- Start date: 28 Jan 2025
- End date: 4 Feb 2025
- Total awards: $5,000 in USDC
- Duration: 7 days
- Details
BakerFi Mitigation Review
- Total Prize Pool: $5,000 in USDC
- HM awards: $4,000 in USDC
- Judge awards: $1,000 in USDC
- Warden guidelines for C4 mitigation reviews
- Starts January 28, 2025 20:00 UTC
- Ends February 04, 2025 20:00 UTC
Important note
Each warden must submit a mitigation review for every individual PR listed in the Scope
section below. Incomplete mitigation reviews will not be eligible for awards.
Findings being mitigated
Mitigations of all High and Medium issues will be considered in-scope and are listed here:
- F-1: Users may encounter losses on assets deposited through StrategySupplyERC4626
- F-2: Anyone can call StrategySupplyBase.harvest, allowing users to avoid paying performance fees on interest
- F-6: _deployedAmount not updated on StrategySupplyBase.undeploy, preventing performance fees from being collected
- F-13: There are multiple issues with the decimal conversions between the vault and the strategy
- F-17: Transactions that use .permit can be front-run to grief the user and steal his funds
- F-18: Malicious actors can exploit user-approved allowances on VaultRouter to drain their ERC20 tokens
- F-19: Malicious actors can exploit user-approved allowances on VaultRouter to drain their ERC4626 tokens
- F-3: VaultBase is not ERC4626 compliant
- F-4: New strategy can not work due to insufficient allowance
- F-5: MultiStrategy#removeStrategy() cannot remove leverage strategies that still have deployed assets
- F-12: Even when the Vault contract is paused, the rebalance function is not paused
- F-16: _maxDeposit check is incorrect
- F-26: The dispatch function of the VaultRouter does not work as intended with the PULL_TOKEN action
- F-27: Incorrect whitelist validation in VaultBase.sol
- F-33: The withdrawal of Multi strategies vault could be DoSed while asset deposits remain unaffected
- F-34: The calculation of assetsMax is incorrect
- F-36: The Vault Manager is unable to delete the last strategy from MultiStrategyVault
- F-37: The StrategySupplyMorpho allows using the wrong token in _asset
- F-43: StrategySupplyBase.undeploy does not return the amount of assets actually undeployed, which can cause a withdrawal to fail
- F-40: VaultRouter cannot be used for deposits when it reaches the maximum deposit limit
Scope
Branch
https://github.com/baker-fi/bakerfi-contracts/tree/develop
Mitigation of High & Medium Severity Issues
Out of Scope
All sponsor acknowledged (wontfix) findings, including:
- F-8: Sending tokens to a Strategy when totalSupply is 0 can permanently make the Vault unavailable
- F-10: Permit doesn't work with DAI
- F-35: Cannot withdraw tokens from all strategies in MultiStrategyVault when one third party is paused
All known issues listed in the preceding audit's repo are considered known issues and out of scope.