Platform: Code4rena
Start Date: 07/04/2022
Pot Size: $100,000 USDC
Total HM: 20
Participants: 62
Period: 7 days
Judge: LSDan
Total Solo HM: 11
Id: 107
League: ETH
Rank: 26/62
Findings: 3
Award: $339.14
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Wayne
Also found by: Cr4ckM3, PPrieditis, hyh, rayn, smiling_heretic
noContract
The `noContract` modifier is used in farming/LPFarming.sol#L85 to prevent non-whitelisted contracts from interacting with the LP farm. But the `isContract` check can be bypassed with a contract executing constructor code. `require(msg.sender == tx.origin)` may be a better choice.
#0 - spaghettieth
2022-04-11T17:27:46Z
Duplicate of #11
25.7805 USDC - $25.78
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/vaults/NFTVault.sol#L459
According to Chainlink's documentation, the latestAnswer function is deprecated. This function does not error if no answer has been reached but returns 0.
It's the same as a medium risk issue in another C4 contest
N/A
Use the new `latestRoundData` function to get the price instead. Add checks on the return data with proper revert messages if the price is stale or the round is uncompleted, for example:

```solidity
(uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) = oracle.latestRoundData();
require(answeredInRound >= roundID, "...");
require(timeStamp != 0, "...");
```
#0 - spaghettieth
2022-04-11T15:33:51Z
Duplicate of #4
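The checks suggested in the finding above, gathered into one helper, as an added example (not the warden's or the project's code). The `OracleGuard` library, the `IAggregatorV3` interface name, the `maxAge` parameter, the pragma and the revert strings are assumptions; the positive-price and age checks go beyond the two `require`s in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumed compiler range for this example

// Minimal Chainlink aggregator interface (only the call used here).
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical helper, not part of the audited code base.
library OracleGuard {
    /// @param maxAge assumed staleness bound in seconds, chosen by the caller
    ///        to match the feed's update interval (not a value from the report).
    function readPrice(IAggregatorV3 oracle, uint256 maxAge)
        internal
        view
        returns (uint256)
    {
        (uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) =
            oracle.latestRoundData();

        // Round not completed yet: the update timestamp is still zero.
        require(timeStamp != 0, "oracle: round incomplete");
        // Answer was carried over from an earlier round.
        require(answeredInRound >= roundID, "oracle: stale round");
        // latestAnswer would return 0 without erroring; revert instead.
        require(price > 0, "oracle: non-positive price");
        // Answer is older than the caller tolerates. Under 0.8 checked
        // arithmetic a timestamp in the future also reverts here.
        require(block.timestamp - timeStamp <= maxAge, "oracle: price too old");

        return uint256(price);
    }
}
```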
🌟 Selected for report: Dravee
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xNazgul, 0xkatana, Cityscape, Cr4ckM3, FSchmoede, Foundation, Funen, Hawkeye, IllIllI, JMukesh, Meta0xNull, PPrieditis, Picodes, TerrierLover, Tomio, WatchPug, berndartmueller, catchup, delfin454000, dirk_y, ellahi, hickuphh3, ilan, kebabsec, kenta, nahnah, rayn, rfa, robee, rokinot, saian, securerodd, slywaters, sorrynotsorry
80.5853 USDC - $80.59
onlyOwner
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/farming/LPFarming.sol#L363
As we always revert in `renounceOwnership()`, the `onlyOwner` check can be removed.