Back to Cityscape's contests

Alchemix contest - Cityscape's results

A protocol for self-repaying loans with no liquidation risk.

General Information

Platform: Code4rena

Start Date: 05/05/2022

Pot Size: $125,000 DAI

Total HM: 17

Participants: 62

Period: 14 days

Judge: leastwood

Total Solo HM: 15

Id: 120

League: ETH

Alchemix

Findings Distribution

Researcher Performance

Rank: 37/62

Findings: 2

Award: $267.84

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAlchemix

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xkatana, 0xsomeone, AuditsAreUS, BouSalman, BowTiedWardens, Cityscape, Funen, GimelSec, Hawkeye, JC, MaratCerby, MiloTruck, Picodes, Ruhum, TerrierLover, WatchPug, Waze, bobirichman, catchup, cccz, cryptphi, csanuragjain, delfin454000, ellahi, fatherOfBlocks, hake, horsefacts, hyh, jayjonah8, joestakey, kebabsec, kenta, mics, oyc_109, robee, samruna, shenwilly, sikorico, simon135, throttle, tintin

Awards

178.6573 DAI - $178.66

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Low-Risk

Use _grantRole instead of _setupRole

according to openzeppelin documentation: https://docs.openzeppelin.com/contracts/4.x/api/access, _setupRole() is only to be called from the constructor while _grantRole() is to be called anywhere else, doing otherwise is circumventing the admin system.

This vulnerability is present on the following lines.

https://github.com/code-423n4/2022-05-alchemix/blob/71abbe683dfd5c0686b7e594fb4f78a14b668d8b/contracts-full/AlchemicTokenV1.sol#L102

https://github.com/code-423n4/2022-05-alchemix/blob/71abbe683dfd5c0686b7e594fb4f78a14b668d8b/contracts-full/AlchemicTokenV2.sol#L129

https://github.com/code-423n4/2022-05-alchemix/blob/71abbe683dfd5c0686b7e594fb4f78a14b668d8b/contracts-full/AlchemicTokenV2Base.sol#L142

Non-Critical

Function _getExchangedBalance lacks NatSpec

https://github.com/code-423n4/2022-05-alchemix/blob/71abbe683dfd5c0686b7e594fb4f78a14b668d8b/contracts-full/TransmuterV2.sol#L554

Variable normaizedAmount is mispelled

considering the variable normaizedAmount is a return from the function _normalizeUnderlyingTokensToDebt() I believe it is appropriate to change the name of the variable to normalizedAmount, for consistency and clarity.

https://github.com/code-423n4/2022-05-alchemix/blob/71abbe683dfd5c0686b7e594fb4f78a14b668d8b/contracts-full/TransmuterV2.sol#L251

#0 - 0xfoobar

2022-05-30T07:56:19Z

Useful comment on _setupRole vs _grantRole

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xf15ers, 0xkatana, 0xsomeone, AlleyCat, BowTiedWardens, Cityscape, Fitraldys, Funen, GimelSec, Hawkeye, JC, MaratCerby, MiloTruck, Randyyy, TerrierLover, Tomio, UnusualTurtle, WatchPug, Waze, _Adam, augustg, bobirichman, catchup, csanuragjain, ellahi, fatherOfBlocks, hake, hansfriese, horsefacts, ignacio, joestakey, kenta, mics, oyc_109, robee, samruna, sashik_eth, sikorico, simon135, throttle

Awards

89.1839 DAI - $89.18

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

Gas Optimizations

Named Returns

function _getExchangedBalance(address owner) internal view returns (uint256 exchangedBalance) {

proposed change:

function _getExchangedBalance(address owner) internal view returns (uint256) {

https://github.com/code-423n4/2022-05-alchemix/blob/71abbe683dfd5c0686b7e594fb4f78a14b668d8b/contracts-full/TransmuterV2.sol#L554

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter