Centrifuge - Bughunter101's results

The institutional ecosystem for on-chain credit.

General Information

Platform: Code4rena

Start Date: 08/09/2023

Pot Size: $70,000 USDC

Total HM: 8

Participants: 84

Period: 6 days

Judge: gzeon

Total Solo HM: 2

Id: 285

League: ETH

Researcher Performance

Rank: 72/84

Findings: 1

Award: $12.79

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

12.7917 USDC - $12.79

Labels

bug
grade-b
QA (Quality Assurance)
sufficient quality report
Q-15

[info] liquidityPool may be able to burn itself and does not need to approve itself

liquidityPool may be able to burn itself and does not need to approve itself. I suggest we delete this code: https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/PoolManager.sol#L329

[low] UserEscrow.transferOut(): if using approve, it must approve all, which is unreasonable

https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/UserEscrow.sol#L36

UserEscrow.transferOut(): if using approve, it must approve all, which is unreasonable. Maybe the user just wants to approve a part of the funds. I suggest changing it to:

require(
    /// @dev transferOut can only be initiated by the destination address or an authorized admin.
    ///      The check is just an additional protection to secure destination funds in case of compromised auth.
    ///      Since userEscrow is not able to decrease the allowance for the receiver,
    ///      a transfer is only possible in case receiver has received the full allowance from destination address.
    receiver == destination || (ERC20Like(token).allowance(destination, receiver) >= amount),
    "UserEscrow/receiver-has-no-allowance"
);

[info] No one calls the removeLiquidityPool() function

https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/token/Tranche.sol#L53

I am not sure of the coder's intention. But if the function is useless, I suggest we delete it or write a remark.
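
The trade-off behind the allowance check in the [low] finding, as an added example that is not part of the submitted report or the Centrifuge code base: a Python model of an escrow that checks an ERC-20 allowance but, as the quoted code comment says, cannot decrease it. The class, the per-destination `reserved` balance and the names `alice` and `bob` are assumptions made for illustration.

```python
MAX_UINT256 = 2**256 - 1

class EscrowModel:
    """Simplified, hypothetical model: the allowance is checked, never spent."""

    def __init__(self, require_full_allowance):
        self.require_full_allowance = require_full_allowance
        self.reserved = {}   # destination -> tokens held for it (assumption)
        self.allowance = {}  # (destination, receiver) -> ERC-20 allowance
        self.received = {}   # receiver -> tokens paid out so far

    def transfer_in(self, destination, amount):
        self.reserved[destination] = self.reserved.get(destination, 0) + amount

    def approve(self, destination, receiver, amount):
        self.allowance[(destination, receiver)] = amount

    def _receiver_allowed(self, destination, receiver, amount):
        if receiver == destination:
            return True
        granted = self.allowance.get((destination, receiver), 0)
        if self.require_full_allowance:
            return granted == MAX_UINT256  # full-allowance rule from the code comment
        return granted >= amount           # check proposed in the finding

    def transfer_out(self, destination, receiver, amount):
        if self.reserved.get(destination, 0) < amount:
            raise ValueError("insufficient reserved balance")
        if not self._receiver_allowed(destination, receiver, amount):
            raise PermissionError("UserEscrow/receiver-has-no-allowance")
        self.reserved[destination] -= amount
        # The escrow cannot lower the owner's allowance, so it is unchanged here.
        self.received[receiver] = self.received.get(receiver, 0) + amount


def total_paid_out(require_full_allowance, approved, reserved=100, chunk=10):
    """Pay a third-party receiver in chunks until a check rejects; return the total."""
    escrow = EscrowModel(require_full_allowance)
    escrow.transfer_in("alice", reserved)      # constructed sample values
    escrow.approve("alice", "bob", approved)
    try:
        while True:
            escrow.transfer_out("alice", "bob", chunk)
    except (PermissionError, ValueError):
        pass
    return escrow.received.get("bob", 0)
```

With `approved=10`, the `>= amount` check passes on every 10-token payout because the allowance is never consumed, so the partial approval does not cap the cumulative amount; the full-allowance rule pays out to a third party only after an unlimited approval.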

#0 - c4-pre-sort

2023-09-17T01:37:00Z

raymondfam marked the issue as sufficient quality report

#1 - c4-judge

2023-09-26T17:40:36Z

gzeon-c4 marked the issue as grade-c

#2 - c4-judge

2023-09-26T18:20:52Z

gzeon-c4 marked the issue as grade-b
