Platform: Code4rena
Start Date: 24/03/2023
Pot Size: $49,200 USDC
Total HM: 20
Participants: 246
Period: 6 days
Judge: Picodes
Total Solo HM: 1
Id: 226
League: ETH
Rank: 182/246
Findings: 1
Award: $13.13
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: brgltd
Also found by: 0x3b, 0xAgro, 0xGusMcCrae, 0xNorman, 0xRajkumar, 0xSmartContract, 0xTraub, 0xWagmi, 0xWaitress, 0xffchain, 0xhacksmithh, 0xkazim, 0xnev, 3dgeville, ArbitraryExecution, Aymen0909, BRONZEDISC, Bason, Bloqarl, BlueAlder, Brenzee, CodeFoxInc, CodingNameKiki, Cryptor, DadeKuma, DevABDee, Diana, Dug, Englave, Gde, Haipls, HollaDieWaldfee, Ignite, Infect3d, Jerry0x, Josiah, Kaysoft, Koko1912, KrisApostolov, Lavishq, LeoGold, Madalad, PNS, Rappie, RaymondFam, RedTiger, Rickard, Rolezn, Sathish9098, SunSec, T1MOH, UdarTeam, Udsen, Viktor_Cortess, Wander, adriro, ak1, alejandrocovrr, alexzoid, arialblack14, ayden, bin2chen, brevis, btk, c3phas, carlitox477, catellatech, ch0bu, chaduke, ck, climber2002, codeslide, descharre, dingo2077, ernestognw, fatherOfBlocks, favelanky, georgits, helios, hl_, inmarelibero, juancito, ks__xxxxx, lopotras, lukris02, m_Rassska, mahdirostami, maxper, nadin, navinavu, nemveer, p_crypt0, peanuts, pipoca, pixpi, qpzm, rbserver, reassor, roelio, rotcivegaf, scokaf, siddhpurakaran, slvDev, smaul, tnevler, tsvetanovv, turvy_fuzz, vagrant, wen, yac, zzzitron
13.1298 USDC - $13.13
When calling setPauseStaking and setPauseUnstaking, it is better to check that the input parameter differs from the currently stored value, so that no-op changes are rejected and misleading events are not emitted:
function setPauseStaking(bool _pause) external onlyOwner {
    require(_pause != pauseStaking, "pauseStaking unchanged!");
    pauseStaking = _pause;
    emit StakingPaused(pauseStaking);
}

/**
    @notice - Owner only function that enables/disables the unstake function
    @param _pause - true disables unstaking / false enables unstaking
*/
function setPauseUnstaking(bool _pause) external onlyOwner {
    require(_pause != pauseUnstaking, "pauseUnstaking unchanged!");
    pauseUnstaking = _pause;
    emit UnstakingPaused(pauseUnstaking);
}
function adjustWeight(
    uint256 _derivativeIndex,
    uint256 _weight
) external onlyOwner {
    // Reject an index that does not refer to an existing derivative
    require(_derivativeIndex < derivativeCount, "derivative does not exist!");
    weights[_derivativeIndex] = _weight;
    // Recompute the total from all stored weights
    uint256 localTotalWeight = 0;
    for (uint256 i = 0; i < derivativeCount; i++)
        localTotalWeight += weights[i];
    totalWeight = localTotalWeight;
    emit WeightChange(_derivativeIndex, _weight);
}
Lack of input checks on setMinAmount() and setMaxAmount()
setMinAmount() and setMaxAmount() do not check that minAmount and maxAmount are consistent with each other. If they are not, stake() will always revert.
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L214-L217
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L223-L226
Let's assume that the current minAmount = 10 * 10 ** 18 (which is 10 ETH) and maxAmount = 30 * 10 ** 18 (30 ETH), and the owner sets minAmount to 32 ETH without first checking the value of maxAmount. The stake function will then always revert because of these checks:
require(msg.value >= minAmount, "amount too low");
require(msg.value <= maxAmount, "amount too high");
Add checks in both set functions to make sure that minAmount <= maxAmount:
function setMinAmount(uint256 _minAmount) external onlyOwner {
    require(_minAmount <= maxAmount, "_minAmount is larger than maxAmount!");
    minAmount = _minAmount;
    emit ChangeMinAmount(minAmount);
}

function setMaxAmount(uint256 _maxAmount) external onlyOwner {
    require(_maxAmount >= minAmount, "_maxAmount is less than minAmount!");
    maxAmount = _maxAmount;
    emit ChangeMaxAmount(maxAmount);
}
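The 10 / 30 / 32 ETH scenario above, written as a Foundry test. This is an added example, not code from the report or from the project: `BoundsModel` is a constructed stand-in that copies only the two `require` checks in `stake` and the recommended `setMinAmount` guard. It omits `onlyOwner` and events, and it assumes forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the bounds logic quoted above; not the SafEth contract.
contract BoundsModel {
    uint256 public minAmount = 10 ether;
    uint256 public maxAmount = 30 ether;

    // Setter without a consistency check (the reported behaviour).
    function setMinAmountUnchecked(uint256 _minAmount) external {
        minAmount = _minAmount;
    }

    // Setter with the recommended check.
    function setMinAmount(uint256 _minAmount) external {
        require(_minAmount <= maxAmount, "_minAmount is larger than maxAmount!");
        minAmount = _minAmount;
    }

    function stake() external payable {
        require(msg.value >= minAmount, "amount too low");
        require(msg.value <= maxAmount, "amount too high");
    }
}

contract BoundsModelTest is Test {
    BoundsModel model = new BoundsModel();

    // With min = 32 ETH and max = 30 ETH, no msg.value can pass both checks.
    function testFuzz_StakeAlwaysRevertsWhenMinAboveMax(uint96 amount) public {
        model.setMinAmountUnchecked(32 ether);
        vm.deal(address(this), amount);
        vm.expectRevert();
        model.stake{value: amount}();
    }

    // The guarded setter rejects the misconfiguration and staking keeps working.
    function test_CheckedSetterRejectsMinAboveMax() public {
        vm.expectRevert(bytes("_minAmount is larger than maxAmount!"));
        model.setMinAmount(32 ether);
        vm.deal(address(this), 20 ether);
        model.stake{value: 20 ether}();
        assertEq(address(model).balance, 20 ether);
    }
}
```

The fuzz test covers both failure branches: values below 32 ETH fail the lower bound, and values at or above 32 ETH fail the upper bound.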
#0 - c4-sponsor
2023-04-10T19:17:07Z
elmutt marked the issue as sponsor confirmed
#1 - c4-judge
2023-04-24T18:52:54Z
Picodes marked the issue as grade-b