Platform: Code4rena
Start Date: 16/12/2022
Pot Size: $60,500 USDC
Total HM: 12
Participants: 58
Period: 5 days
Judge: Trust
Total Solo HM: 4
Id: 196
League: ETH
Rank: 38/58
Findings: 1
Award: $43.54
đ Selected for report: 0
đ Solo Findings: 0
đ Selected for report: yixxas
Also found by: 0x52, 0xAgro, 0xSmartContract, 0xhacksmithh, Aymen0909, Bnke0x0, Bobface, Breeje, Diana, Franfran, HE1M, HollaDieWaldfee, IllIllI, Jeiwan, RaymondFam, Rolezn, SaharDevep, Secureverse, SmartSek, ak1, bin2chen, brgltd, chrisdior4, gz627, imare, ladboy233, lukris02, oyc_109, rvierdiiev, shark, tnevler, unforgiven, wait
43.5439 USDC - $43.54
Use OpenZeppelinâs ECDSA contract rather than calling ecrecover() directly
There is 1 instance of this issue
File: src/ReservoirOracleUnderwriter.sol 68: address signerAddress = ecrecover(
Use scientific notation (eg. 1e18) rather than exponentiation (eg. 10 ** 18) Scientific notation should be used for better code readability
There are 2 instances of this issue
File: src/PaprController.sol 87: initSqrtRatio = UniswapHelpers.oneToOneSqrtRatio(underlyingONE, 10 ** 18); 89: initSqrtRatio = UniswapHelpers.oneToOneSqrtRatio(10 ** 18, underlyingONE);
Use abi.encode() instead which will pad items to 32 bytes, which will prevent hash collisions
âUnless there is a compelling reason, abi.encode should be preferredâ. If there is only one argument to abi.encodePacked() it can often be cast to bytes() or bytes32() instead.
There are 2 instances of this issue
File: src/ReservoirOracleUnderwriter.sol 68-86: address signerAddress = ecrecover( keccak256( abi.encodePacked( "\x19Ethereum Signed Message:\n32", // EIP-712 structured-data hash keccak256( abi.encode( keccak256("Message(bytes32 id,bytes payload,uint256 timestamp)"), oracleInfo.message.id, keccak256(oracleInfo.message.payload), oracleInfo.message.timestamp ) ) ) ), oracleInfo.sig.v, oracleInfo.sig.r, oracleInfo.sig.s );
File: src/libraries/PoolAddress.sol 33-46: pool = address( uint160( uint256( keccak256( abi.encodePacked( hex"ff", factory, keccak256(abi.encode(key.token0, key.token1, key.fee)), POOL_INIT_CODE_HASH ) ) ) ) );
The afunctions that change critical parameters should emit events. Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes with timelocks that allow users to evaluate them and consider if they would like to engage/exit based on how they perceive the changes as affecting the trustworthiness of the protocol or profitability of the implemented financial services. The alternative of directly querying on-chain contract state for such changes is not considered practical for most users/usages.
Missing events and timelocks do not promote transparency and if such changes immediately affect usersâ perception of fairness or trustworthiness, they could exit the protocol causing a reduction in liquidity which could negatively impact protocol TVL and reputation.
There is 1 instance of this issue
File: src/PaprController.sol 361: liquidationsLocked = locked;
In the contracts, floating pragmas should not be used. Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
This issue exists in all the In-scope contracts
Lock the pragma version
It's a best practice to use the latest compiler version.
The specified minimum compiler version is quite old. Older compilers might be susceptible to some bugs. We recommend changing the solidity version pragma to the latest version to enforce the use of an up to date compiler.
List of known compiler bugs and their severity can be found here:Â https://etherscan.io/solcbuginfo
This issue exists in the following In-scope contracts: NFTEDA.sol, EDAPrice.sol, INFTEDA.sol, NFTEDAStarterIncentive.sol, UniswapHelpers.sol, PoolAddress.sol, OracleLibrary.sol, IUniswapOracleFundingRateController.sol, IPaprController.sol, IFundingRateController.sol
#0 - c4-judge
2022-12-25T16:14:03Z
trust1995 marked the issue as grade-b