Platform: Code4rena
Start Date: 31/03/2022
Pot Size: $75,000 USDC
Total HM: 7
Participants: 42
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 5
Id: 102
League: ETH
Rank: 31/42
Findings: 1
Award: $125.78
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rayn
Also found by: 0xDjango, 0xkatana, 0xkowloon, BouSalman, CertoraInc, Dravee, Funen, Hawkeye, IllIllI, Jujic, Kenshin, Kthere, Meta0xNull, Sleepy, TerrierLover, async, aysha, berndartmueller, catchup, cccz, cmichel, csanuragjain, danb, defsec, georgypetrov, hake, hubble, kenta, kyliek, pauliax, rfa, robee, sahar, shenwilly, teryanarmen
125.7841 USDC - $125.78
This report lists low-risk and non-critical findings in the Volt protocol codebase. These findings do not affect any assets belonging to users or the protocol; they concern coding and security best practices.
There are many events declared in the protocol codebase that are never emitted. Off-chain monitoring routines therefore cannot log the corresponding changes to the protocol's state. It is advised to emit these events where needed, or to remove them from the codebase to keep the code clear and consistent.
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/volt/IVolt.sol#L23
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/volt/minter/IVoltTimedMinter.sol#L10
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/volt/minter/IVoltTimedMinter.sol#L12
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/volt/minter/IVoltTimedMinter.sol#L14
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/core/ICore.sol#L11
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/peg/INonCustodialPSM.sol#L104
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/peg/INonCustodialPSM.sol#L113
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/utils/Deviation.sol#L14
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/refs/ICoreRef.sol#L11
There are many modifiers declared in the Volt protocol codebase that are not used by any function. Make sure these modifiers are applied where needed (especially if they are administrative access-control modifiers); otherwise delete them from the files to keep the codebase clear and concise.
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/utils/Timed.sol#L21
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/refs/CoreRef.sol#L29
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/refs/CoreRef.sol#L77
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/refs/CoreRef.sol#L103
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/refs/CoreRef.sol#L117
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/refs/CoreRef.sol#L133
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/refs/CoreRef.sol#L151
Avoid floating pragmas for the compiler version in the Volt protocol's own source code: lock the compiler version for the contract files and leave it floating only for libraries, if needed. Otherwise a known-vulnerable compiler version may accidentally be selected, or security tools may fall back to an older compiler version and end up checking different EVM bytecode than the one ultimately deployed on the blockchain.
For example: https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/core/Core.sol#L2
Some require statements in the Volt codebase provide no revert message. It is advised to provide a message or hint telling users what caused the error.
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/WETH9.sol#L51
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/WETH9.sol#L76
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/WETH9.sol#L79
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L64
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L338
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L361
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L370
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L379
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L388
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L397
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L418
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L441
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L450
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L459
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L468
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L477
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L485
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L504
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L523
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L532
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L541
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/external/calendar/BokkyPooBahsDateTimeLibrary.sol#L550
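As an added illustration that is not part of the warden's report or of the Volt codebase, the following Python script reproduces the four checks above (events declared but never emitted, modifiers no function uses, floating pragmas, and require() calls without a reason string) over a constructed sample contract; every name in the sample is made up, and the require check walks nested parentheses so that a comma inside a nested call is not mistaken for a message.

```python
import re
# Constructed sample contract exercising each finding (not from the Volt repository).
SAMPLE = """
pragma solidity ^0.8.4;
contract Sample {
    event Deposit(address indexed who, uint256 amount); // emitted below
    event Paused(address indexed by);                   // declared, never emitted
    address public owner;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { _; }                     // declared, never used
    function deposit(uint256 amount) external {
        require(amount > 0);                            // no revert reason
        emit Deposit(msg.sender, amount);
    }
    function setOwner(address o) external onlyOwner {
        require(o != address(0), "zero address");
        owner = o;
    }
}
"""

def unemitted_events(src: str) -> list[str]:
    """Events declared with `event Name(` that never appear in an `emit Name(`."""
    declared = set(re.findall(r"\bevent\s+(\w+)\s*\(", src))
    emitted = set(re.findall(r"\bemit\s+(\w+)\s*\(", src))
    return sorted(declared - emitted)

def unused_modifiers(src: str) -> list[str]:
    """Modifiers whose name occurs only once in the source: in their own declaration."""
    names = re.findall(r"\bmodifier\s+(\w+)\s*[({]", src)
    return sorted(n for n in names if len(re.findall(r"\b%s\b" % n, src)) == 1)

def floating_pragmas(src: str) -> list[str]:
    """pragma statements that accept a version range instead of one exact compiler."""
    versions = re.findall(r"pragma\s+solidity\s+([^;]+);", src)
    return [v.strip() for v in versions if re.search(r"[\^~<>]", v)]

def bare_requires(src: str) -> list[str]:
    """require(...) calls with no top-level comma, i.e. no revert message argument."""
    out = []
    for m in re.finditer(r"\brequire\s*\(", src):
        depth, i, top_comma = 1, m.end(), False
        while depth and i < len(src):          # walk to the matching ')'
            c = src[i]
            depth += (c == "(") - (c == ")")
            top_comma |= (c == "," and depth == 1)
            i += 1
        if not top_comma:
            out.append(src[m.start():i])
    return out
```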
When dealing with large numbers, developers can use scientific notation to improve code readability. However, there are occurrences in the Volt codebase where exponentiation with the double asterisk is used instead of scientific notation (for example 10**18 where 1e18 would do).
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/refs/OracleRef.sol#L111
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/refs/OracleRef.sol#L114
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/vcon/Vcon.sol#L504
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/vcon/Vcon.sol#L513
The WETH address is hardcoded inside the Volt protocol. However, the address differs between the blockchains the protocol may be deployed to, and a hardcoded constant cannot be changed after deployment. It is advised to pass the WETH address when deploying the contract and to allow it to be updated when necessary.
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/Constants.sol#L19
https://github.com/code-423n4/2022-03-volt/blob/cec24b859c69d1397ce4048b6e9b8e96410b31dd/contracts/Constants.sol#L22
The Volt protocol codebase follows the NatSpec style for commenting and documenting code. However, there are instances where the NatSpec comments for function parameters are missing. It is advised to document all parameters so that the code and its documentation match.
#0 - ElliotFriedman
2022-04-05T22:12:46Z
These are all valid, however their severity is informational.
#1 - ElliotFriedman
2022-04-05T22:14:29Z
Floating pragma issue was uncovered in MythX report and is thus out of scope.