Back to BGSecurity's contests

Frankencoin - BGSecurity's results

A decentralized and fully collateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 12/04/2023

Pot Size: $60,500 USDC

Total HM: 21

Participants: 199

Period: 7 days

Judge: hansfriese

Total Solo HM: 5

Id: 231

League: ETH

Frankencoin

Findings Distribution

Researcher Performance

Rank: 160/199

Findings: 1

Award: $22.60

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryFrankencoin

Findings Information

🌟 Selected for report: juancito

Also found by: 0xAgro, 0xNorman, 0xSmartContract, 0xStalin, 0xTheC0der, 0xWaitress, 0xhacksmithh, 0xnev, 3dgeville, 8olidity, Arz, Aymen0909, BGSecurity, BRONZEDISC, Bauchibred, Bauer, BenRai, ChainHunters, ChrisTina, CodeFoxInc, DedOhWale, DishWasher, EloiManuel, IceBear, Inspex, Jorgect, Kaysoft, LeoGold, LewisBroadhurst, Madalad, MiloTruck, MohammedRizwan, Nyx, Polaris_tow, RaymondFam, SaharDevep, SanketKogekar, Sathish9098, SolidityATL, Udsen, W0RR1O, aria, ayden, berlin-101, bin2chen, catellatech, codeslide, crc32, decade, descharre, evmboi32, eyexploit, fatherOfBlocks, georgits, giovannidisiena, joestakey, karanctf, kodyvim, ltyu, lukris02, m9800, matrix_0wl, mov, mrpathfindr, nadin, niser93, p0wd3r, parlayan_yildizlar_takimi, pavankv, pontifex, qpzm, ravikiranweb3, rbserver, santipu_, shealtielanz, slvDev, tnevler, wonjun, xmxanuel, yixxas

Awards

22.6007 USDC - $22.60

Labels

bug
grade-b
QA (Quality Assurance)
Q-86

External Links

Link to GitHub issue

Introduction

Frankencoin QA report was done by martin and anonresercher, with a main focus on the low severity and non-critical security aspects of the implementaion and logic of the project.

Findings Summary

The following issues were found, categorized by their severity:

Findings Summary

IDTitleSeverity
[L-01]Wrong checksLow
[L-02]Event not emitted for important state changeLow
[L-03]Same event was called for different actionsLow
[L-04]Position with Address(0x0) can be registeredLow
[NC-01]Misleading name and commentNon-Critical
[NC-02]Useless checkNon-Critical
[NC-03]Ownable and MathUtil should be marked as abstractNon-Critical

[L-01] Wrong checks

The second condition (totalSupply() > 0) is not in place and should be separated with a different custom error or completely removed.

main/contracts/Frankencoin.sol

84: if (_applicationPeriod < MIN_APPLICATION_PERIOD && totalSupply() > 0) revert PeriodTooShort();
85: if (_applicationFee < MIN_FEE  && totalSupply() > 0) revert FeeTooLow();

https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Frankencoin.sol

[L-02] Event not emitted for important state change

Consider adding an event for position registration (for example PositionRegistered).

main/contracts/Frankencoin.sol

125: function registerPosition(address _position) override external {

https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Frankencoin.sol

[L-03] Same event was called for different actions

constructor and initializeClone both emit the PositionOpened event which is wrong, consider adding a separate event for the initializeClone function.

https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Position.sol

[L-04] Position with Address(0x0) can be registered

Wrong data can be added by everyone in the positions mapping.

main/contracts/Frankencoin.sol

125: function registerPosition(address _position) override external {

https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Frankencoin.sol

[NC-01] Misleading name and comment

Even when the second part of the check is false the msg.sender is still a minter. Consider renaming the function and rewriting the comment.

main/contracts/Frankencoin.sol

290: /**
291: * Returns true if the address is an approved minter.
292: */
293: function isMinter(address _minter) override public view returns (bool){
294:    return minters[_minter] != 0 && block.timestamp >= minters[_minter];
295: }

isPosition is really bad naming, suggesting a boolean to be returned. Consider renaming the function.

main/contracts/Frankencoin.sol

300: function isPosition(address _position) override public view returns (address){

https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Frankencoin.sol

[NC-02] Useless check

Usage of the minterOnly modifier is recommended.

main/contracts/Frankencoin.sol

125: function registerPosition(address _position) override external {

126: if (!isMinter(msg.sender)) revert NotMinter();

https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Frankencoin.sol#L83

[NC-03] Ownable and MathUtil should be marked as abstract

Contracts must be marked as abstract because we only use their functions by inheriting the contract and not instantiating it.

https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Ownable.sol

https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/MathUtil.sol

#0 - 0xA5DF

2023-04-26T19:20:05Z

L01, L04 are wrong, the rest are NC

#1 - c4-judge

2023-05-16T16:51:02Z

hansfriese marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter