Platform: Code4rena
Start Date: 31/03/2022
Pot Size: $75,000 USDC
Total HM: 7
Participants: 42
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 5
Id: 102
League: ETH
Rank: 12/42
Findings: 1
Award: $332.90
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rayn
Also found by: 0xDjango, 0xkatana, 0xkowloon, BouSalman, CertoraInc, Dravee, Funen, Hawkeye, IllIllI, Jujic, Kenshin, Kthere, Meta0xNull, Sleepy, TerrierLover, async, aysha, berndartmueller, catchup, cccz, cmichel, csanuragjain, danb, defsec, georgypetrov, hake, hubble, kenta, kyliek, pauliax, rfa, robee, sahar, shenwilly, teryanarmen
332.9018 USDC - $332.90
There are a few instances where function address inputs are not checked for the zero address.
https://github.com/code-423n4/2022-03-volt/blob/f1210bf3151095e4d371c9e9d7682d9031860bbd/contracts/vcon/Vcon.sol#L99-L104 https://github.com/code-423n4/2022-03-volt/blob/f1210bf3151095e4d371c9e9d7682d9031860bbd/contracts/oracle/ScalingPriceOracle.sol#L88 https://github.com/code-423n4/2022-03-volt/blob/f1210bf3151095e4d371c9e9d7682d9031860bbd/contracts/peg/NonCustodialPSM.sol#L297
The comments refer to FEI, but the contract pertains to VOLT.
All contracts contain a floating pragma. It is recommended to deploy contracts with a single, specific compiler version to reduce the risk of compiler version-related bugs.
If duration is set to less than 16 days, run the possibility that the _updateCPIData() function can be run multiple times in the same month. This would cause incorrect functionality within the _addNewMonth() function.
In the constructor, the individual bufferCap must be less than the global bufferCap. In the updateMaxBufferCap() function, the individual bufferCap can be less than or equal to global bufferCap.
The Pause/Unpause Redeem and Mint functions will emit an event despite the possibility that the function doesn't do anything. E.g. If you pauseMint() 5 times in a row, 5 events will be emitted but you actually only paused once. These functions should check that the current state is the opposite of the function action, e.g. if you want to pause, require !paused.
The _updateAddress() function can be used to update the rateLimit or the bufferCap, but the event emission only describes the rateLimit change. If only the bufferCap is changed, the event emission will simply describe no change to rateLimit.
Comment says the function adds an address, instead it updates an existing address.
Should use SafeMath in same way as performed in the _getMintAmountOut() function right above it.