Back to BRONZEDISC's contests

Asymmetry contest - BRONZEDISC's results

A protocol to help diversify and decentralize liquid staking derivatives.

General Information

Platform: Code4rena

Start Date: 24/03/2023

Pot Size: $49,200 USDC

Total HM: 20

Participants: 246

Period: 6 days

Judge: Picodes

Total Solo HM: 1

Id: 226

League: ETH

Asymmetry Finance

Findings Distribution

Researcher Performance

Rank: 167/246

Findings: 1

Award: $13.13

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAsymmetry Finance

Findings Information

🌟 Selected for report: brgltd

Also found by: 0x3b, 0xAgro, 0xGusMcCrae, 0xNorman, 0xRajkumar, 0xSmartContract, 0xTraub, 0xWagmi, 0xWaitress, 0xffchain, 0xhacksmithh, 0xkazim, 0xnev, 3dgeville, ArbitraryExecution, Aymen0909, BRONZEDISC, Bason, Bloqarl, BlueAlder, Brenzee, CodeFoxInc, CodingNameKiki, Cryptor, DadeKuma, DevABDee, Diana, Dug, Englave, Gde, Haipls, HollaDieWaldfee, Ignite, Infect3d, Jerry0x, Josiah, Kaysoft, Koko1912, KrisApostolov, Lavishq, LeoGold, Madalad, PNS, Rappie, RaymondFam, RedTiger, Rickard, Rolezn, Sathish9098, SunSec, T1MOH, UdarTeam, Udsen, Viktor_Cortess, Wander, adriro, ak1, alejandrocovrr, alexzoid, arialblack14, ayden, bin2chen, brevis, btk, c3phas, carlitox477, catellatech, ch0bu, chaduke, ck, climber2002, codeslide, descharre, dingo2077, ernestognw, fatherOfBlocks, favelanky, georgits, helios, hl_, inmarelibero, juancito, ks__xxxxx, lopotras, lukris02, m_Rassska, mahdirostami, maxper, nadin, navinavu, nemveer, p_crypt0, peanuts, pipoca, pixpi, qpzm, rbserver, reassor, roelio, rotcivegaf, scokaf, siddhpurakaran, slvDev, smaul, tnevler, tsvetanovv, turvy_fuzz, vagrant, wen, yac, zzzitron

Awards

13.1298 USDC - $13.13

Labels

bug
grade-b
QA (Quality Assurance)
sponsor confirmed
edited-by-warden
Q-39

External Links

Link to GitHub issue

QA

Function Visibility [1]

  • Order of Functions: Ordering helps readers identify which functions they can call and to find the constructor and fallback definitions easier. Functions should be grouped according to their visibility and ordered: constructor, receive function (if exists), fallback function (if exists), public, external, internal, private. Within a grouping, place the view and pure functions last.

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol

// receive function should come before all the other functions
246:    receive() external payable {}

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/SfrxEth.sol

// public functions coming after external ones
44:    function name() public pure returns (string memory) {
111:    function ethPerDerivative(uint256 _amount) public view returns (uint256) {
122:    function balance() public view returns (uint256) {

// receive function should come before all the other functions
126:    receive() external payable {}

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol

// public functions coming after external ones
50:    function name() public pure returns (string memory) {
211:    function ethPerDerivative(uint256 _amount) public view returns (uint256) {
221:    function balance() public view returns (uint256) {


// external functions coming after private functions
107:    function withdraw(uint256 amount) external onlyOwner {
156:    function deposit() external payable onlyOwner returns (uint256) {


// receive function should come before all the other functions
244:    receive() external payable {}

natSpec missing [2]

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol

21:    event ChangeMinAmount(uint256 indexed minAmount);
22:    event ChangeMaxAmount(uint256 indexed maxAmount);
23:    event StakingPaused(bool indexed paused);
24:    event UnstakingPaused(bool indexed paused);
25:    event SetMaxSlippage(uint256 indexed index, uint256 slippage);
26:    event Staked(address indexed recipient, uint ethIn, uint safEthOut);
27:    event Unstaked(address indexed recipient, uint ethOut, uint safEthIn);
28:    event WeightChange(uint indexed index, uint weight);
29:    event DerivativeAdded(
34:    event Rebalanced();

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/WstEth.sol

// @return missing
41:    function name() public pure returns (string memory) {
73:    function deposit() external payable onlyOwner returns (uint256) {
93:    function balance() public view returns (uint256) {

// @param missing
48:    function setMaxSlippage(uint256 _slippage) external onlyOwner {
56:    function withdraw(uint256 _amount) external onlyOwner {

// @param and @return missing
86:    function ethPerDerivative(uint256 _amount) public view returns (uint256) {

97:    receive() external payable {}

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/SfrxEth.sol

// @return missing
44:    function name() public pure returns (string memory) {
94:    function deposit() external payable onlyOwner returns (uint256) {
122:    function balance() public view returns (uint256) {

// @param missing
51:    function setMaxSlippage(uint256 _slippage) external onlyOwner {

// @param and @return missing
111:    function ethPerDerivative(uint256 _amount) public view returns (uint256) {

126:    receive() external payable {}

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol

// @return missing
50:    function name() public pure returns (string memory) {
83:    function swapExactInputSingleHop(

// @return missing
66:    function rethAddress() private view returns (address) {
107:    function withdraw(uint256 amount) external onlyOwner {
120:    function poolCanDeposit(uint256 _amount) private view returns (bool) {
156:    function deposit() external payable onlyOwner returns (uint256) {
211:    function ethPerDerivative(uint256 _amount) public view returns (uint256) {
221:    function balance() public view returns (uint256) {
228:    function poolPrice() private view returns (uint256) {


244:    receive() external payable {}

State variable and function names [3]

  • Variables should be named according to their specifications
  • private and internal variables should preppend with underline
  • private and internal functions should preppend with underline
  • constant state variables should be UPPER_CASE

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol

// private and internal `functions` should preppend with `underline`
66:    function rethAddress() private view returns (address) {
83:    function swapExactInputSingleHop(
120:    function poolCanDeposit(uint256 _amount) private view returns (bool) {
228:    function poolPrice() private view returns (uint256) {

Version [4]

  • Pragma versions should be standardized and avoid floating pragma ( ^ ).

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEthStorage.sol

// lose the caret ^ for safer code
2:  pragma solidity ^0.8.13;

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol

// lose the caret ^ for safer code
2:  pragma solidity ^0.8.13;

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/WstEth.sol

// lose the caret ^ for safer code
2:  pragma solidity ^0.8.13;

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/SfrxEth.sol

// lose the caret ^ for safer code
2:  pragma solidity ^0.8.13;

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/WstEth.sol

// lose the caret ^ for safer code
2:  pragma solidity ^0.8.13;

Observations [5]

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol

// The @notice is incorrect as this does not add a new derivative but adjusts the weight
158:        @notice - Adds new derivative to the index fund

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEthStorage.sol

// little typo here, should be "true if unstaking is paused"
17:    bool public pauseUnstaking; // true if unstaking is pause

Initialized variables with default value [6]

  • Variables are default initialized with 0 for uint / int, 0x0 for address and false for bool

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol

// these are redundant and cost more gas
68:        uint256 underlyingValue = 0;
83:        uint256 totalStakeValueEth = 0; // total amount of derivatives worth of ETH in system
190:        uint256 localTotalWeight = 0;

#0 - c4-sponsor

2023-04-10T19:27:34Z

elmutt marked the issue as sponsor confirmed

#1 - c4-judge

2023-04-24T18:52:03Z

Picodes marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter