Mimo August 2022 contest - 0xNazgul's results

Lines of code

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/automated/MIMOAutoAction.sol#L32 https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/automated/MIMOAutoRebalance.sol#L54

Vulnerability details

Impact

A vaultOwner who is "not confident enough in ourselves to stay up-to-date with market conditions to know when we should move to less volatile collateral to avoid liquidations." They can open their vault to other users who pay attention to the markets and would call rebalance to recieve the insentivized fees. The vaultOwner who doesn't want to pay the baiting high fees instead front-runs the autoRebalance() with setAutomation() to lower incentives.

Proof of Concept

1. A Mallory a vaultOwner isn't confident in staying up-to-date with market conditions. She has her vault setup to be automated and has high fee incentives.
2. Alice a user who is confident in staying up-to-date with market conditions see's a profitable opportunity and calls rebalance().
3. Mallory is confident in her programing and watching mempools for when rebalance() is called. See's that Alice just called rebalance() and calls setAutomation() to lower the incentives.
4. Alice's call to rebalance() then goes through getting lower incentives and Mallory then calls setAutomation() to set the incentives back to normal.

Tools Used

Manual Review

Recommended Mitigation Steps

Add a time-lock to setAutomation so that the vaultOwner can't front-run users.

[NAZ-L1] receive() Function Should Emit An Event

Severity: Low Context: MIMOProxy.sol#L38

Description: Consider emitting an event inside this function with msg.sender and msg.value as the parameters. This would make it easier to track incoming ether transfers.

Recommendation: Add events to the receive() functions.

[NAZ-N1] Function && Variable Naming Convention

Severity Informational Context: IMIMOProxyFactory.sol#L21

Description: The linked variables do not conform to the standard naming convention of Solidity whereby functions and variable names(local and state) utilize the mixedCase format unless variables are declared as constant in which case they utilize the UPPER_CASE_WITH_UNDERSCORES format.

Recommendation: Naming conventions utilized by the linked statements are adjusted to reflect the correcttype of declaration according to the Solidity style guide.

[NAZ-N2] Incorrect Function Order

Severity: Informational Context: IMIMOProxy.sol#L50, IMIMOProxyFactory.sol#L28, IMIMOProxyRegistry.sol#L29, MIMOProxyRegistry.sol#L40

Description: Function order is incorrect, external functions can not go after external view functions.

Recommendation: Consider moving said functions to their appropiate positions.

[NAZ-N3] Missing Use of solhint-disable-next-line

Severity: Informational Context: MIMOSwap.sol#L52, MIMOSwap.sol#L57, MIMOProxy.sol#L133, MIMOProxy.sol#L136

Description: solhint-disable-next-line can be used for small linter errors to disable these errors.

Recommendation: Consider Using solhint-disable-next-line.

[NAZ-N4] Code Contains Empty Blocks

Severity: Informational Context: MIMOFlashloan.sol#L44

Description: It's best practice that when there is an empty block, to add a comment in the block exmplaining why it's empty.

Recommendation: Consider adding /* Comment on why */ to the empty block.

[NAZ-N5] Comment Line Length

Severity: Informational Context: MIMOEmptyVault.sol#L11, MIMORebalance.sol#L11, IMIMOProxy.sol#L19, MIMOAutoRebalance.sol#L50, MIMOAutoRebalance.sol#L157, MIMOAutoRebalance.sol#L254, MIMOFlashloan.sol#L35-L36,

Description: Max line length must be no more than 120 but many comments are extended past this length.

Recommendation: Consider cutting down the line length below 120.

[NAZ-N6] Missing override Keyword

Severity: Informational Context: MIMOEmptyVault.sol#L116

Description: All public or external methods in a contract must override a definition from an interface.

Recommendation: Consider adding in the override keyword.

[NAZ-N7] Spelling Errors

Severity: Informational Context: MIMOSwap.sol#L13 (mimo => MIMO), MIMOVaultActions.sol#L14 (paking => packing), MIMOVaultActions.sol#L87 (emptyvault => EmptyVault), MIMOAutoRebalance.sol#L21 (autorebalanced => autoRebalanced), MIMOAutoRebalance.sol#L52 (aggegator => aggregator), MIMOAutoRebalance.sol#L254 (allowedVaration => allowedVariation), MIMOManagedRebalance.sol#L48 (aggegator => aggregator), MIMOManagedRebalance.sol#L170 (allowedVaration => allowedVariation)

Description: Spelling errors in comments can cause confusion to both users and developers.

Recommendation: Check all misspellings to ensure they are corrected.

[NAZ-N8] Floating Pragma

Severity: Informational Context: MIMOProxy.sol, MIMOProxyFactory.sol, MIMOProxyRegistry.sol, IMIMOProxy.sol, IMIMOProxyFactory.sol, IMIMOProxyRegistry.sol

Description: Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.

Recommendation: Lock the pragma version.

[NAZ-N9] Multiple Solidity Pragma

Severity: Informational Context: MIMOProxy.sol, MIMOProxyFactory.sol, MIMOProxyRegistry.sol, IMIMOProxy.sol, IMIMOProxyFactory.sol, IMIMOProxyRegistry.sol

Description: It is better to use one Solidity compiler version across all contracts instead of different versions with different bugs and security checks.

Recommendation: Ensure all pragma versions are the same one.

[NAZ-N10] Older Version Pragma

Severity: Informational Context: MIMOProxy.sol, MIMOProxyFactory.sol, MIMOProxyRegistry.sol, IMIMOProxy.sol, IMIMOProxyFactory.sol, IMIMOProxyRegistry.sol

Description: Using very old versions of Solidity prevents benefits of bug fixes and newer security checks. Using the latest versions might make contracts susceptible to undiscovered compiler bugs.

Recommendation: Consider using the most recent version.

[NAZ-N11] Missing or Incomplete NatSpec

Severity: Informational Context: All Contracts

Description: Some functions are missing @notice/@dev NatSpec comments for the function, @param for all/some of their parameters and @return for return values. Given that NatSpec is an important part of code documentation, this affects code comprehension, auditability and usability.

Recommendation: Add in full NatSpec comments for all functions to have complete code documentation for future use.

[NAZ-G1] Use ++index instead of index++ to increment a loop counter

Context: MIMOProxy.sol#L132

Description: Due to reduced stack operations, using ++index saves 5 gas per iteration.

Recommendation: Use ++index to increment a loop counter.

[NAZ-G2] The Increment In For Loop Post Condition Can Be Made Unchecked

Context: MIMOProxy.sol#L132

Description: (This is only relevant if you are using the default solidity checked arithmetic). i++ involves checked arithmetic, which is not required. This is because the value of i is always strictly less than length <= 2**256 - 1. Therefore, the theoretical maximum value of i to enter the for-loop body is 2**256 - 2. This means that the i++ in the for loop can never overflow. Regardless, the overflow checks are performed by the compiler.

Unfortunately, the Solidity optimizer is not smart enough to detect this and remove the checks. One can manually do this by:

for (uint i = 0; i < length; i = unchecked_inc(i)) {
    // do something that doesn't change the value of i
}

function unchecked_inc(uint i) returns (uint) {
    unchecked {
        return i + 1;
    }
}

Note that it’s important that the call to unchecked_inc is inlined. This is only possible for solidity versions starting from 0.8.2.

Recommendation: The increment in the for loop post condition can be made unchecked.

[NAZ-G3] Catching The Array Length Prior To Loop

Context: MIMOProxy.sol#L132

Description: One can save gas by caching the array length (in stack) and using that set variable in the loop. Replace state variable reads and writes within loops with local variable reads and writes. This is done by assigning state variable values to new local variables, reading and/or writing the local variables in a loop, then after the loop assigning any changed local variables to their equivalent state variables.

Recommendation: Simply do something like so before the for loop: uint length = variable.length. Then add length in place of variable.length in the for loop.

[NAZ-G4] Setting The Constructor To Payable

Context: All Contracts

Description: You can cut out 10 opcodes in the creation-time EVM bytecode if you declare a constructor payable. Making the constructor payable eliminates the need for an initial check of msg.value == 0 and saves 21 gas on deployment with no security risks.

Recommendation: Set the constructor to payable.

[NAZ-G5] Function Ordering via Method ID

Context: All Contracts

Description: Contracts most called functions could simply save gas by function ordering via Method ID. Calling a function at runtime will be cheaper if the function is positioned earlier in the order (has a relatively lower Method ID) because 22 gas are added to the cost of a function for every position that came before it. The caller can save on gas if you prioritize most called functions. One could use This tool to help find alternative function names with lower Method IDs while keeping the original name intact.

Recommendation: Find a lower method ID name for the most called functions for example mostCalled() vs. mostCalled_41q() is cheaper by 44 gas.