Ethos Reserve contest - Breeje's results

A CDP-backed stablecoin platform designed to generate yield on underlying assets to establish a sustainable DeFi stable interest rate.

General Information

Platform: Code4rena

Start Date: 16/02/2023

Pot Size: $144,750 USDC

Total HM: 17

Participants: 154

Period: 19 days

Judge: Trust

Total Solo HM: 5

Id: 216

League: ETH

Researcher Performance

Rank: 80/154

Findings: 1

Award: $61.26

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

QA Report

Low Risk Issues

| Count | Explanation | Instances |
|-------|-------------|-----------|
| [L-01] | pragma experimental ABIEncoderV2 is deprecated | 1 |
| [L-02] | Upgradeable contract is missing a __gap[50] storage variable to allow for new storage variables in later versions | 1 |
| [L-03] | Use of ecrecover can lead to a signature malleability vulnerability | 1 |
| Total Low Risk Issues | | 3 |

Non-Critical Issues

| Count | Explanation | Instances |
|-------|-------------|-----------|
| [N-01] | Function state mutability can be restricted to pure | 2 |
| [N-02] | Variable name should be in CamelCase | 1 |
| [N-03] | No error message provided for require | 3 |
| [N-04] | Spelling errors in Natspec | 1 |
| [N-05] | Recommended to use a 2-step process when updating critical addresses | 2 |
| Total Non-Critical Issues | | 5 |

[L-01] pragma experimental ABIEncoderV2 is deprecated

Description

pragma experimental ABIEncoderV2 is deprecated. Use pragma abicoder v2 instead; ABI coder v2 supports more types than v1 and performs more sanity checks on inputs.

ABI coder v2 is enabled by default from Solidity 0.8.0 onward, so it is already active without being enabled explicitly and the pragma is redundant.

Reference

Recommended Mitigation Steps

Remove pragma experimental ABIEncoderV2 from the following code instance.

Instance (1):

File: DistributionTypes.sol

2:    pragma experimental ABIEncoderV2;

Link to Code

[L-02] Upgradeable contract is missing a __gap[50] storage variable to allow for new storage variables in later versions

See this link for a description of this storage variable. While some contracts may not currently be sub-classed, adding the variable now protects against forgetting to add it in the future.

Instance (1):

File: ReaperBaseStrategyv4.sol

14:   abstract contract ReaperBaseStrategyv4 is

Link to Code
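As an added illustration (not code from ReaperBaseStrategyv4 or the Ethos Reserve repository; contract and variable names are hypothetical), the layout below shows what the gap buys: a base contract reserves 50 slots, and a later base version consumes one of them without moving the slots a derived contract already occupies. Without the gap, the new base variable would land in the slot the derived contract was using, and a proxy upgrade would silently reinterpret old storage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not project code. Names (BaseV1, StrategyV1, feeBps, ...) are hypothetical.
// Storage slots are assigned in declaration order, base contracts first.

abstract contract BaseV1 {
    address public vault;          // slot 0
    uint256 public lastHarvest;    // slot 1
    // Reserve slots 2..51 for variables that future base versions may need.
    uint256[50] private __gap;
}

contract StrategyV1 is BaseV1 {
    uint256 public feeBps;         // slot 52: first slot after the base footprint
}

// A later base version adds one variable and shrinks the gap by one, so the base
// still occupies exactly 52 slots and derived storage does not move.
abstract contract BaseV2 {
    address public vault;          // slot 0
    uint256 public lastHarvest;    // slot 1
    uint256 public harvestCooldown;// slot 2: new in V2, carved out of the gap
    uint256[49] private __gap;     // slots 3..51
}

contract StrategyV2 is BaseV2 {
    uint256 public feeBps;         // still slot 52, so the proxy reads the same value as before
}

// Counter-example: the same change without a gap. feeBps moves from slot 2 to slot 3,
// so after an upgrade the proxy's stored fee would be read back as harvestCooldown.
abstract contract BaseNoGapV1 {
    address public vault;          // slot 0
    uint256 public lastHarvest;    // slot 1
}

contract StrategyNoGapV1 is BaseNoGapV1 {
    uint256 public feeBps;         // slot 2
}

abstract contract BaseNoGapV2 {
    address public vault;          // slot 0
    uint256 public lastHarvest;    // slot 1
    uint256 public harvestCooldown;// slot 2: collides with StrategyNoGapV1.feeBps
}

contract StrategyNoGapV2 is BaseNoGapV2 {
    uint256 public feeBps;         // slot 3: reads uninitialised storage after the upgrade
}
```

The slot assignments in the comments can be checked before any upgrade with the compiler's storage layout output (for example, forge inspect StrategyV2 storage-layout in a Foundry project); comparing the layouts of the old and new implementation is the practical check that a gap was sized correctly.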

[L-03] Use of ecrecover can lead to a signature malleability vulnerability

Raw ecrecover accepts both valid encodings of an ECDSA signature (the s value and n - s with the v parity flipped) and returns address(0) instead of reverting when recovery fails. It is recommended to use OpenZeppelin's ECDSA library instead of ecrecover: ECDSA.sol

The latest permit implementation from OpenZeppelin can be checked here.

Instance (1):

File: LUSDToken.sol

    address recoveredAddress = ecrecover(digest, v, r, s);
    require(recoveredAddress == owner, 'LUSD: invalid signature');

Link to Code
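The following is an added example (not LUSDToken code; contract and function names are hypothetical) placing the flagged raw-ecrecover check next to a hardened form that applies the same three checks OpenZeppelin's ECDSA.recover performs: s in the lower half of the curve order, v equal to 27 or 28, and a non-zero recovered address. Message construction and nonce handling are left out to keep the contrast on the recovery step.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not project code. Names are hypothetical.
contract SignatureCheckExample {
    // secp256k1 group order n and n / 2 (the same constant OpenZeppelin's ECDSA library uses).
    // Any signature (v, r, s) with s > n / 2 has a second valid encoding (v ^ 1, r, n - s),
    // so requiring s <= n / 2 pins each signature to one canonical byte representation.
    uint256 private constant HALF_N = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    // Vulnerable form, same shape as the flagged LUSDToken snippet:
    //  * both encodings of a signature pass, so any replay guard keyed on the
    //    signature bytes rather than on a nonce can be bypassed;
    //  * ecrecover returns address(0) on malformed input, so an owner of
    //    address(0) would be "verified" by a garbage signature.
    function verifyUnsafe(bytes32 digest, address owner, uint8 v, bytes32 r, bytes32 s)
        external
        pure
        returns (bool)
    {
        address recoveredAddress = ecrecover(digest, v, r, s);
        return recoveredAddress == owner;
    }

    // Hardened form: reject the non-canonical s half, reject non-standard v,
    // and treat address(0) as a failed recovery rather than a valid signer.
    function verify(bytes32 digest, address owner, uint8 v, bytes32 r, bytes32 s)
        external
        pure
        returns (address)
    {
        require(uint256(s) <= HALF_N, "ECDSA: invalid signature 's' value");
        require(v == 27 || v == 28, "ECDSA: invalid signature 'v' value");
        address recoveredAddress = ecrecover(digest, v, r, s);
        require(recoveredAddress != address(0), "ECDSA: invalid signature");
        require(recoveredAddress == owner, "LUSD: invalid signature");
        return recoveredAddress;
    }
}
```

In production the three require statements are what a call to ECDSA.recover(digest, v, r, s) from OpenZeppelin already does, so the drop-in fix is to replace the ecrecover call with that library call and keep the owner comparison.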

[N-01] Function state mutability can be restricted to pure

Change the state mutability of the following functions from view to pure, since they read no contract state.

Instances (2):

File: ReaperVaultV2.sol

659:    function _cascadingAccessRoles() internal view override returns (bytes32[] memory) {

Link to Code

File: ReaperBaseStrategyv4.sol

203:    function _cascadingAccessRoles() internal view override returns (bytes32[] memory) {

Link to Code

[N-02] Variable name should be in CamelCase

Instance (1):

File: ReaperVaultV2.sol

473:    struct LocalVariables_report {

Link to Code

[N-03] No Error Message provided for require

Provide an error message for require.

Instances (3):

File: ReaperStrategyGranarySupplyOnly.sol

167:    require(step[0] != address(0));
168:    require(step[1] != address(0));

Link to Code

File: VeloSolidMixin.sol

99:     require(
100:        _tokenIn != _tokenOut && _path.length >= 2 && _path[0] == _tokenIn && _path[_path.length - 1] == _tokenOut
101:    );

Link to Code

[N-04] Spelling Errors in Natspec

Instance (1):

Correct the spelling of Ammount to Amount and Stricly to Strictly.

File: ReaperBaseStrategyv4.sol

98:     require(_amount <= balanceOf(), "Ammount must be less than balance");

203:    * {KEEPER} - Stricly permissioned trustless access for off-chain programs or third party keepers.

Link to Code

[N-05] Recommended to use a 2-step process when updating critical addresses

It is recommended to use a two-step transfer (propose the new address, then have that address accept) for critical roles so that a wrong input cannot become irreversible. Here, if the governance address is set to a wrong address, LUSDToken can never be unpaused once paused.

Instance (2):

File: LUSDToken.sol

146:    function updateGovernance(address _newGovernanceAddress) external {

153:    function updateGuardian(address _newGuardianAddress) external {

Link to Code
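An added example of the two-step pattern (not LUSDToken code; the contract, function and event names are hypothetical, and the single-step function only mirrors the shape of the flagged updateGovernance, not its body): the current governance nominates a successor, and nothing changes until the successor calls accept from its own key, which proves the address is live and under control before it holds the role.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not project code. Names are hypothetical.
contract TwoStepGovernanceExample {
    address public governanceAddress;
    address public pendingGovernanceAddress;

    event GovernanceTransferProposed(address indexed current, address indexed proposed);
    event GovernanceTransferCancelled(address indexed current, address indexed cancelled);
    event GovernanceAddressChanged(address indexed previous, address indexed current);

    modifier onlyGovernance() {
        require(msg.sender == governanceAddress, "Governance: caller is not governance");
        _;
    }

    constructor(address _governanceAddress) {
        require(_governanceAddress != address(0), "Governance: zero address");
        governanceAddress = _governanceAddress;
    }

    // Single-step form (the pattern flagged in N-05): a typo, a wrong network's
    // address or a compromised key in _newGovernanceAddress takes effect at once
    // and there is no path back, so every onlyGovernance function is lost.
    function updateGovernanceUnsafe(address _newGovernanceAddress) external onlyGovernance {
        governanceAddress = _newGovernanceAddress;
    }

    // Step 1: nominate. State is unchanged apart from the pending slot, so a
    // mistake here is still recoverable by proposing again or cancelling.
    function proposeGovernance(address _newGovernanceAddress) external onlyGovernance {
        require(_newGovernanceAddress != address(0), "Governance: zero address");
        pendingGovernanceAddress = _newGovernanceAddress;
        emit GovernanceTransferProposed(governanceAddress, _newGovernanceAddress);
    }

    // Step 2: the nominee accepts from its own key. Only an address that can
    // actually sign transactions can ever become governance.
    function acceptGovernance() external {
        require(msg.sender == pendingGovernanceAddress, "Governance: caller is not pending governance");
        address previous = governanceAddress;
        governanceAddress = msg.sender;
        pendingGovernanceAddress = address(0);
        emit GovernanceAddressChanged(previous, msg.sender);
    }

    // Current governance can withdraw a nomination before it is accepted.
    function cancelProposedGovernance() external onlyGovernance {
        address cancelled = pendingGovernanceAddress;
        pendingGovernanceAddress = address(0);
        emit GovernanceTransferCancelled(governanceAddress, cancelled);
    }
}
```

The same shape applies to the guardian role flagged at line 153: a pendingGuardianAddress plus an acceptGuardian function, so that neither role can be handed to an address that has never demonstrated it can transact.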

#0 - c4-judge

2023-03-09T15:07:32Z

trust1995 marked the issue as grade-b

#1 - c4-sponsor

2023-03-28T20:10:58Z

0xBebis marked the issue as sponsor confirmed
