_SUPPLY (max uint128), these values can be easily retrieved from type object.

(..)
    uint256 internal constant MAX_UINT256 = ~uint256(0);

    uint256 internal constant MAX_SUPPLY = ~uint128(0); // (2^128) - 1
(..)

Proof of Concept

YieldyStorage.sol:

https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/YieldyStorage.sol#L16-L18

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to use type(uint256).max and type(uint128).max respectively.

8. Use scientific notation

Risk

Non-Critical

Impact

    uint256 public constant BASIS_POINTS = 10000; // 100% in basis points

Proof of Concept

StakingStorage.sol:

https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/StakingStorage.sol#L39

LiquidityReserveStorage.sol:

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to use scientific notation such as 1e4.

9. Missing/incomplete natspec comments

Risk

Non-Critical

Impact

Contracts are missing natspec comments which makes code more difficult to read and prone to errors.

Proof of Concept

Staking.sol:

Missing natspec - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L38
Missing @param _curvePool description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L155
Missing @param _affiliateFee description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L163-L167
Missing @param _affiliateAddress description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L175
Missing @param _shouldPause description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L183-L187
Missing @param _shouldPause description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L193-L197
Missing @param _shouldPause description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L203-L207
Missing @param duration description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L213-L217
Missing @param _vestingPeriod description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L223-L226
Missing @param _vestingPeriod description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L232-L235
Missing @param _amount and @param _recipient descriptions - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L402-L406
Missing @param stake description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L453-L456
Missing @param _recipient description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L461-L465
Missing @param _amount description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L511-L517

Yieldy.sol:

Missing @param _previsionCirculating, @param _profit and @param _epoch descriptions - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Yieldy.sol#L105-L110
Missing @param _wallet and @return descriptions - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Yieldy.sol#L133-L138
Missing @param _amount and @return descriptions - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Yieldy.sol#L143-L147
Missing @param _credits and @return descriptions - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Yieldy.sol#L156-L160
Missing @param _to, @param _value descriptions - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Yieldy.sol#L177-L182
Missing @param _from, @param _to, @param _value, @return descriptions - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Yieldy.sol#L198-L205
Missing @return - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Yieldy.sol#L224-L227

Migration.sol:

BatchRequests.sol:

Missing @return description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/BatchRequests.sol#L29-L33
Missing @param _index and @return description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/BatchRequests.sol#L46-L50
Missing @param _index and @return description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/BatchRequests.sol#L61-L65
Missing @return description - https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/BatchRequests.sol#L69-L73

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add missing natspec comments.

code-423n4 / 2022-06-yieldy-findings

QA Report #267

1. Migration incorrect interface

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

2. Missing threshold validation

Risk

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

3. Missing approve(0) first

Risk

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

4. Missing events

Risk

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

5. Missing zero address checks

Risk

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

6. Critical address change

Risk

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

7. Use max values

Risk

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

8. Use scientific notation

Risk

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

9. Missing/incomplete natspec comments

Risk

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps