Platform: Code4rena
Start Date: 17/03/2022
Pot Size: $30,000 USDC
Total HM: 8
Participants: 43
Period: 3 days
Judge: gzeon
Total Solo HM: 5
Id: 100
League: ETH
Rank: 25/43
Findings: 2
Award: $80.50
Selected for report: 0
Solo Findings: 0
Selected for report: defsec
Also found by: 0x1f8b, 0xDjango, 0xNazgul, 0xkatana, 0xwags, CertoraInc, Funen, GeekyLumberjack, GreyArt, IllIllI, Kenshin, Ruhum, TerrierLover, WatchPug, berndartmueller, bugwriter001, cccz, cmichel, csanuragjain, hake, kenta, kirk-baird, leastwood, minhquanym, oyc_109, peritoflores, rayn, remora, rfa, robee, saian, samruna, sorrynotsorry, wuwe1
51.8842 USDC - $51.88
Even though a require statement (that redemption fee != 0) is inconsequential on its own, its omission would be detrimental in the case of: https://github.com/code-423n4/2022-03-prepo/blob/f63584133a0329781609e3f14c3004c1ca293e71/contracts/core/PrePOMarket.sol#L167
Same for:
In setRedemptionFee(), there's only a requirement that the redemption fee is less than FEE_LIMIT, but the check on line 167 would still pass if the redemption fee was accidentally set to 0 (it still fulfills the condition that it is less than the fee limit). This causes no fee to be sent to the treasury, and the collateralOwed (which is sent to msg.sender) would be much larger than expected.
PS. After speaking to one of the devs, it was stated that this issue wouldn't be valid as it is just to prevent small amounts being passed in to avoid a fee. It wasn't clear from the documentation that the team wanted to implement a zero fee (From #mloch137: "We want to be able to set the redemption fee to zero if we wish, that is as intended"). I was told to proceed in submitting this issue as other team members might consider it to be valid.
#0 - ramenforbreakfast
2022-03-22T23:40:53Z
duplicate of #10
28.6158 USDC - $28.62
Use unchecked block to reduce gas.
Since the value will increase after the deposit, it'd be feasible to use it here as well:
Also:
Default value for uint256 is zero, no need to assign it:
#0 - ramenforbreakfast
2022-03-22T23:41:29Z
duplicates issues mentioned in #5 and #18