Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 38/101
Findings: 1
Award: $33.60
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
33.5953 USDC - $33.60
# | Issue | Instances
---|---|---
1 | Immutable addresses lack zero address address(0) checks | 1
2 | Missing hasNotSigned modifier check in the signAndClaim function | 1
3 | Adding a return statement when the function defines a named return variable is redundant | 1
4 | Related data should be grouped in a struct | 1
1. Immutable addresses lack zero address address(0) checks: constructors should check that the address written in an immutable address variable is not the zero address.
Instances include:
File: contracts/shutdown/redeem/TribeRedeemer.sol
```solidity
address public immutable redeemedToken;
```
Add non-zero address checks in the constructors for the instances aforementioned.
2. Missing hasNotSigned modifier check in the signAndClaim function: the function signAndClaim should have a hasNotSigned modifier check just like the signAndClaimAndRedeem function, to prevent already signed users from signing again.
Instances include:
File: contracts/shutdown/fuse/RariMerkleRedeemer.sol
Add the hasNotSigned modifier check in the function signAndClaim as follows:
```solidity
function signAndClaim(
    bytes calldata signature,
    address[] calldata cTokens,
    uint256[] calldata amounts,
    bytes32[][] calldata merkleProofs
) external override hasNotSigned nonReentrant
```
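The following is an added example that serves findings 1 and 2 together; it is not code from the audited TribeRedeemer.sol or RariMerkleRedeemer.sol. The contract name, the body of the hasNotSigned modifier, the custom errors, the `claimed` mapping and the simplified function signatures are assumptions. It shows the constructor rejecting a zero immutable address and the same sign-once guard applied to both signing entry points, which is the property the missing modifier breaks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from the audited contracts. Contract name, modifier
// body, errors and function bodies are assumptions that illustrate two QA
// points: validating an immutable address in the constructor, and applying
// the same hasNotSigned guard to every function that records a signature.
contract RedeemerExample {
    address public immutable redeemedToken;

    // A non-empty entry means the user has already signed.
    mapping(address => bytes) public userSignatures;
    // Assumed stand-in for the real claim bookkeeping.
    mapping(address => uint256) public claimed;

    error ZeroAddress();
    error AlreadySigned(address user);

    constructor(address _redeemedToken) {
        // An immutable cannot be changed after deployment, so a zero value
        // here would permanently break the contract; reject it before assignment.
        if (_redeemedToken == address(0)) revert ZeroAddress();
        redeemedToken = _redeemedToken;
    }

    // Assumed modifier. The guard only holds if it is present on every entry
    // point that stores a signature; one unguarded function is enough to let
    // a user sign a second time.
    modifier hasNotSigned() {
        if (userSignatures[msg.sender].length != 0) revert AlreadySigned(msg.sender);
        _;
    }

    // Records the signature. Verifying it against the expected signer and
    // message is omitted here; only the sign-once guard is demonstrated.
    function _sign(bytes calldata signature) internal {
        userSignatures[msg.sender] = signature;
    }

    // In the audited code the amount is validated against a merkle proof;
    // that validation is omitted in this example.
    function signAndClaim(bytes calldata signature, uint256 amount) external hasNotSigned {
        _sign(signature);
        claimed[msg.sender] += amount;
    }

    function signAndClaimAndRedeem(bytes calldata signature, uint256 amount) external hasNotSigned {
        _sign(signature);
        claimed[msg.sender] += amount;
        // Redemption of redeemedToken would follow here.
    }
}
```

Because the modifier reads the same `userSignatures` entry that `_sign` writes, any function that reaches `_sign` without the modifier lets a user overwrite an existing signature; reviewing every caller of the write path is the check that catches the inconsistency reported above.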
3. Adding a return statement when the function defines a named return variable is redundant.
Instances include:
File: contracts/shutdown/fuse/RariMerkleRedeemer.sol
```solidity
function previewRedeem(address cToken, uint256 amount)
```
The named return variable should either be removed or used instead of the final return statement, as follows:
```solidity
function previewRedeem(address cToken, uint256 amount) public view override returns (uint256 baseTokenAmount) {
    // Each ctoken exchange rate is stored as how much you should get for 1e18 of the particular cToken
    // Thus, we divide by 1e18 when returning the amount that a person should get when they provide
    // the amount of cTokens they're turning into the contract
    baseTokenAmount = (cTokenExchangeRates[cToken] * amount) / 1e18;
}
```
4. Related data should be grouped in a struct: when there are mappings that use the same key value, having separate fields is error prone, for instance in case of deletion or with future new fields.
Instances include:
File: contracts/shutdown/fuse/MultiMerkleRedeemer.sol
```solidity
mapping(address => bytes) public userSignatures;
mapping(address => mapping(address => uint256)) public redemptions;
mapping(address => mapping(address => uint256)) public claims;
```
Those mappings should be refactored into the following struct and mapping, for example:
```solidity
struct UserData {
    bytes userSignature;
    mapping(address => uint256) redemptions;
    mapping(address => uint256) claims;
}

mapping(address => UserData) public usersData;
```
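The following is an added example, not code from the audited MultiMerkleRedeemer.sol. It takes the struct suggested above and adds the two details a maintainer runs into when nesting mappings in a struct: the compiler-generated getter omits mapping members, and `delete` on the struct does not clear them. The contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from the audited contract. Contract and function
// names are assumptions; the struct and mapping follow the QA suggestion.
contract UserDataExample {
    struct UserData {
        bytes userSignature;
        mapping(address => uint256) redemptions;
        mapping(address => uint256) claims;
    }

    // The generated getter for a public mapping to a struct omits mapping
    // members, so usersData(user) returns only userSignature; the nested
    // values need explicit getters.
    mapping(address => UserData) public usersData;

    function redemptionOf(address user, address cToken) external view returns (uint256) {
        return usersData[user].redemptions[cToken];
    }

    function claimOf(address user, address cToken) external view returns (uint256) {
        return usersData[user].claims[cToken];
    }

    // All state for one user is written through a single storage pointer,
    // so a future field cannot be forgotten in one of several mappings.
    function _recordClaim(address user, bytes calldata signature, address cToken, uint256 amount) internal {
        UserData storage d = usersData[user];
        d.userSignature = signature;
        d.claims[cToken] += amount;
    }

    // `delete usersData[user]` resets userSignature but leaves both nested
    // mappings untouched, because delete has no effect on mappings. A reset
    // therefore has to clear the per-cToken entries by key.
    function _resetUser(address user, address[] calldata cTokens) internal {
        UserData storage d = usersData[user];
        delete d.userSignature;
        for (uint256 i = 0; i < cTokens.length; i++) {
            delete d.redemptions[cTokens[i]];
            delete d.claims[cTokens[i]];
        }
    }
}
```

Grouping the fields fixes the "forgotten mapping" class of bug the finding describes, but the reset path still needs the list of keys that were written, so a contract that relies on clearing user state should record those keys (or never rely on deletion) rather than assume `delete` on the struct is sufficient.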