Submission Details
Severity: low
Invalid

Users will be able to steal funds if token is temporarily unwhitelisted

Summary

Users will be able to steal funds if token is temporarily unwhitelisted

Vulnerability Details

If a token has been temporarily unwhitelisted (for whatever reason), a user calling mow during a SOP season will not get their perWellPlenty baseline set for that token, because the loop only fetches the currently whitelisted tokens:

```solidity
// Runs on a mow while the current SOP is the one that started this rain.
if (s.sys.season.lastSop == s.sys.season.rainStart) {
    // Only the *currently* whitelisted well LP tokens are iterated here.
    address[] memory tokens = LibWhitelistedTokens.getWhitelistedWellLpTokens();
    for (uint i; i < tokens.length; i++) {
        // Set the user's baseline to the cumulative plentyPerRoot at the start of the SOP.
        s.accts[account].sop.perWellPlenty[tokens[i]].plentyPerRoot = s.sys.sop.sops[
            s.sys.season.lastSop
        ][tokens[i]];
    }
}
```

Because the user's own plentyPerRoot is never set for that token, if it is whitelisted again by the next time they mow, they can claim plenty for the whole cumulative plentyPerRoot (rather than just the delta since the beginning of the SOP).
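
The accounting gap described above, as an added Python model (not Beanstalk's code); it assumes a simplified SOP scheme where a claim pays roots times the difference between the well's cumulative plentyPerRoot and the user's checked-in baseline, and compares the mow loop over currently whitelisted tokens with the recommended loop over every token ever whitelisted.

```python
# Simplified model (assumption, not Beanstalk's code) of per-well plenty accounting.
# A well's cumulative plenty-per-root only grows; a user's claim is
# roots * (cumulative - the baseline checked in for that user).
from dataclasses import dataclass, field


@dataclass
class Account:
    roots: int
    plenty_per_root: dict = field(default_factory=dict)  # token -> baseline


@dataclass
class Silo:
    whitelisted: set       # currently whitelisted well LP tokens
    ever_whitelisted: set  # every token that has ever been whitelisted
    cumulative_ppr: dict   # token -> cumulative plenty-per-root (sops[lastSop][token])


def mow(silo: Silo, acct: Account, all_ever: bool) -> None:
    """Set the user's baseline at SOP start; mirrors the loop quoted above."""
    tokens = silo.ever_whitelisted if all_ever else silo.whitelisted
    for t in tokens:
        acct.plenty_per_root[t] = silo.cumulative_ppr.get(t, 0)


def claim_plenty(silo: Silo, acct: Account) -> int:
    """Pay out plenty for every currently whitelisted well and advance the baseline."""
    total = 0
    for t in silo.whitelisted:
        delta = silo.cumulative_ppr[t] - acct.plenty_per_root.get(t, 0)
        total += acct.roots * delta
        acct.plenty_per_root[t] = silo.cumulative_ppr[t]
    return total


def run_scenario(all_ever: bool) -> int:
    # Constructed numbers: WELL_A already carries 100 plenty-per-root from earlier
    # SOPs; one new SOP adds 10 while the user is in, so the fair payout is 10 * 10.
    silo = Silo(whitelisted={"WELL_A"}, ever_whitelisted={"WELL_A"},
                cumulative_ppr={"WELL_A": 100})
    acct = Account(roots=10)
    silo.whitelisted.discard("WELL_A")   # token temporarily unwhitelisted
    mow(silo, acct, all_ever)            # user mows while lastSop == rainStart
    silo.whitelisted.add("WELL_A")       # token whitelisted again
    silo.cumulative_ppr["WELL_A"] += 10  # next SOP of the season
    return claim_plenty(silo, acct)      # 1100 with the page's loop, 100 with the fix
```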

Impact

Loss of funds

Tools Used

Manual review

Recommendations

Either iterate over an array of every token that has ever been whitelisted, or do not allow a token to be only temporarily unwhitelisted (once it has been unwhitelisted, disallow it from being re-whitelisted).

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Gas

Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

Appeal created

deadrosesxyz Submitter about 1 year ago
inallhonesty Lead Judge about 1 year ago
