Mimo August 2022 contest - Bnke0x0's results

Bridging the chasm between the DeFi world and the world of regulated financial institutions.

General Information

Platform: Code4rena

Start Date: 02/08/2022

Pot Size: $50,000 USDC

Total HM: 12

Participants: 69

Period: 5 days

Judge: gzeon

Total Solo HM: 5

Id: 150

League: ETH

Mimo DeFi

Findings Distribution

Researcher Performance

Rank: 4/69

Findings: 3

Award: $3,550.66

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: bin2chen

Also found by: Bnke0x0

Labels

bug
duplicate
3 (High Risk)

Awards

3421.7489 USDC - $3,421.75

External Links

Lines of code

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMORebalance.sol#L129#L132

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOLeverage.sol#L130

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOEmptyVault.sol#L96

Vulnerability details

Impact

Users may accidentally overpay in register() / renew() and the excess will be paid to the vault creator.

Proof of Concept

  1. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 129-132):

    require( a.vaultsData().vaultCollateralBalance(rbData.vaultId) >= flashloanRepayAmount, Errors.CANNOT_REPAY_FLASHLOAN );

  2. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 130):

    require(collateralBalanceAfter >= flashloanRepayAmount, Errors.CANNOT_REPAY_FLASHLOAN);

  3. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 96):

    require(flashloanRepayAmount <= vaultCollateral.balanceOf(address(this)), Errors.CANNOT_REPAY_FLASHLOAN);

Consider changing >= to ==

  1. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 129-132):

    require( a.vaultsData().vaultCollateralBalance(rbData.vaultId) == flashloanRepayAmount, Errors.CANNOT_REPAY_FLASHLOAN );

  2. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 130):

    require(collateralBalanceAfter == flashloanRepayAmount, Errors.CANNOT_REPAY_FLASHLOAN);

  3. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 96):

    require(flashloanRepayAmount == vaultCollateral.balanceOf(address(this)), Errors.CANNOT_REPAY_FLASHLOAN);

#0 - RayXpub

2022-08-10T12:12:46Z

Valid only for MIMOEmptyVault as Rebalance will leave excess in vault, Leverage will deposit it back. Also duplicate of #18.

[L-01] initialize functions can be front-run:-

  1. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 29):

    function initialize() external initializer {

  2. File: 2022-08-mimo/contracts/proxy/MIMOProxyFactory.sol (line 47):

    proxy.initialize();

  3. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxy.sol (line 17):

    function initialize() external;

[L-02] Use of floating pragma (Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.):-

  1. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxy.sol (line 2):

    pragma solidity ^0.8.4;

  2. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxyFactory.sol (line 2):

    pragma solidity ^0.8.4;

  3. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxyRegistry.sol (line 2):

    pragma solidity ^0.8.4;

[L-03] Unused/empty receive()/fallback() function:-

  1. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 38):

    receive() external payable {}

[N-01] Adding a return statement when the function defines a named return variable, is redundant:-

  1. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 153):

    return _getAmounts(_automatedVaults[vaultId], vaultState, toCollateral);

  2. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedAction.sol (line 108):

    return (vaultRatio);

  3. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 146):

    return results;

[N-02] require()/revert() statements should have descriptive reason strings:-

  1. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 47):

    require(proxy != address(0), Errors.INVALID_AGGREGATOR);

  2. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 48):

    require(router != address(0), Errors.INVALID_AGGREGATOR);

  3. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 59):

    revert(add(32, response), returndata_size)

  4. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 62):

    revert(Errors.AGGREGATOR_CALL_FAILED);

  5. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 129-132):

    require( a.vaultsData().vaultCollateralBalance(rbData.vaultId) >= flashloanRepayAmount, Errors.CANNOT_REPAY_FLASHLOAN );

  6. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 130):

    require(collateralBalanceAfter >= flashloanRepayAmount, Errors.CANNOT_REPAY_FLASHLOAN);

  7. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 96):

    require(flashloanRepayAmount <= vaultCollateral.balanceOf(address(this)), Errors.CANNOT_REPAY_FLASHLOAN);

  8. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 95):

    revert(add(32, response), returndata_size)

  9. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 138):

    revert(add(32, response), returndata_size)

[N-03] constants should be defined rather than using magic numbers:-

  1. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 180):

    uint256 targetRatio = autoVault.targetRatio + 1e15; // add 0.1% to account for rounding

  2. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 30):

    minGasReserve = 5_000;

[N-04] Event is missing indexed fields:-

  1. File: 2022-08-mimo/contracts/actions/managed/interfaces/IMIMOManagedAction.sol (line 22):

    event ManagerSet(address manager, bool isManager);

  2. File: 2022-08-mimo/contracts/actions/managed/interfaces/IMIMOManagedAction.sol (line 23):

    event ManagementSet(uint256 vaultId, ManagedVault managedVault);

  3. File: 2022-08-mimo/contracts/actions/automated/interfaces/IMIMOAutoAction.sol (line 25):

    event AutomationSet(uint256 vaultId, AutomatedVault autoVault);

  4. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxy.sol (line 11):

    event Execute(address indexed target, bytes data, bytes response);

  5. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxyFactory.sol (line 11):

    event DeployProxy(address indexed deployer, address indexed owner, address proxy);

[N-05] Use of sensitive/non-inclusive terms:-

  1. File: 2022-08-mimo/contracts/actions/managed/interfaces/IMIMOManagedAction.sol (line 13):

    bool isManaged;

  2. File: 2022-08-mimo/contracts/actions/automated/interfaces/IMIMOAutoAction.sol (line 9):

    bool isAutomated;

  3. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 78):

    bool success;

  4. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 108):

    bool permission

  5. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxy.sol (line 67):

    bool permission

[N-06] public functions not called by the contract should be declared external instead:-

  1. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 54):

    function execute(address target, bytes calldata data) public payable override returns (bytes memory response) {

  2. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 104-109):

    function setPermission( address envoy, address target, bytes4 selector, bool permission ) public override {

  3. File: 2022-08-mimo/contracts/proxy/MIMOProxyFactory.sol (line 45):

    function deployFor(address owner) public override returns (IMIMOProxy proxy) {

  4. File: 2022-08-mimo/contracts/proxy/MIMOProxyRegistry.sol (line 45):

    function deployFor(address owner) public override returns (IMIMOProxy proxy) {

[N-07] Non-library/interface files should use fixed compiler versions, not floating ones:-

  1. File: 2022-08-mimo/contracts/actions/MIMOVaultActions.sol (line 3):

    pragma solidity 0.8.10;

  2. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 2):

    pragma solidity 0.8.10;

  3. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 2):

    pragma solidity 0.8.10;

  4. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 2):

    pragma solidity 0.8.10;

  5. File: 2022-08-mimo/contracts/actions/MIMOFlashloan.sol (line 2):

    pragma solidity 0.8.10;

  6. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 2):

    pragma solidity 0.8.10;

  7. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoAction.sol (line 2):

    pragma solidity 0.8.10;

  8. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 2):

    pragma solidity 0.8.10;

  9. File: 2022-08-mimo/contracts/actions/automated/interfaces/IMIMOAutoAction.sol (line 2):

    pragma solidity 0.8.10;

  10. File: 2022-08-mimo/contracts/actions/automated/interfaces/IMIMOAutoRebalance.sol (line 2):

    pragma solidity 0.8.10;

  11. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOEmptyVault.sol (line 2):

    pragma solidity 0.8.10;

  12. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOFlashloan.sol (line 2):

    pragma solidity 0.8.10;

  13. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOLeverage.sol (line 2):

    pragma solidity 0.8.10;

  14. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOProxyAction.sol (line 2):

    pragma solidity 0.8.10;

  15. File: 2022-08-mimo/contracts/actions/interfaces/IMIMORebalance.sol (line 2):

    pragma solidity 0.8.10;

  16. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOSwap.sol (line 2):

    pragma solidity 0.8.10;

  17. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOVaultActions.sol (line 2):

    pragma solidity 0.8.10;

  18. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedAction.sol (line 2):

    pragma solidity 0.8.10;

  19. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedRebalance.sol (line 2):

    pragma solidity 0.8.10;

  20. File: 2022-08-mimo/contracts/actions/managed/interfaces/IMIMOManagedAction.sol (line 2):

    pragma solidity 0.8.10;

  21. File: 2022-08-mimo/contracts/actions/managed/interfaces/IMIMOManagedRebalance.sol (line 2):

    pragma solidity 0.8.10;

  22. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 2):

    pragma solidity 0.8.4;

  23. File: 2022-08-mimo/contracts/proxy/MIMOProxyFactory.sol (line 2):

    pragma solidity >=0.8.4;

  24. File: 2022-08-mimo/contracts/proxy/MIMOProxyRegistry.sol (line 2):

    pragma solidity >=0.8.4;

  25. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxy.sol (line 2):

    pragma solidity >=0.8.4;

  26. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxyFactory.sol (line 2):

    pragma solidity ^0.8.4;

  27. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxyRegistry.sol (line 2):

    pragma solidity ^0.8.4;

[N-08] Unneeded import:-

  1. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 11):

    import "../../libraries/WadRayMath.sol";

  2. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedAction.sol (line 7):

    import "../../libraries/WadRayMath.sol";

  3. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedRebalance.sol (line 10):

    import "../../libraries/WadRayMath.sol";

[N-09] Use a more recent version of solidity (Use a solidity version of at least 0.8.13 to get the ability to use using for with a list of free functions):-

  1. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 2):

    pragma solidity 0.8.10;

  2. File: 2022-08-mimo/contracts/actions/MIMOFlashloan.sol (line 2):

    pragma solidity 0.8.10;

  3. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 2):

    pragma solidity 0.8.10;

  4. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 2):

    pragma solidity 0.8.10;

  5. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 2):

    pragma solidity 0.8.10;

  6. File: 2022-08-mimo/contracts/actions/MIMOVaultActions.sol (line 3):

    pragma solidity 0.8.10;

  7. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 2):

    pragma solidity 0.8.10;

  8. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 2):

    pragma solidity 0.8.10;

  9. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedAction.sol (line 2):

    pragma solidity 0.8.10;

  10. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedRebalance.sol (line 2):

    pragma solidity 0.8.10;

  11. File: 2022-08-mimo/contracts/proxy/MIMOProxyFactory.sol (line 2):

    pragma solidity >=0.8.4;

[N-10] Interfaces should be moved to separate files:-

  1. File: 2022-08-mimo/contracts/actions/managed/interfaces/IMIMOManagedAction.sol (line 11):

    interface IMIMOManagedAction {

  2. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOFlashloan.sol (line 10):

    interface IMIMOFlashloan {

  3. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOProxyAction.sol (line 4):

    interface IMIMOProxyAction {

  4. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOSwap.sol (line 6):

    interface IMIMOSwap {

  5. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOVaultActions.sol (line 8):

    interface IMIMOVaultActions {

  6. File: 2022-08-mimo/contracts/actions/automated/interfaces/IMIMOAutoAction.sol (line 7):

    interface IMIMOAutoAction {

  7. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxy.sol (line 6):

    interface IMIMOProxy {

  8. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxyFactory.sol (line 8):

    interface IMIMOProxyFactory {

  9. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedAction.sol (line 10):

    interface IMIMOProxyRegistry {

[N-11] Constant redefined elsewhere:-

  1. File: 2022-08-mimo/contracts/actions/MIMOVaultActions.sol (line 19-21):

    IVaultsCore public immutable core; IVaultsDataProvider public immutable vaultsData; IERC20 public immutable stablex;

  2. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 19-20):

    IAddressProvider public immutable a; IDexAddressProvider public immutable dexAP;

  3. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 17):

    IMIMOProxyRegistry public immutable proxyRegistry;

  4. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 17):

    IMIMOProxyRegistry public immutable proxyRegistry;

  5. File: 2022-08-mimo/contracts/actions/MIMOFlashloan.sol (line 18):

    IPool public immutable lendingPool;

  6. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 17):

    IMIMOProxyRegistry public immutable proxyRegistry;

  7. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedRebalance.sol (line 20):

    address public immutable mimoRebalance;

  8. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedAction.sol (line 12-13):

    IAddressProvider public immutable a; IMIMOProxyRegistry public immutable proxyRegistry;

  9. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoAction.sol (line 12-13):

    IAddressProvider public immutable a; IMIMOProxyRegistry public immutable proxyRegistry;

  10. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 27):

    address public immutable mimoRebalance;

  11. File: 2022-08-mimo/contracts/proxy/MIMOProxyFactory.sol (line 16):

    address public immutable mimoProxyBase;

[G-01] <array>.length should not be looked up in every loop of a for-loop:-

  1. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 132):

    for (uint256 i = 0; i < targets.length; i++) {

[G-02] ++i costs less gas than i++, especially when it’s used in for-loops (--i/i-- too):-

  1. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 132):

    for (uint256 i = 0; i < targets.length; i++) {

[G-03] Not using the named return variables when a function returns, wastes deployment gas:-

  1. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 153):

    return _getAmounts(_automatedVaults[vaultId], vaultState, toCollateral);

  2. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedAction.sol (line 108):

    return (vaultRatio);

  3. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 146):

    return results;

[G-04] It costs more gas to initialize variables to zero than to let the default of zero be applied:-

  1. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 132):

    for (uint256 i = 0; i < targets.length; i++) {

[G-05] require() or revert() statements that check input arguments should be at the top of the function:-

  1. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 47):

    require(proxy != address(0), Errors.INVALID_AGGREGATOR);

  2. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 48):

    require(router != address(0), Errors.INVALID_AGGREGATOR);

  3. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 59):

    revert(add(32, response), returndata_size)

  4. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 62):

    revert(Errors.AGGREGATOR_CALL_FAILED);

  5. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 129-132):

    require( a.vaultsData().vaultCollateralBalance(rbData.vaultId) >= flashloanRepayAmount, Errors.CANNOT_REPAY_FLASHLOAN );

  6. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 130):

    require(collateralBalanceAfter >= flashloanRepayAmount, Errors.CANNOT_REPAY_FLASHLOAN);

  7. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 96):

    require(flashloanRepayAmount <= vaultCollateral.balanceOf(address(this)), Errors.CANNOT_REPAY_FLASHLOAN);

  8. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 95):

    revert(add(32, response), returndata_size)

  9. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 138):

    revert(add(32, response), returndata_size)

[G-06] Use custom errors rather than revert()/require() strings to save deployment gas:-

  1. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 47):

    require(proxy != address(0), Errors.INVALID_AGGREGATOR);

  2. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 48):

    require(router != address(0), Errors.INVALID_AGGREGATOR);

  3. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 59):

    revert(add(32, response), returndata_size)

  4. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 62):

    revert(Errors.AGGREGATOR_CALL_FAILED);

  5. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 129-132):

    require( a.vaultsData().vaultCollateralBalance(rbData.vaultId) >= flashloanRepayAmount, Errors.CANNOT_REPAY_FLASHLOAN );

  6. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 130):

    require(collateralBalanceAfter >= flashloanRepayAmount, Errors.CANNOT_REPAY_FLASHLOAN);

  7. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 96):

    require(flashloanRepayAmount <= vaultCollateral.balanceOf(address(this)), Errors.CANNOT_REPAY_FLASHLOAN);

  8. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 95):

    revert(add(32, response), returndata_size)

  9. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 138):

    revert(add(32, response), returndata_size)

[G-07] Use a more recent version of solidity:-

  1. File: 2022-08-mimo/contracts/actions/MIMOVaultActions.sol (line 3):

    pragma solidity 0.8.10;

  2. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 2):

    pragma solidity 0.8.10;

  3. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 2):

    pragma solidity 0.8.10;

  4. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 2):

    pragma solidity 0.8.10;

  5. File: 2022-08-mimo/contracts/actions/MIMOFlashloan.sol (line 2):

    pragma solidity 0.8.10;

  6. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 2):

    pragma solidity 0.8.10;

  7. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoAction.sol (line 2):

    pragma solidity 0.8.10;

  8. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 2):

    pragma solidity 0.8.10;

  9. File: 2022-08-mimo/contracts/actions/automated/interfaces/IMIMOAutoAction.sol (line 2):

    pragma solidity 0.8.10;

  10. File: 2022-08-mimo/contracts/actions/automated/interfaces/IMIMOAutoRebalance.sol (line 2):

    pragma solidity 0.8.10;

  11. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOEmptyVault.sol (line 2):

    pragma solidity 0.8.10;

  12. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOFlashloan.sol (line 2):

    pragma solidity 0.8.10;

  13. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOLeverage.sol (line 2):

    pragma solidity 0.8.10;

  14. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOProxyAction.sol (line 2):

    pragma solidity 0.8.10;

  15. File: 2022-08-mimo/contracts/actions/interfaces/IMIMORebalance.sol (line 2):

    pragma solidity 0.8.10;

  16. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOSwap.sol (line 2):

    pragma solidity 0.8.10;

  17. File: 2022-08-mimo/contracts/actions/interfaces/IMIMOVaultActions.sol (line 2):

    pragma solidity 0.8.10;

  18. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedAction.sol (line 2):

    pragma solidity 0.8.10;

  19. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedRebalance.sol (line 2):

    pragma solidity 0.8.10;

  20. File: 2022-08-mimo/contracts/actions/managed/interfaces/IMIMOManagedAction.sol (line 2):

    pragma solidity 0.8.10;

  21. File: 2022-08-mimo/contracts/actions/managed/interfaces/IMIMOManagedRebalance.sol (line 2):

    pragma solidity 0.8.10;

  22. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 2):

    pragma solidity 0.8.4;

  23. File: 2022-08-mimo/contracts/proxy/MIMOProxyFactory.sol (line 2):

    pragma solidity >=0.8.4;

  24. File: 2022-08-mimo/contracts/proxy/MIMOProxyRegistry.sol (line 2):

    pragma solidity >=0.8.4;

  25. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxy.sol (line 2):

    pragma solidity >=0.8.4;

  26. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxyFactory.sol (line 2):

    pragma solidity ^0.8.4;

  27. File: 2022-08-mimo/contracts/proxy/interfaces/IMIMOProxyRegistry.sol (line 2):

    pragma solidity ^0.8.4;

[G-08] >= costs less gas than >:-

  1. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 135):

    if (fee > 0) {

[G-09] Using private rather than public for constants, saves gas:-

  1. File: 2022-08-mimo/contracts/proxy/MIMOProxyFactory.sol (line 19):

    uint256 public constant override VERSION = 1;

[G-10] Empty blocks should be removed or emit something:-

  1. File: 2022-08-mimo/contracts/actions/MIMOFlashloan.sol (line 44):

    ) external virtual override returns (bool) {}

  2. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 38):

    receive() external payable {}

[G-11] internal functions only called once can be inlined to save gas:-

  1. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoAction.sol (line 74):

    function _getVaultStats(uint256 vaultId) internal view returns (uint256 vaultRatio, VaultState memory vaultState) {

  2. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedAction.sol (line 92):

    function _getVaultRatio(uint256 vaultId) internal view returns (uint256) {

[G-12] Using bools for storage incurs overhead:-

  1. File: 2022-08-mimo/contracts/actions/automated/interfaces/IMIMOAutoAction.sol (line 9):

    bool isAutomated;

  2. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedAction.sol (line 17):

    mapping(address => bool) internal _managers;

  3. File: 2022-08-mimo/contracts/actions/managed/interfaces/IMIMOManagedAction.sol (line 13):

    bool isManaged;

  4. File: 2022-08-mimo/contracts/actions/managed/interfaces/IMIMOManagedAction.sol (line 22):

    event ManagerSet(address manager, bool isManager);

  5. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 24):

    mapping(address => mapping(address => mapping(bytes4 => bool))) internal _permissions;

  6. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 78):

    bool success;

  7. File: 2022-08-mimo/contracts/proxy/MIMOProxyFactory.sol (line 24):

    mapping(address => bool) internal _proxies;

[G-13] abi.encode() is less efficient than abi.encodePacked():-

  1. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 49):

    bytes memory params = abi.encode(msg.sender, rbData, swapData);

  2. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 54):

    bytes memory params = abi.encode(msg.sender, swapAmount, swapData);

  3. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 49):

    bytes memory params = abi.encode(msg.sender, vaultId, swapData);

  4. File: 2022-08-mimo/contracts/actions/managed/interfaces/IMIMOManagedAction.sol (line 22):

    event ManagerSet(address manager, bool isManager);

  5. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 24):

    mapping(address => mapping(address => mapping(bytes4 => bool))) internal _permissions;

  6. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 73):

    _takeFlashLoan(flData, abi.encode(vaultOwner, autoFee, rbData, swapData));

  7. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedRebalance.sol (line 65):

    _takeFlashLoan(flData, abi.encode(vaultsData.vaultOwner(rbData.vaultId), managerFee, rbData, swapData));

[G-14] Using calldata instead of memory for read-only arguments in external functions saves gas:-

  1. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 64-66):

    address[] calldata assets, uint256[] calldata amounts, uint256[] calldata premiums,

  2. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 69-71):

    address[] calldata assets, uint256[] calldata amounts, uint256[] calldata premiums,

  3. File: 2022-08-mimo/contracts/actions/MIMOFlashloan.sol (line 39-41):

    address[] calldata assets, uint256[] calldata amounts, uint256[] calldata premiums,

  4. File: 2022-08-mimo/contracts/actions/MIMOFlashloan.sol (line 52-54):

    address[] memory assets = new address[](1); uint256[] memory amounts = new uint256[](1); uint256[] memory modes = new uint256[](1);event ManagerSet(address manager, bool isManager);

  5. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 91-93):

    address[] calldata assets, uint256[] calldata amounts, uint256[] calldata premiums,

  6. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 64-66):

    address[] calldata assets, uint256[] calldata amounts, uint256[] calldata premiums,

  7. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedRebalance.sol (line 18-20):

    address[] calldata assets, uint256[] calldata amounts, uint256[] calldata premiums,

  8. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedRebalance.sol (line 91-94):

    address[] calldata assets, uint256[] calldata amounts, uint256[] calldata premiums,

[G-15] abi.encode() is less efficient than abi.encodePacked():-

  1. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 49):

    bytes memory params = abi.encode(msg.sender, rbData, swapData);

  2. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 54):

    bytes memory params = abi.encode(msg.sender, swapAmount, swapData);

  3. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 49):

    bytes memory params = abi.encode(msg.sender, vaultId, swapData);

  4. File: 2022-08-mimo/contracts/actions/managed/interfaces/IMIMOManagedAction.sol (line 22):

    event ManagerSet(address manager, bool isManager);

  5. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 24):

    mapping(address => mapping(address => mapping(bytes4 => bool))) internal _permissions;

  6. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 73):

    _takeFlashLoan(flData, abi.encode(vaultOwner, autoFee, rbData, swapData));

  7. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedRebalance.sol (line 65):

    _takeFlashLoan(flData, abi.encode(vaultsData.vaultOwner(rbData.vaultId), managerFee, rbData, swapData));

[G-16] Amounts should be checked for 0 before calling a transfer:-

  1. File: 2022-08-mimo/contracts/actions/MIMOEmptyVault.sol (line 128):

    vaultCollateral.safeTransfer(msg.sender, withdrawAmount);

  2. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 51):

    IERC20(flData.asset).safeTransferFrom(msg.sender, address(this), depositAmount);

  3. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 137):

    token.safeTransfer(msg.sender, flashloanRepayAmount);

  4. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 134):

    fromCollateral.safeTransfer(msg.sender, flashloanRepayAmount);

  5. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 136):

    IERC20(a.stablex()).safeTransfer(msg.sender, fee);

  6. File: 2022-08-mimo/contracts/actions/MIMOVaultActions.sol (line 48):

    collateral.safeTransferFrom(msg.sender, address(this), amount);

  7. File: 2022-08-mimo/contracts/actions/MIMOVaultActions.sol (line 71):

    collateral.safeTransferFrom(msg.sender, address(this), depositAmount);

  8. File: 2022-08-mimo/contracts/actions/managed/MIMOManagedRebalance.sol (line 79):

    IERC20(a.stablex()).safeTransfer(managedVault.manager, managerFee);

  9. File: 2022-08-mimo/contracts/actions/automated/MIMOAutoRebalance.sol (line 78):

    IERC20(a.stablex()).safeTransfer(msg.sender, autoFee);

[G-17] Use != 0 instead of > 0:-

  1. File: 2022-08-mimo/contracts/actions/MIMOLeverage.sol (line 50):

    if (depositAmount > 0) {

  2. File: 2022-08-mimo/contracts/actions/MIMORebalance.sol (line 135):

    if (fee > 0) {

  3. File: 2022-08-mimo/contracts/actions/MIMOSwap.sol (line 56):

    if (response.length > 0) {

  4. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 92):

    if (response.length > 0) {

  5. File: 2022-08-mimo/contracts/proxy/MIMOProxy.sol (line 135):

    if (response.length > 0) {
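
The compiler-version findings above ([L-02], [N-07]) lend themselves to a repeatable check. The following is an added example, not part of the researcher's submission or the Mimo code base: a script that classifies each file's `pragma solidity` specifier as pinned or floating and reports what a CI gate would reject. The file bodies in `SAMPLE_SOURCES` are constructed (only the pragma lines are as quoted in the findings), and treating differing pinned versions as a failure is an assumed policy.

```python
import re

# Captures the version specifier of every `pragma solidity ...;` directive.
PRAGMA_RE = re.compile(r"^[ \t]*pragma\s+solidity\s+([^;]+);", re.MULTILINE)
# A pinned pragma names exactly one version, optionally written as `=x.y.z`.
PINNED_RE = re.compile(r"=?\s*(\d+\.\d+\.\d+)")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
LINE_COMMENT_RE = re.compile(r"//[^\n]*")


def classify(spec):
    """Return ('pinned', version) or ('floating', spec) for one specifier."""
    spec = spec.strip()
    match = PINNED_RE.fullmatch(spec)
    if match:
        return ("pinned", match.group(1))
    # Anything with ^, ~, >, <, ranges or wildcards lets the compiler float.
    return ("floating", spec)


def audit_pragmas(sources):
    """sources maps path -> Solidity source text; returns a report dict."""
    report = {"floating": {}, "pinned": {}, "missing": []}
    for path in sorted(sources):
        # Drop comments first so a commented-out pragma is not counted.
        code = LINE_COMMENT_RE.sub("", BLOCK_COMMENT_RE.sub("", sources[path]))
        specs = PRAGMA_RE.findall(code)
        if not specs:
            report["missing"].append(path)
            continue
        for spec in specs:
            kind, value = classify(spec)
            if kind == "floating":
                report["floating"][path] = value
            else:
                report["pinned"].setdefault(value, []).append(path)
    return report


def ci_failures(report):
    """Turn a report into the list of messages a CI gate would fail on."""
    failures = [f"{p}: floating pragma '{s}'" for p, s in report["floating"].items()]
    failures += [f"{p}: no solidity pragma" for p in report["missing"]]
    # Assumed policy: one pinned compiler version for the whole deployment.
    if len(report["pinned"]) > 1:
        versions = ", ".join(sorted(report["pinned"]))
        failures.append(f"pinned compiler versions differ across files: {versions}")
    return failures


# Constructed sample: file bodies are placeholders, pragma lines as quoted above.
SAMPLE_SOURCES = {
    "contracts/actions/MIMORebalance.sol": (
        "// SPDX-License-Identifier: MIT\n"
        "// pragma solidity ^0.8.0;  (constructed commented-out line)\n"
        "pragma solidity 0.8.10;\n"
        "contract MIMORebalance {}\n"
    ),
    "contracts/proxy/MIMOProxy.sol": "pragma solidity 0.8.4;\ncontract MIMOProxy {}\n",
    "contracts/proxy/MIMOProxyFactory.sol": (
        "pragma solidity >=0.8.4;\ncontract MIMOProxyFactory {}\n"
    ),
    "contracts/proxy/interfaces/IMIMOProxyFactory.sol": (
        "pragma solidity ^0.8.4;\ninterface IMIMOProxyFactory {}\n"
    ),
}

if __name__ == "__main__":
    for message in ci_failures(audit_pragmas(SAMPLE_SOURCES)):
        print(message)
```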