Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $55,000 USDC
Total HM: 29
Participants: 88
Period: 5 days
Judge: gzeon
Total Solo HM: 7
Id: 134
League: ETH
Rank: 37/88
Findings: 3
Award: $180.67
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: kenzo
Also found by: 0x52, 0xkowloon, GalloDaSballo, Metatron, WatchPug, cccz, hansfriese, kirk-baird
54.27 USDC - $54.27
Fees would not have been charged to msg.sender, while the fee can still be withdrawn through withdrawFee, causing missing funds.
The function lend only transfers lent amount of underlying tokens from msg.sender to the Lender contract, which lent is the sum of amountLent and each amountLent is equal to amount - fee. Meanwhile, fees[u] is increased by totalFee, which is the sum of fee calculated by calculateFee(amount). The contract records an intake of lent + totalFee, but has only charged lent, causing an accounting error and a loss of funds.
The function should instead transfer lent + totalFee.
Safe.transferFrom(IERC20(u), msg.sender, address(this), lent + totalFee);
#0 - KenzoAgada
2022-06-28T08:16:07Z
Duplicate of #201
🌟 Selected for report: defsec
Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xkowloon, 0xmint, Bnke0x0, BowTiedWardens, Chom, ElKu, Funen, GalloDaSballo, GimelSec, IllIllI, JC, Kenshin, Kulk0, Lambda, Limbooo, MadWookie, Metatron, Picodes, Soosh, StErMi, TomJ, WatchPug, Waze, Yiko, _Adam, ak1, asutorufos, aysha, bardamu, catchup, datapunk, delfin454000, dipp, fatherOfBlocks, grGred, hake, hansfriese, hyh, joestakey, kebabsec, kenzo, kirk-baird, oyc_109, pashov, poirots, rfa, robee, saian, sashik_eth, shenwilly, simon135, slywaters, z3s, zeesaw, zer0dot
63.9425 USDC - $63.94
redeem that calls Redeemer’s function authRedeem, which has its own Redeem event.principalToken(u, m); is required. The extra (u, m); looks like a careless error that should be removed. It doesn’t do anything.Summary: setAdmin should be a 2-step function to prevent setting the wrong address.
Location:
https://github.com/code-423n4/2022-06-illuminate/blob/3ca41a9f529980b17fdc67baf8cbee5a8035afab/lender/Lender.sol#L129
https://github.com/code-423n4/2022-06-illuminate/blob/92cbb0724e594ce025d6b6ed050d3548a38c264b/redeemer/Redeemer.sol#L62
https://github.com/code-423n4/2022-06-illuminate/blob/92cbb0724e594ce025d6b6ed050d3548a38c264b/marketplace/MarketPlace.sol#L109
Issue: setAdmin is recommended to follow a 2-step approach: 1) The current privileged role proposes a new address for the change 2) The newly proposed address then claims the privileged role in a separate transaction. This prevents setting the wrong admin address and thus losing admin control of the contracts forever.
See Uniswap’s governance contract for some examples. https://github.com/Uniswap/governance/blob/master/contracts/Timelock.sol#L53 https://github.com/Uniswap/governance/blob/master/contracts/Timelock.sol#L45
setAdmin function is missing an event log. For functions that change critical contract parameters, it is important to emit an event so that system monitors can pick up the change and adjust their engagement with the system accordingly.(uint256, uint256, uint256), while the Natspec declare only the return of a single uint256. It is missing documentation for the rest of the uint256.setAdmin, for functions that change critical contract parameters, it is important to emit an event so that system monitors can pick up the change and adjust their engagement with the system accordingly.Summary: Redeemer.redeem should check o’s token balance instead of msg.sender’s.
Location:
https://github.com/code-423n4/2022-06-illuminate/blob/3ca41a9f529980b17fdc67baf8cbee5a8035afab/redeemer/Redeemer.sol#L120
Issue: Since the function calls token.burn(o, amount); to burn principal tokens from o, it does not make sense to get the amount from token.balanceOf(msg.sender). It should instead get it from token.balanceOf(“o”).
🌟 Selected for report: BowTiedWardens
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 0xkowloon, Bnke0x0, ElKu, Fitraldys, Funen, GalloDaSballo, IllIllI, JC, Kaiziron, Lambda, MadWookie, Noah3o6, Nyamcil, RoiEvenHaim, TomJ, Tomio, UnusualTurtle, Waze, _Adam, ajtra, asutorufos, bardamu, c3phas, catchup, datapunk, defsec, delfin454000, fatherOfBlocks, grGred, hake, hansfriese, hyh, ignacio, joestakey, kebabsec, ladboy233, oyc_109, pashov, poirots, rfa, robee, sach1r0, samruna, sashik_eth, simon135, slywaters, z3s, zer0dot
62.4602 USDC - $62.46
Summary: redeem function should not prematurely get msg.sender token balance
Location: https://github.com/code-423n4/2022-06-illuminate/blob/3ca41a9f529980b17fdc67baf8cbee5a8035afab/redeemer/Redeemer.sol#L122
Issue: The function gets msg.sender’s balance before checking the token’s maturity. It would have been gas wasted if the token has not reached maturity as the “amount” variable is not used. Move uint256 amount = token.balanceOf(msg.sender) to after the maturity check.