Platform: Code4rena
Start Date: 06/01/2022
Pot Size: $60,000 USDC
Total HM: 20
Participants: 33
Period: 7 days
Judge: LSDan
Total Solo HM: 9
Id: 67
League: ETH
Rank: 16/33
Findings: 2
Award: $920.23
Selected for report: 1
Solo Findings: 0
797.1712 USDC - $797.17
0x1f8b
Allow flash loan attacks.
The variable minLockPeriod is assigned inside the constructor, and there is no check around this argument. This variable is very important because it will deny flash loan attacks, so it's very important that it be different from 0.
Manual review.
Check that _minLockPeriod is different from 0 inside the constructor.
#0 - r2moon
2022-01-12T14:07:49Z
We don't think it's an issue.
#1 - dmvt
2022-01-27T21:40:11Z
This does potentially open assets up to flash loan risk. It is probably a good idea to have this variable guarded, at least in the case of the pattern described in #150. I'm going to consider this a duplicate of that issue since the description is much more thorough.
duplicate #150
107.6181 USDC - $107.62
0x1f8b
Detailed description of the impact of this finding.
The deposit method inside the Vault contract doesn't check whether the amount is 0.
Manual review.
Check that the amount is different from 0.
#0 - gabrielpoca
2022-01-12T11:04:48Z
@ryuheimat is this really a low risk? We can add a check, but there are no exploits in here.
#1 - r2moon
2022-01-13T12:03:32Z
@gabrielpoca agree, this is a non-critical issue, I think.
#2 - gabrielpoca
2022-01-13T12:05:49Z
I really think this is a non-issue.
#3 - r2moon
2022-01-13T12:11:39Z
This will mint an NFT with zero amount, so we need to add a check.
#4 - dmvt
2022-01-28T14:19:24Z
This tracks as a state handling issue. Low risk is appropriate.
#5 - naps62
2022-02-15T17:53:11Z
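The two checks discussed in the findings above (a non-zero _minLockPeriod in the constructor and a non-zero deposit amount), shown as an added example that is not the audited contract's code. It is a minimal ETH vault sketch: every name except minLockPeriod, _minLockPeriod and deposit is hypothetical, and the per-deposit lockPeriod argument is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added illustration, not the audited Vault. All names except
// minLockPeriod, _minLockPeriod and deposit are hypothetical.
contract LockedVaultSketch {
    uint64 public immutable minLockPeriod;

    struct Position {
        uint256 amount;
        uint64 unlockAt;
    }

    mapping(address => Position) public positions;

    constructor(uint64 _minLockPeriod) {
        // A zero lock period would let funds enter and leave in the same
        // transaction, which is what the lock is meant to prevent.
        require(_minLockPeriod != 0, "minLockPeriod is 0");
        minLockPeriod = _minLockPeriod;
    }

    // Assumption: the caller chooses a lock duration per deposit.
    function deposit(uint64 lockPeriod) external payable {
        // Reject empty deposits so no zero-value position is recorded.
        require(msg.value != 0, "amount is 0");
        require(lockPeriod >= minLockPeriod, "lock too short");

        Position storage p = positions[msg.sender];
        uint64 unlockAt = uint64(block.timestamp) + lockPeriod;
        p.amount += msg.value;
        // Never shorten an existing lock when topping up.
        if (unlockAt > p.unlockAt) p.unlockAt = unlockAt;
    }

    function withdraw() external {
        Position memory p = positions[msg.sender];
        require(p.amount != 0, "nothing to withdraw");
        require(block.timestamp >= p.unlockAt, "still locked");
        // Clear state before the external call.
        delete positions[msg.sender];
        (bool ok, ) = msg.sender.call{value: p.amount}("");
        require(ok, "transfer failed");
    }
}
```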
0x1f8b
Unfinished logic.
There are some open TODOs in the code that must be finished or removed:
Manual review.
Finish the code and remove the TODOs.
#0 - r2moon
2022-01-11T16:06:07Z
#1 - dmvt
2022-01-28T14:42:16Z
duplicate of #96