Platform: Code4rena
Start Date: 25/08/2022
Pot Size: $75,000 USDC
Total HM: 35
Participants: 147
Period: 7 days
Judge: 0xean
Total Solo HM: 15
Id: 156
League: ETH
Rank: 111/147
Findings: 1
Award: $54.31
Selected for report: 0
Solo Findings: 0
Selected for report: zzzitron
Also found by: 0x040, 0x1f8b, 0x52, 0x85102, 0xDjango, 0xNazgul, 0xNineDec, 0xSky, 0xSmartContract, 0xkatana, 8olidity, Aymen0909, Bahurum, BipinSah, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chandr, Chom, CodingNameKiki, Deivitto, DimSon, Diraco, ElKu, EthLedger, Funen, GalloDaSballo, Guardian, IllIllI, JansenC, Jeiwan, Lambda, LeoS, Margaret, MasterCookie, PPrieditis, PaludoX0, Picodes, PwnPatrol, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, StevenL, The_GUILD, TomJ, Tomo, Trust, Waze, __141345__, ajtra, ak1, apostle0x01, aviggiano, bin2chen, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, cccz, ch13fd357r0y3r, cloudjunky, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, devtooligan, dipp, djxploit, durianSausage, eierina, enckrish, erictee, fatherOfBlocks, gogo, grGred, hansfriese, hyh, ignacio, indijanc, itsmeSTYJ, ladboy233, lukris02, martin, medikko, mics, natzuu, ne0n, nxrblsrpr, okkothejawa, oyc_109, p_crypt0, pfapostol, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, sorrynotsorry, tnevler, tonisives, w0Lfrum, yixxas
54.3128 DAI - $54.31
safeApprove() is deprecated in favor of safeIncreaseAllowance() and safeDecreaseAllowance(). When the only use is setting the initial allowance to the value that means infinite, safeIncreaseAllowance() can be used instead.
File: src/policies/BondCallback.sol
57: ohm.safeApprove(address(MINTR), type(uint256).max);
167: ohm.safeApprove(address(MINTR), type(uint256).max);
It is good practice to add a require() statement that checks the return value of token transfers, or to use something like OpenZeppelin's safeTransfer/safeTransferFrom, unless one is sure the given token reverts on failure. Otherwise a failed transfer passes silently and the token accounting in the contract no longer matches the balances actually moved.
File: src/policies/Governance.sol
259: VOTES.transferFrom(msg.sender, address(this), userVotes);
⋮
312: VOTES.transferFrom(address(this), msg.sender, userVotes);
The function arguments linked below are declared as memory even though the functions are external.
File: src/modules/PRICE.sol
205  function initialize(uint256[] memory startObservations_, uint48 lastObservationTime_)
206:     external

File: src/policies/BondCallback.sol
151  /// @param tokens_ - Array of tokens to send
152: function batchToTreasury(ERC20[] memory tokens_) external onlyRole("callback_admin") {

File: src/policies/Governance.sol
70   function requestPermissions()
71:     external
72       view
162      string memory proposalURI_
163: ) external {

File: src/policies/PriceConfig.sol
45   function initialize(uint256[] memory startObservations_, uint48 lastObservationTime_)
46:     external
47       onlyRole("price_admin")

File: src/policies/TreasuryCustodian.sol
53: function revokePolicyApprovals(address policy_, ERC20[] memory tokens_) external {
54      if (Policy(policy_).isActive()) revert PolicyStillActive();
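The usual remedy for the locations above is to mark the argument calldata. The contract below is an added example, not project code and not from the warden's submission; it mirrors the shape of the flagged initialize() and proposalURI_ parameters with constructed names (ObservationSink, the storage arrays) and shows both the saving and the one case where memory is still required.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// @notice Added illustration, not Olympus project code. Names are constructed.
contract ObservationSink {
    uint256[] internal observations;
    mapping(uint256 => string) public proposalURI;

    /// Before: `memory` on an external function. Before the body runs, the ABI
    /// decoder allocates memory and copies every element out of calldata, so the
    /// cost grows with the array length even though the body only reads it.
    function initializeMemory(uint256[] memory startObservations_) external {
        for (uint256 i; i < startObservations_.length; ++i) {
            observations.push(startObservations_[i]);
        }
    }

    /// After: `calldata`. Elements are read from the transaction data in place;
    /// no allocation, no copy. The argument is read-only, which is all this needs.
    function initializeCalldata(uint256[] calldata startObservations_) external {
        for (uint256 i; i < startObservations_.length; ++i) {
            observations.push(startObservations_[i]);
        }
    }

    /// Strings behave the same way: a calldata string can be written straight
    /// to storage, so a stored-only `proposalURI_` does not need `memory`.
    function submit(uint256 id, string calldata proposalURI_) external {
        proposalURI[id] = proposalURI_;
    }

    /// The case where `memory` is still required: the body writes to the array.
    /// Calldata is read-only, so this would not compile with `calldata`. Where
    /// possible, compute the derived value instead of mutating the argument
    /// (observations.push(startObservations_[i] * scale)) and keep `calldata`.
    function initializeScaled(uint256[] memory startObservations_, uint256 scale) external {
        for (uint256 i; i < startObservations_.length; ++i) {
            startObservations_[i] *= scale;
            observations.push(startObservations_[i]);
        }
    }
}
```

Calling initializeMemory and initializeCalldata with the same array in a gas report shows the copy cost directly; the difference is proportional to the number of elements. The same change applies to the `ERC20[] memory tokens_` parameters listed above, provided the bodies only iterate over the array or pass it to helpers that themselves accept calldata.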
Open TODO comments remain in the code:

src/policies/Operator.sol
656  /// Get latest price
657: /// TODO determine if this should use the last price from the MA or recalculate the current price, ideally last price is ok since it should have been just updated and should include check against secondary?
658  /// Current price is guaranteed to be up to date, but may be a bad value if not checked?

src/policies/TreasuryCustodian.sol
50   // Anyone can call to revoke a deactivated policy's approvals.
51:  // TODO Currently allows anyone to revoke any approval EXCEPT activated policies.
52:  // TODO must reorg policy storage to be able to check for deactivated policies.
53   function revokePolicyApprovals(address policy_, ERC20[] memory tokens_) external {
55
56:      // TODO Make sure `policy_` is an actual policy and not a random address.
57