Platform: Code4rena
Start Date: 07/06/2022
Pot Size: $75,000 USDC
Total HM: 11
Participants: 77
Period: 7 days
Judge: gzeon
Total Solo HM: 7
Id: 124
League: ETH
Rank: 60/77
Findings: 1
Award: $88.16
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: berndartmueller
Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 0xmint, Bronicle, Chom, Cityscape, Deivitto, Funen, GimelSec, GreyArt, IllIllI, JC, Lambda, Meera, Nethermind, Picodes, PierrickGT, Ruhum, Sm4rty, Tadashi, TerrierLover, TomJ, Trumpero, Waze, _Adam, antonttc, ayeslick, c3phas, catchup, cccz, cloudjunky, cryptphi, csanuragjain, delfin454000, dipp, ellahi, fatherOfBlocks, hake, hansfriese, hyh, joestakey, jonah1005, kenzo, minhquanym, oyc_109, sach1r0, saian, simon135, slywaters, sorrynotsorry, sseefried, unforgiven, xiaoming90, z3s, zzzitron
88.1603 USDC - $88.16
Implementation contracts deployed behind proxies are recommended to have no constructor: state that a constructor sets is written to the implementation's own storage slots at deployment and cannot be accessed by the proxy afterwards. Although no further vulnerabilities were found regarding this topic, OpenZeppelin suggests not using constructors when creating implementations.
Contracts may need to be redeployed if any of the addresses required as input is address(0) on the pointed lines of code. Adding checks to prevent that scenario may solve this potential issue.
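The two points above (no state-setting constructor in a proxied implementation, and zero-address checks on address inputs) shown side by side as an added example. This is not code from the audited contracts; the contract, variable and function names are hypothetical, and the hand-written `initialized` flag stands in for a library initializer guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contracts for illustration; names are not from the audited code base.

// Before: state is set in the constructor. Behind a proxy, `owner` and `token`
// are written to the implementation's own storage, so calls made through the
// proxy (delegatecall) read zero values from the proxy's storage instead.
contract VaultWithConstructor {
    address public owner;
    address public token;

    constructor(address _owner, address _token) {
        owner = _owner; // no address(0) check: a bad input forces a redeploy
        token = _token;
    }
}

// After: the constructor sets no state the proxy relies on. An initializer is
// called through the proxy, so it writes the proxy's storage, and it rejects
// zero addresses before storing them.
contract VaultInitializable {
    address public owner;
    address public token;
    bool private initialized;

    // Runs once on the implementation only: locks it so that nobody can
    // initialize the implementation contract directly. The proxy's own
    // `initialized` slot is untouched and still false.
    constructor() {
        initialized = true;
    }

    function initialize(address _owner, address _token) external {
        require(!initialized, "already initialized");
        require(_owner != address(0), "owner is zero address");
        require(_token != address(0), "token is zero address");
        initialized = true;
        owner = _owner;
        token = _token;
    }
}
```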
Currently, the deployWrapper function in WrappedfCashFactory.sol does not check for or implement a deployment cooldown before another wfCash contract with a different maturity is deployed for the same currencyId. If user A front-runs other users while deploying, it may waste the legitimate deployers' gas. Although deploying a wrapped contract does not grant any further privileges, this may frustrate other users who tried to deploy and wasted their gas. This is not technically a denial of service, because once the contract is deployed everyone will be able to interact with the maturity-id coin contract, but it follows the same principle of impeding others from deploying a contract.
```python
def test_waste_others_gas(factory, env):
    # `factory` and `env` are fixtures from the project's test suite.
    markets = env.notional.getActiveMarkets(2)
    for times in range(10):
        # Using any valid maturity at most will pass the deployment requirements
        maturity = markets[0][1] - 86400 * times
        txn = factory.deployWrapper(2, maturity, {'from': env.whales["DAI_CONTRACT"]})
```