Platform: Code4rena
Start Date: 13/05/2022
Pot Size: $30,000 USDC
Total HM: 8
Participants: 65
Period: 3 days
Judge: hickuphh3
Total Solo HM: 1
Id: 125
League: ETH
Rank: 43/65
Findings: 1
Award: $54.71
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0xNazgul, 0xf15ers, 0xkatana, 0xliumin, AlleyCat, BouSalman, Dravee, Funen, GimelSec, Hawkeye, MaratCerby, Picodes, StErMi, TerrierLover, WatchPug, Waze, berndartmueller, bobirichman, cryptphi, csanuragjain, defsec, delfin454000, dipp, fatherOfBlocks, hake, hickuphh3, hyh, joestakey, kebabsec, mics, mtz, oyc_109, p4st13r4, p_crypt0, robee, rotcivegaf, sikorico, simon135, sorrynotsorry, tintin
54.7123 USDC - $54.71
This report lists low-risk and non-critical findings in the Sturdy protocol codebase. These findings do not affect any assets belonging to users or the protocol; they concern coding and security best practices.
ERC20 functions return a Boolean value which should be checked. The Sturdy protocol has several lines of code that call these functions without checking the return value. A token that signals failure by returning false rather than reverting can leave the calling code continuing as if the transfer or approval succeeded, so the return value should be checked before processing continues.
Avoid using deprecated library functions. The Sturdy codebase uses approve() and safeApprove(), which is discouraged; it is advised to use safeIncreaseAllowance() instead.
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/LidoVault.sol#L102
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/ConvexCurveLPVault.sol#L141
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/ConvexCurveLPVault.sol#L146
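The two findings above (unchecked ERC20 return values, and approve()/safeApprove() in place of safeIncreaseAllowance()) are illustrated below with an added example that is not Sturdy's code and not part of the original report. It assumes OpenZeppelin Contracts v4.x is installed; the FalseReturningToken, UnsafeVault and SafeVault contracts and their storage names are constructed for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Sturdy's code). Assumes OpenZeppelin Contracts v4.x.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @dev Constructed token that signals failure by returning false instead of
///      reverting. Only the two functions the vaults below call are implemented.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) {
            return false; // no revert: the caller must inspect this value
        }
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        allowance[from][msg.sender] -= amount;
        return true;
    }
}

/// @dev The pattern the report flags: return values dropped, approve() used directly.
contract UnsafeVault {
    IERC20 public immutable asset;
    address public immutable pool;
    uint256 public totalDeposited;

    constructor(IERC20 _asset, address _pool) {
        asset = _asset;
        pool = _pool;
    }

    function deposit(uint256 amount) external {
        // If `asset` returns false here, no tokens arrive but execution continues
        // and `totalDeposited` below is still credited.
        asset.transferFrom(msg.sender, address(this), amount);
        // The approve() result is dropped as well, and overwriting a non-zero
        // allowance is the call pattern some widely used tokens reject outright.
        asset.approve(pool, amount);
        totalDeposited += amount;
    }
}

/// @dev Hardened version using OpenZeppelin's SafeERC20 wrappers.
contract SafeVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    address public immutable pool;
    uint256 public totalDeposited;

    constructor(IERC20 _asset, address _pool) {
        asset = _asset;
        pool = _pool;
    }

    function deposit(uint256 amount) external {
        // Reverts if the token returns false or the call fails; also tolerates
        // tokens that return no value at all.
        asset.safeTransferFrom(msg.sender, address(this), amount);
        // Adds `amount` to the existing allowance instead of overwriting it,
        // and reverts if the underlying approve() does not succeed.
        asset.safeIncreaseAllowance(pool, amount);
        totalDeposited += amount;
    }
}
```

Deployed against FalseReturningToken, a call to UnsafeVault.deposit() from an account that holds no tokens and has granted no allowance completes and increments totalDeposited while the vault's balance stays at zero; the same call on SafeVault reverts inside safeTransferFrom, which is the behaviour the report asks for.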
There are many modifiers declared in the Sturdy protocol codebase that are not used by any function. It is advised to make use of these modifiers where they are needed (especially if they are administrative), and otherwise to delete them from the files to keep the codebase clear and concise.
There are commented-out lines of code inside the Sturdy protocol. It is advised to remove them to keep the codebase concise and clear.
When dealing with large numbers, developers can use scientific notation to improve code readability. However, there are occurrences in the Sturdy codebase where a double-asterisk exponent is used instead of scientific notation.
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/ConvexCurveLPVault.sol#L125
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/GeneralVault.sol#L123
There are some unused imports in the protocol. They reduce code quality and add to audit time; it is advised to remove them before deploying the protocol.
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/CollateralAdapter.sol#L6
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/YieldManager.sol#L9
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/YieldManager.sol#L10
#0 - HickupHH3
2022-06-06T03:27:16Z
Low issues: Unsafe ERC20 transfer Operations, Usage of Deprecated Library Functions, Unused imports
NC issues: Commented lines of code, numbers presentation
Invalid: Unused modifiers (maybe used by future vaults)