Platform: Code4rena
Start Date: 11/01/2023
Pot Size: $60,500 USDC
Total HM: 6
Participants: 69
Period: 6 days
Judge: Trust
Total Solo HM: 2
Id: 204
League: ETH
Rank: 42/69
Findings: 1
Award: $36.24
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: CodingNameKiki
Also found by: 0x1f8b, 0x52, 0x5rings, 0xAgro, 0xSmartContract, 0xcm, 0xkato, 2997ms, Aymen0909, BClabs, BPZ, BRONZEDISC, Bauer, Bnke0x0, Deekshith99, IllIllI, Josiah, Kaysoft, RaymondFam, Rolezn, SaeedAlipoor01988, Tajobin, Udsen, Viktor_Cortess, adriro, arialblack14, betweenETHlines, btk, chaduke, chrisdior4, cryptphi, csanuragjain, cygaar, defsec, descharre, erictee, gzeon, hansfriese, horsefacts, joestakey, koxuan, lukris02, luxartvinsec, nicobevi, oyc_109, pavankv, peanuts, rbserver, scokaf, shark, tnevler, tsvetanovv, zaskoh
36.2377 USDC - $36.24
| Issue | |
|---|---|
| LOW-01 | The divisor may be 0 |
| LOW-02 | Validate the cash decimals >= collateral decimals. |
| Issue | |
|---|---|
| NC-1 | Stop using V == 27 |
| NC-2 | Lines are too long |
| NC-3 | Solidity versions should be consistent |
| NC-4 | No same value input control |
| NC-5 | Check the Address 0 |
We don't have the validtion of epochDuration value. If epochDuration is 0, the flow will be reverted without a valid error message.
Proof Of Concept https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/cash/CashManager.sol#L176
Recommended Mitigation Steps Add a validation of this value to make sure it is not 0.
cash decimals >= collateral decimals.In the annotation, we assume ````cash decimals >= collateral decimals```, but actually we need one line to validate it.
Proof Of Concept
https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/cash/CashManager.sol#L178-L182
Recommended Mitigation Steps
Validate the cash decimals >= collateral decimals.
Proof Of Concept
https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/cash/kyc/KYCRegistry.sol#L87
Recommended Mitigation Steps See this reference: https://twitter.com/alexberegszaszi/status/1534461421454606336?s=20&t=H0Dv3ZT2bicx00hLWJk7Fg
Usually lines in source code are limited to 80 characters. Today’s screens are much larger so it’s reasonable to stretch this in some cases. Since the files will most likely reside in GitHub, and GitHub starts using a scroll bar in all cases when the length is over 164 characters, the lines below should be split when they reach that length.
Reference: https://docs.soliditylang.org/en/v0.8.10/style-guide.html#maximum-line-length
Proof Of Concept
Recommended Mitigation Steps Follow the recommended solidity doc and reduce the lengths of codes.
Most of solidity versions in the files are pragma solidity 0.8.16;, but in
cErc20ModifiedDelegator.sol, the value is pragma solidity ^0.5.12;
Proof Of Concept
https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/lending/tokens/cErc20ModifiedDelegator.sol Recommended Mitigation Steps Make the versions consistent
function setMintFee( uint256 _mintFee ) external override onlyRole(MANAGER_ADMIN) { if (_mintFee >= BPS_DENOMINATOR) { revert MintFeeTooLarge(); } uint256 oldMintFee = mintFee; mintFee = _mintFee; emit MintFeeSet(oldMintFee, _mintFee); }
Recommended Mitigation Steps Add code like this; if (mintFee ==_mintFee);
function setFeeRecipient( address _feeRecipient ) external override onlyRole(MANAGER_ADMIN) { address oldFeeRecipient = feeRecipient; feeRecipient = _feeRecipient; emit FeeRecipientSet(oldFeeRecipient, _feeRecipient); }
Recommended Mitigation Steps if(_feeRecipient == address(0)) revert;
#0 - c4-judge
2023-01-22T19:07:40Z
trust1995 marked the issue as grade-b