Platform: Code4rena
Start Date: 31/03/2022
Pot Size: $75,000 USDC
Total HM: 7
Participants: 42
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 5
Id: 102
League: ETH
Rank: 10/42
Findings: 2
Award: $411.81
đ Selected for report: 0
đ Solo Findings: 0
đ Selected for report: rayn
Also found by: 0xDjango, 0xkatana, 0xkowloon, BouSalman, CertoraInc, Dravee, Funen, Hawkeye, IllIllI, Jujic, Kenshin, Kthere, Meta0xNull, Sleepy, TerrierLover, async, aysha, berndartmueller, catchup, cccz, cmichel, csanuragjain, danb, defsec, georgypetrov, hake, hubble, kenta, kyliek, pauliax, rfa, robee, sahar, shenwilly, teryanarmen
332.9018 USDC - $332.90
1.Buffer won't be adjusted properly therefore buffer stored will be larger or smaller than expected :
We calculate the buffer stored :
in buffer() and the value that is stored comes from the minimum of two values :
The issue is with the ârateLimitPerSecondâ which is set in the constructor and through setRateLimit() which has limited checks on how the _maxRateLimitPerSecond and the rateLimitPerSecond should be set. If a maximum of zero is set then the rps threshold could not be set to anything above. Or if there was a maximum set, the rps could be set to 0 and would bypass the require check...
With this being said if the first value is used as the minimum of the two values within buffer() with the rps being zero:
bufferStored+(rateLimitPerSecond *elapsed)
would return a lower value than expected.
The opposite effect would occur for _replenishBuffer() as well :
This issue also affects the GlobalMinter and the amount of individualBuffer for the addresses that are set :
this function calls _depleteBuffer() and also individualBuffer() :
whose calculation will be incorrect if a zero value is used for the rps..
It also has explications for getMaxMintOut() in PSM.sol as the value returned would be incorrectly calculated based on the arguments put forward above.
Within the constructor in rateLimited.sol,
within require, add && maxRateLimitPerSecondâ 0 && rateLimitPerSecondâ 0 and bufferCapâ 0.
For the other setters in rateLimited.sol and the other contracts that inherit from it, add to the require, rateLimitPerSecondâ 0 and bufferCapâ 0
đ Selected for report: IllIllI
Also found by: 0v3rf10w, 0xNazgul, 0xkatana, 0xkowloon, CertoraInc, Dravee, Funen, Hawkeye, Jujic, Kenshin, Meta0xNull, Sleepy, TerrierLover, catchup, csanuragjain, defsec, georgypetrov, kenta, okkothejawa, rayn, rfa, robee, saian, samruna
78.9108 USDC - $78.91
Use unchecked block to save gas :
The require check prior to the aforementioned line would ensure that it doesn't underflow..