Platform: Code4rena
Start Date: 22/09/2023
Pot Size: $100,000 USDC
Total HM: 15
Participants: 175
Period: 14 days
Judge: alcueca
Total Solo HM: 4
Id: 287
League: ETH
Rank: 96/175
Findings: 2
Award: $25.79
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xTheC0der
Also found by: 0x180db, 0xDING99YA, 0xRstStn, 0xTiwa, 0xWaitress, 0xblackskull, 0xfuje, 3docSec, Aamir, Black_Box_DD, HChang26, Hama, Inspecktor, John_Femi, Jorgect, Kek, KingNFT, Kow, Limbooo, MIQUINHO, MrPotatoMagic, NoTechBG, Noro, Pessimistic, QiuhaoLi, SovaSlava, SpicyMeatball, T1MOH, TangYuanShen, Vagner, Viktor_Cortess, Yanchuan, _eperezok, alexweb3, alexxander, ast3ros, ayden, bin2chen, blutorque, btk, ciphermarco, ether_sky, gumgumzum, gztttt, hals, imare, its_basu, joaovwfreire, josephdara, klau5, kodyvim, ladboy233, marqymarq10, mert_eren, minhtrng, n1punp, nobody2018, oada, orion, peakbolt, peritoflores, perseverancesuccess, pfapostol, rvierdiiev, stuxy, tank, unsafesol, ustas, windhustler, zambody, zzzitron
0.1127 USDC - $0.11
https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L85
payableCall in VirtualAccount is not protected by requiresApprovedCaller, unlike the call function, even though it does the exact same thing.
Impact: callers who are not allowed to invoke call can instead invoke payableCall with a msg.value of 0, making the access control useless.
NA
Add requiresApprovedCaller to payableCall.
Access Control
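An added illustration of the recommended fix, not the project's VirtualAccount code: the structs, the approval registry and the modifier body are assumed, and the point is that payableCall carries the same requiresApprovedCaller gate as call, so the msg.value == 0 path no longer bypasses the access control.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative stand-in for a VirtualAccount-style contract (assumed layout,
// not the Maia code). Shows the hardened form: call() and payableCall() share
// the same requiresApprovedCaller gate.
struct Call { address target; bytes callData; }
struct PayableCall { address target; bytes callData; uint256 value; }

contract VirtualAccountHardened {
    address public immutable userAddress;            // account owner
    mapping(address => bool) public approvedRouter;  // assumed approval registry

    error UnauthorizedCaller();
    error CallFailed();
    error ValueMismatch();

    constructor(address _user) { userAddress = _user; }

    // Assumed gate: only the owner or an approved router may act on the account.
    modifier requiresApprovedCaller() {
        if (msg.sender != userAddress && !approvedRouter[msg.sender]) revert UnauthorizedCaller();
        _;
    }

    function call(Call[] calldata calls) external requiresApprovedCaller returns (bytes[] memory ret) {
        ret = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory data) = calls[i].target.call(calls[i].callData);
            if (!ok) revert CallFailed();
            ret[i] = data;
        }
    }

    // Fixed: without requiresApprovedCaller here, any address could run the same
    // arbitrary calls through payableCall with value == 0, bypassing the gate on call().
    function payableCall(PayableCall[] calldata calls) external payable requiresApprovedCaller returns (bytes[] memory ret) {
        uint256 spent;
        ret = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; i++) {
            spent += calls[i].value;
            (bool ok, bytes memory data) = calls[i].target.call{value: calls[i].value}(calls[i].callData);
            if (!ok) revert CallFailed();
            ret[i] = data;
        }
        // Defensive check: the ETH forwarded must equal what was sent with the transaction.
        if (spent != msg.value) revert ValueMismatch();
    }

    receive() external payable {}
}
```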
#0 - c4-pre-sort
2023-10-08T14:33:48Z
0xA5DF marked the issue as duplicate of #888
#1 - c4-pre-sort
2023-10-08T14:40:56Z
0xA5DF marked the issue as sufficient quality report
#2 - c4-judge
2023-10-26T11:32:10Z
alcueca changed the severity to 3 (High Risk)
#3 - c4-judge
2023-10-26T11:32:15Z
alcueca marked the issue as satisfactory
🌟 Selected for report: MrPotatoMagic
Also found by: 0xAadi, 0xDING99YA, 0xDemon, 0xRstStn, 0xSmartContract, 0xStriker, 0xWaitress, 0xbrett8571, 0xfuje, 0xsagetony, 0xsurena, 33BYTEZZZ, 3docSec, 7ashraf, ABA, ABAIKUNANBAEV, Aamir, Audinarey, Bauchibred, Black_Box_DD, Daniel526, DanielArmstrong, DanielTan_MetaTrust, Dinesh11G, Eurovickk, Franklin, Inspecktor, John, Jorgect, Joshuajee, K42, Kek, Koolex, LokiThe5th, MIQUINHO, Myd, NoTechBG, QiuhaoLi, SanketKogekar, Sathish9098, Sentry, Soul22, SovaSlava, Stormreckson, Tendency, Topmark, Udsen, V1235816, Viktor_Cortess, Viraz, Yanchuan, ZdravkoHr, Zims, albahaca, albertwh1te, alexweb3, alexxander, ast3ros, audityourcontracts, bareli, bin2chen, bronze_pickaxe, c0pp3rscr3w3r, cartlex_, castle_chain, chaduke, debo, ether_sky, gumgumzum, imare, its_basu, jaraxxus, jasonxiale, josephdara, kodyvim, ladboy233, lanrebayode77, lsaudit, mert_eren, minhtrng, n1punp, nadin, niroh, nmirchev8, orion, peakbolt, perseverancesuccess, pfapostol, ptsanev, rvierdiiev, saneryee, shaflow2, te_aut, terrancrypt, twcctop, unsafesol, ustas, versiyonbir, windhustler, yongskiws, zhaojie, ziyou-
25.6785 USDC - $25.68
[L-1] The strict equality check in replenishReserves is unnecessary, as some strategies may return additional funds on withdrawal due to excess yield.
A PortStrategy operates on the port's balance of a token to earn yield, if applicable. The port's tokens can be called back by calling withdraw on the strategy contract. However, the post-withdrawal balance is required to be exactly equal to the balance before plus the requested withdrawal amount. This creates a problem for strategies that have internal pricing and would withdraw additional funds.
Another issue is that the strategy has no way to report gains against its debt, so there is no way to increase the overall token balance recorded in the BranchPort, even if the strategy makes a profit from its management.
require(ERC20(_token).balanceOf(address(this)) - currBalance == _amount, "Port Strategy Withdraw Failed");
Recommendation: enforce greater than or equal to.
require(ERC20(_token).balanceOf(address(this)) - currBalance >= _amount, "Port Strategy Withdraw Failed");
[L-2] addStrategyToken in BranchPort should check for a duplicate _token.
addStrategyToken pushes the token onto the strategyTokens array and sets the token-specific minimum reserve ratio. Hence it should check for duplicates to prevent overwriting an existing entry (and pushing the same token onto the array twice).
    function addStrategyToken(address _token, uint256 _minimumReservesRatio) external override requiresCoreRouter {
        if (_minimumReservesRatio >= DIVISIONER || _minimumReservesRatio < MIN_RESERVE_RATIO) {
            revert InvalidMinimumReservesRatio();
        }
        strategyTokens.push(_token);
        getMinimumTokenReserveRatio[_token] = _minimumReservesRatio;
        isStrategyToken[_token] = true;
        emit StrategyTokenAdded(_token, _minimumReservesRatio);
    }

Suggested fix (added line marked with +++):

    function addStrategyToken(address _token, uint256 _minimumReservesRatio) external override requiresCoreRouter {
+++     require(getMinimumTokenReserveRatio[_token] == 0, "token already exists");
#0 - c4-pre-sort
2023-10-15T13:20:40Z
0xA5DF marked the issue as sufficient quality report
#1 - c4-judge
2023-10-21T13:00:11Z
alcueca marked the issue as grade-a