Platform: Code4rena
Start Date: 09/12/2022
Pot Size: $36,500 USDC
Total HM: 9
Participants: 69
Period: 3 days
Judge: Picodes
Total Solo HM: 2
Id: 190
League: ETH
Rank: 40/69
Findings: 2
Award: $53.17
π Selected for report: 0
π Solo Findings: 0
π Selected for report: 0xSmartContract
Also found by: 0Kage, 0x52, 0xAgro, 0xNazgul, 0xTraub, 0xhacksmithh, Awesome, Aymen0909, Bnke0x0, Englave, Janio, Mukund, Parth, RaymondFam, Rolezn, SmartSek, Tointer, UdarTeam, Udsen, Zarf, caventa, chaduke, csanuragjain, deliriusz, gz627, idkwhatimdoing, izhelyazkov, joestakey, neumo, obront, oyc_109, rvierdiiev, shark, trustindistrust, wait, yongskiws
28.124 USDC - $28.12
The owner of PrePOMarket contract can change at any point in time mint and redeem hooks, which could lead to unexpected behavior. The same is applicable for Collateral contract.
WithdrawHook can update collateral, depositRecord contracts implementations.
DepositHook can update collateral and depositRecord contract implementations.
Itβs recommended to set the implementations once and not allow further modifications, to keep contract predictability and stability.
Path: ./contract/PrePOMarket.sol; ./contract/Collateral.sol
#0 - c4-judge
2022-12-19T14:17:10Z
Picodes marked the issue as grade-c
#1 - c4-judge
2022-12-19T14:17:21Z
Picodes marked the issue as grade-b
#2 - ramenforbreakfast
2022-12-22T00:18:27Z
This result should be disregarded, it is just a short statement about the high amount of embedded trust in our architecture and should not be considered for assessment.
#3 - c4-sponsor
2022-12-22T00:18:31Z
ramenforbreakfast marked the issue as sponsor disputed
π Selected for report: ReyAdmirado
Also found by: 0xSmartContract, 0xTraub, Aymen0909, Englave, Mukund, RHaO-sec, RaymondFam, Rolezn, Sathish9098, Tomio, UdarTeam, chaduke, dharma09, gz627, martin, nadin, pavankv, rjs, saneryee
25.0472 USDC - $25.05
nonReentrant modifier could be removed after functions execution order changes to save Gas.
PrePOMarket.mint interacts with contracts, owned by the client, except collateral. collateral.transferFrom(msg.sender, address(this), _amount) should be moved to the last line before emit Mint, to prevent potential reentrancy.
PrePOMarket.redeem
Collateral.managerWithdraw interacts with managerWithdrawHook, owned by the client, so external call to baseToken would cause no problems.
Collateral.withdraw interacts with baseToken after state changes, so reentrancy not dangerous.
Collateral.deposit interacts with baseToken before state changes, but itβs safe to move this block after _mint and before emit Deposit to prevent any damage from reentrancy:
baseToken.transferFrom(msg.sender, address(this), _amount); if (address(depositHook) != address(0)) { baseToken.approve(address(depositHook), _fee); depositHook.hook(_recipient, _amount, _amountAfterFee); baseToken.approve(address(depositHook), 0); }
#0 - c4-judge
2022-12-19T13:19:25Z
Picodes marked the issue as grade-b
#1 - c4-sponsor
2022-12-22T10:18:37Z
davidprepo marked the issue as sponsor disputed
#2 - ghost
2022-12-22T10:18:56Z
I think we'd rather keep the non reentrancy modifier for readability.