Venus Protocol Isolated Pools - BGSecurity's results

Earn, Borrow & Lend on the #1 Decentralized Money Market on the BNB Chain

General Information

Platform: Code4rena

Start Date: 08/05/2023

Pot Size: $90,500 USDC

Total HM: 17

Participants: 102

Period: 7 days

Judge: 0xean

Total Solo HM: 4

Id: 236

League: ETH

Venus Protocol

Researcher Performance

Rank: 81/102

Findings: 1

Award: $56.63

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

56.6347 USDC - $56.63

Labels

bug
grade-b
QA (Quality Assurance)
edited-by-warden
Q-41

Introduction

This Venus QA report was prepared by martin and anonresercher, with a main focus on the low-severity and non-critical security aspects of the implementation and logic of the project.

Findings Summary

The following issues were found, categorized by their severity:

ID       Title                                                          Severity
[NC-01]  Prefer battle-tested code over reimplementing common patterns  Non-Critical
[NC-02]  Redundant check                                                Non-Critical
[NC-03]  Event should be emitted for important state changes            Non-Critical
[NC-04]  Event was emitted earlier                                      Non-Critical
[NC-05]  Bad formatting                                                 Non-Critical
[NC-06]  Typos                                                          Non-Critical

[NC-01] Prefer battle-tested code over reimplementing common patterns

Replace the custom nonReentrant modifier in VToken with OpenZeppelin's ReentrancyGuard (ReentrancyGuardUpgradeable for upgradeable contracts), which provides the same nonReentrant modifier in a form that is widely deployed, well tested and gas-optimized.

[NC-02] Redundant check

The setPoolRegistry function can be called only by the owner, so it is unlikely to be called with address(0); even if that happens, the function can simply be called again with the correct address. The following zero-address checks are therefore redundant (they cost little, so this is a matter of code clarity rather than safety):

54: require(_poolRegistry != address(0), "ProtocolShareReserve: Pool registry address invalid");

111: require(shortfallContractAddress_ != address(0), "Risk Fund: Shortfall contract address invalid");

127: require(pancakeSwapRouter_ != address(0), "Risk Fund: PancakeSwap address invalid");

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/RiskFund/RiskFund.sol

[NC-03] Event should be emitted for important state changes

healAccount in Comptroller performs an important change to user state but emits no event, so the action cannot be tracked by off-chain monitoring or indexers. Consider emitting an event describing the healed account.

578: function healAccount(address user) external {

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Comptroller.sol

[NC-04] Event was emitted earlier

The AuctionRestarted event is emitted before _startAuction runs; the emit should be moved after the auction has been (re)created. Otherwise the event reports the state from before the restart (for example the previous auction.startBlock) rather than the new state, so off-chain consumers receive incorrect data.

283: emit AuctionRestarted(comptroller, auction.startBlock);

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol
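The following minimal contract is an added illustration, not Venus code, and serves both NC-01 and NC-04: it inherits OpenZeppelin's ReentrancyGuard instead of a hand-written modifier, and it places the buggy event ordering (emit before the state change) next to the corrected one. The contract name AuctionExample, the Auction struct, the function names restartAuctionBuggy/restartAuction and the AuctionRestarted signature are assumptions for the example; it assumes OpenZeppelin Contracts v4.x is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Assumption: OpenZeppelin Contracts v4.x (in v5 the file moved to utils/).
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Hypothetical contract for illustration only; not part of the Venus codebase.
contract AuctionExample is ReentrancyGuard {
    struct Auction {
        uint256 startBlock;
        uint256 highestBid;
    }

    Auction public auction;

    event AuctionRestarted(address indexed caller, uint256 startBlock);

    // Internal helper that mutates exactly the state the event describes.
    function _startAuction() internal {
        auction.startBlock = block.number;
        auction.highestBid = 0;
    }

    // Wrong ordering (the pattern NC-04 describes): the event is emitted
    // before _startAuction, so it carries the *previous* startBlock.
    // Indexers and monitoring see stale data.
    function restartAuctionBuggy() external nonReentrant {
        emit AuctionRestarted(msg.sender, auction.startBlock);
        _startAuction();
    }

    // Corrected ordering: mutate first, then emit the values actually stored.
    // nonReentrant comes from OpenZeppelin's ReentrancyGuard (NC-01).
    function restartAuction() external nonReentrant {
        _startAuction();
        emit AuctionRestarted(msg.sender, auction.startBlock);
    }
}
```

Calling restartAuctionBuggy twice in different blocks shows the problem: the second call logs the startBlock set by the first call, not the block in which the restart actually happened. With restartAuction the logged value always matches storage.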

[NC-05] Bad formatting

The NatSpec comment below has inconsistent spacing: a double space after the parameter name and no space before the parenthesis.

211: * @param comptroller  Comptroller address(pool).

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/RiskFund/RiskFund.sol

[NC-06] Typos

-- * @return proxyAddress The the Comptroller proxy address
++ * @return proxyAddress The Comptroller proxy address

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Pool/PoolRegistry.sol

#0 - c4-judge

2023-05-18T19:35:46Z

0xean marked the issue as grade-b

AuditHub

Built by malatrax © 2024