Platform: Code4rena
Start Date: 25/11/2021
Pot Size: $80,000 USDC
Total HM: 35
Participants: 32
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 27
Id: 59
League: ETH
Rank: 23/32
Findings: 1
Award: $467.26
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: 0xwags
367.919 USDC - $367.92
0xwags
Since users' forfeited awards will be shared between the treasury and the swing trader, there should be a zero address check in the initialize() function to ensure rewards are not lost, which would affect Malt's collateralisation and other such funding mechanisms.
This will have implications for the safetransfer() functions on lines 50 & 54 in handleForfeit().
Manual Analysis.
require(treasuryMultisig != address(0) && swingTrader != address(0), "0x0");
#0 - GalloDaSballo
2022-01-09T22:56:07Z
Heavily disagree with severity on this finding
The finding is valid, but as per most auditing firms, lack of input validation is a low severity finding.
The consequences shown by the warden are not as dire as they sound, as doing a CALL on address 0 will revert.
Will mark this as Low Severity
0xwags
Lines 88-94 & lines 104-109, emergencyWithdraw() & partialwithdraw(), are critical functions that require an event, as funds will be withdrawn from both.
Additionally, there needs to be a zero address check to ensure that funds are not sent to this address, which would result in a loss of funds during an emergency withdrawal or in the case of a partial withdrawal.
Manual Analysis
Include events for both functions. Also, before lines 90 & 104, add require(destination != address(0));
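The two recommendations above (zero address checks in initialize() and on the withdrawal destination, plus events on both withdrawal functions), applied to a minimal contract as an added illustration; this is not Malt's code, and the token interface, admin model and storage layout are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Constructed illustration, not Malt's code. Names follow the report (treasuryMultisig,
// swingTrader, initialize, emergencyWithdraw, partialWithdraw); the rest is assumed.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract ForfeitHandlerExample {
    IERC20 public immutable rewardToken;
    address public admin;
    address public treasuryMultisig;
    address public swingTrader;
    bool private initialized;

    // Finding 2: withdrawals are critical state changes; emit so they can be monitored off-chain.
    event EmergencyWithdraw(address indexed destination, uint256 amount);
    event PartialWithdraw(address indexed destination, uint256 amount);
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor(IERC20 _rewardToken) {
        rewardToken = _rewardToken;
        admin = msg.sender;
    }

    // Finding 1: forfeited rewards are split between these two addresses,
    // so neither may be address(0) once initialize() has run.
    function initialize(address _treasuryMultisig, address _swingTrader) external onlyAdmin {
        require(!initialized, "initialized");
        require(_treasuryMultisig != address(0) && _swingTrader != address(0), "0x0");
        treasuryMultisig = _treasuryMultisig;
        swingTrader = _swingTrader;
        initialized = true;
    }

    // Finding 2: zero-address check before the transfer, event after it.
    function emergencyWithdraw(address destination) external onlyAdmin {
        require(destination != address(0), "0x0");
        uint256 amount = rewardToken.balanceOf(address(this));
        require(rewardToken.transfer(destination, amount), "transfer failed");
        emit EmergencyWithdraw(destination, amount);
    }

    function partialWithdraw(address destination, uint256 amount) external onlyAdmin {
        require(destination != address(0), "0x0");
        require(rewardToken.transfer(destination, amount), "transfer failed");
        emit PartialWithdraw(destination, amount);
    }
}
```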
#0 - 0xScotch
2021-12-10T01:12:29Z
#64
#1 - GalloDaSballo
2022-01-09T22:58:07Z
Duplicate of #64