Platform: Code4rena
Start Date: 18/10/2023
Pot Size: $36,500 USDC
Total HM: 17
Participants: 77
Period: 7 days
Judge: MiloTruck
Total Solo HM: 5
Id: 297
League: ETH
Rank: 21/77
Findings: 3
Award: $266.87
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: falconhoof
Also found by: 0x6d6164616e, Baki, Beosin, Krace, T1MOH, bitsurfer, immeas, pep7siup, tnquanghuy0512, twicek
90.3185 USDC - $90.32
The protocol has a feature to auction the surplus amount and send some % out of that to extraSurplusReceiver but currently this % always less than 1% which limits the amount extraSurplusReceiver can get out of the surplus
we believe this check is incorrect if(_params.surplusTransferPercentage > WAD) revert AccEng_surplusTransferPercentOverLimit(); since this basically means that surplusTransferPercentage cannot be more than 1% thereby adding an unnecessary restriction in the protocol
manual review
change this check if(_params.surplusTransferPercentage > WAD) revert AccEng_surplusTransferPercentOverLimit(); to if(_params.surplusTransferPercentage > ONE_HUNDRED_WAD) revert AccEng_surplusTransferPercentOverLimit();
Invalid Validation
#0 - c4-pre-sort
2023-10-26T17:05:25Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2023-10-26T17:05:40Z
raymondfam marked the issue as duplicate of #26
#2 - c4-judge
2023-11-03T14:00:46Z
MiloTruck marked the issue as partial-50
#3 - c4-judge
2023-11-03T14:00:53Z
MiloTruck marked the issue as satisfactory
#4 - MiloTruck
2023-11-03T14:01:26Z
Partial credit as this report didn't point out how using ONE_HUNDRED_WAD in percentage calculations results in _amountToSell becoming massively inflated.
#5 - c4-judge
2023-11-03T14:07:02Z
MiloTruck changed the severity to 3 (High Risk)
#6 - c4-judge
2023-11-03T16:47:44Z
MiloTruck marked the issue as partial-50
🌟 Selected for report: tnquanghuy0512
Also found by: 0xprinc, Baki, COSMIC-BEE-REACH, MrPotatoMagic, Tendency
168.2507 USDC - $168.25
https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/proxies/ODSafeManager.sol#L112 https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/proxies/SAFEHandler.sol#L11
The ODSafeManager has a mapping handlerCan where according to the docs the key is the SAFEHandler contract address but first of all, there is no access control check that msg.sender in allowHandler is an existing SAFEHandler contract and secondly SAFEHandler has no method to call allowHandler method in safe manager which means anyone can update the mapping and handlerCan is used in a modifier handlerAllowed which is used for access control in various methods involving safe related operations like quitSystem & enterSystem and hence this breaks the access control check in these functions
there is no method to call allowHandler in SAFEHandler and secondly alice can call allowHandler and pass any arbitary address there even her own address as the _usr argument and break the handler access control
manaual review
add a method allowHandler in SAFEHandler that can only be called by the owner of the safe and also add access control check in allowHandler that msg.sender is a valid safe by passing an extra safeOwner address in the method to verify that
Access Control
#0 - c4-pre-sort
2023-10-26T17:22:48Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2023-10-26T17:22:59Z
raymondfam marked the issue as duplicate of #76
#2 - c4-pre-sort
2023-10-26T19:04:56Z
raymondfam marked the issue as duplicate of #380
#3 - c4-judge
2023-11-02T18:24:45Z
MiloTruck marked the issue as not a duplicate
#4 - c4-judge
2023-11-02T18:24:57Z
MiloTruck marked the issue as duplicate of #297
#5 - c4-judge
2023-11-02T18:53:37Z
MiloTruck marked the issue as satisfactory
🌟 Selected for report: MrPotatoMagic
Also found by: 0xMosh, 0xPsuedoPandit, 0xhacksmithh, 8olidity, Al-Qa-qa, Baki, Bughunter101, Krace, Stormreckson, T1MOH, Tendency, eeshenggoh, fibonacci, hals, immeas, kutugu, lsaudit, m4k2, mrudenko, okolicodes, phoenixV110, spark, twicek, xAriextz
8.3007 USDC - $8.30
https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/proxies/Vault721.sol#L56 https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/proxies/Vault721.sol#L63
There is no access control while initialising safe manager & nftRenderer so mev bots can monitor the deployment of Vault721 contract and initialise both safe manager & nftRenderer with malicious addresses and brick the protocol until the governer can update the addresses
The mev bot can have the following contracts set as safe manager and NFT renderer
contract MaliciousManager {} contract MaliciosNFTRenderer {}
now this would mean that no one would be able to mint a safe since there is no transferSAFEOwnership method until the governer updates the addresses
manual review
add access control in the initialize methods and hence add onlyGovernor modifier there too so avoid any sort of hindrance to the protocol
Access Control
#0 - c4-pre-sort
2023-10-26T17:50:20Z
raymondfam marked the issue as low quality report
#1 - c4-pre-sort
2023-10-26T17:50:28Z
raymondfam marked the issue as duplicate of #16
#2 - c4-judge
2023-11-01T20:00:25Z
MiloTruck changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-11-03T17:53:31Z
MiloTruck marked the issue as grade-b