This issue aggregates multiple problems with low and informational severity that were discovered during the audit.
Vulnerability Detail
Any excessive amount of tokens sent to BribeRewarder will get locked and it will be not possible to withdraw them. This is possible because no strict equalities are used in bribe and fundAndBribe functions.
RewarderFactory is missing overriding renounceOwnership as it is done for all the other contracts, which makes it possible to accidentally renounce ownership of the RewarderFactory.
The loop in the _bribe function of BribeRewarder iterates too many times for (uint256 i = 0; i <= bribeEpochs; ++i). The used check should be i < bribeEpochs.
transferFrom and safeTransferFrom are overridden with nonReentrant but they will not work in the first place because of overridden _update function to prevent any transfers.
safeTransferFrom function uses transferFrom under the hood but it has also nonReentrant modifier added which leads to double non reentrant check and revert with ReentrancyGuardReentrantCall
owner/operator/_lbHooksManager can add the same farm multiple times.
The BribeRewarder contract cannot be used with higher number of rewarding periods because of the for loop iterating over all periods and propagating data. This for high number of rewarding periods will lead to out-of-gas issues.
Blunt Carmine Camel
Low/Info
Multiple Low/Info Severity Issues
Summary
This issue aggregates multiple problems with low and informational severity that were discovered during the audit.
Vulnerability Detail
BribeRewarderwill get locked and it will be not possible to withdraw them. This is possible because no strict equalities are used inbribeandfundAndBribefunctions.RewarderFactoryis missing overridingrenounceOwnershipas it is done for all the other contracts, which makes it possible to accidentally renounce ownership of theRewarderFactory._bribefunction ofBribeRewarderiterates too many timesfor (uint256 i = 0; i <= bribeEpochs; ++i). The used check should bei < bribeEpochs.transferFromandsafeTransferFromare overridden withnonReentrantbut they will not work in the first place because of overridden_updatefunction to prevent any transfers.safeTransferFromfunction usestransferFromunder the hood but it has alsononReentrantmodifier added which leads to double non reentrant check and revert withReentrancyGuardReentrantCallowner/operator/_lbHooksManagercan add the same farm multiple times.BribeRewardercontract cannot be used with higher number of rewarding periods because of the for loop iterating over all periods and propagating data. This for high number of rewarding periods will lead to out-of-gas issues.Impact
N/A
Code Snippet
N/A
Tool used
Manual Review
Recommendation
It is recommended to address all listed issues.