Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 101/101
Findings: 1
Award: $33.58
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
33.5761 USDC - $33.58
In the contracts, floating pragmas should not be used. Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
Proof of Concept
https://swcregistry.io/docs/SWC-103
Contracts:
https://github.com/code-423n4/2022-09-tribe/blob/main/contracts/peg/SimpleFeiDaiPSM.sol#L2
https://github.com/code-423n4/2022-09-tribe/blob/main/contracts/shutdown/redeem/TribeRedeemer.sol#L2
Recommended Mitigation Steps Lock the pragma version.
Impact
If two variables with the same name exist in a function, but one is imported from another contract while the other is created locally, it is unclear which value is being used or should be used. Avoiding variable name collisions avoids confusion and the risks of using the wrong variable.
https://swcregistry.io/docs/SWC-119
Proof of Concept
https://github.com/code-423n4/2022-09-tribe/blob/main/contracts/shutdown/fuse/MerkleRedeemerDripper.sol#L11 (_core) shadows https://github.com/code-423n4/2022-09-tribe/blob/main/contracts/refs/CoreRef.sol#L11
Recommended Mitigation Steps Rename local variables to avoid shadowing. For instance, add an underscore in front of the name of local variables.
While the codebase does a great job of input validation for parameters of all kinds, and especially addresses, there are a few places where zero-address validations are missing. None of them is catastrophic: each would result in an obvious revert and can be reset, given the permissioned/controlled interactions with the contracts. Nevertheless, it is helpful to add zero-address validations to be consistent and to ensure high availability of the protocol with resistance to accidental misconfigurations.
POC
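The following contract is an added illustration of the three recommendations in this report (locked pragma, no shadowing of an inherited state variable, zero-address checks on every address parameter). It is not code from the 2022-09-tribe repository and not the report's proof of concept; the contract names CoreRefLike and Dripper, the `_core` state variable and the `coreAddress`/`_target` parameter names are hypothetical stand-ins chosen to mirror the pattern the shadowing finding describes.

```solidity
// SPDX-License-Identifier: MIT
// Added example, not part of the audited codebase.
// Locked pragma (SWC-103): deploy with exactly the compiler the code was tested on,
// rather than `^0.8.0`, which lets any later 0.8.x compiler build the contract.
pragma solidity 0.8.17;

// Hypothetical stand-in for a base that keeps a core reference in a state variable
// named `_core`. A derived constructor parameter also named `_core` would shadow it
// (SWC-119), so the base exposes a clearly different parameter name instead.
contract CoreRefLike {
    address internal _core;

    constructor(address coreAddress) {
        // Zero-address validation: a misconfigured deployment reverts immediately
        // instead of leaving a dangling reference to address(0).
        require(coreAddress != address(0), "CoreRef: zero core address");
        _core = coreAddress;
    }

    function core() public view returns (address) {
        return _core;
    }
}

contract Dripper is CoreRefLike {
    address public target;
    uint256 public dripAmount;

    event TargetUpdated(address indexed oldTarget, address indexed newTarget);

    // `coreAddress` and `_target` are distinct from every state variable declared in
    // CoreRefLike and in this contract, so no identifier is shadowed.
    constructor(address coreAddress, address _target, uint256 _amount)
        CoreRefLike(coreAddress)
    {
        require(_target != address(0), "Dripper: zero target");
        target = _target;
        dripAmount = _amount;
    }

    // Setters that accept addresses get the same zero-address check as the
    // constructor, so the value cannot be reset to address(0) by mistake.
    function setTarget(address _target) external {
        require(msg.sender == _core, "Dripper: caller is not core");
        require(_target != address(0), "Dripper: zero target");
        emit TargetUpdated(target, _target);
        target = _target;
    }
}
```

The access check in `setTarget` uses the core address as the authorized caller purely to keep the example self-contained; a real protocol would route this through its own permission system. The point the example carries is that each address-taking entry point (constructor and setter alike) validates against `address(0)` before storing the value.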