Platform: Code4rena
Start Date: 11/05/2022
Pot Size: $150,000 USDC
Total HM: 23
Participants: 93
Period: 14 days
Judge: LSDan
Total Solo HM: 18
Id: 123
League: ETH
Rank: 29/93
Findings: 2
Award: $253.64
đ Selected for report: 0
đ Solo Findings: 0
đ Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 242, AlleyCat, BouSalman, BowTiedWardens, CertoraInc, Chom, Cityscape, FSchmoede, Funen, GimelSec, Hawkeye, JC, JDeryl, Kaiziron, Kthere, Kumpa, MaratCerby, MiloTruck, Nethermind, NoamYakov, PPrieditis, QuantumBrief, Rolezn, Ruhum, SmartSek, SooYa, Tadashi, TerrierLover, WatchPug, Waze, _Adam, asutorufos, berndartmueller, bobirichman, c3phas, catchup, cccz, ch13fd357r0y3r, cryptphi, csanuragjain, cthulhu_cult, defsec, delfin454000, ellahi, fatherOfBlocks, hansfriese, hubble, hyh, jayjonah8, joestakey, kenta, kenzo, kirk-baird, mics, oyc_109, p_crypt0, reassor, robee, sach1r0, samruna, sashik_eth, sikorico, simon135, sorrynotsorry, sseefried, tintin, unforgiven, z3s, zmj
170.3748 USDC - $170.37
Aura.sol
Correct to âdistributedâ.
AuraLocker.sol
Should be âIndividualâ :
âcontainâ instead of âcontainsâ :
AuraMath.sol
Remove âofâ:
ExtraRewardsDistributor.sol
Remove âĎâ:
AuraStakingProxy.sol
Correct âconversâ to âconverts it to and distributes it to â:
AuraVestedEscrow.sol
Correct âArraryâ :
CrvDepositor.sol
Correct to âstakerâ:
Correct to âlockâ instead of âlockingâ :
âForâ not âfroâ :
Change incorrect spelling to âSeparateâ :
BaseRewardPool.sol
Booster.sol
âof a senderâsâ
âSeparateâ
Use an apostrophe for âsender'sâ or âsendersâ â :
ExtraRewardStashV3.sol
Correct to âgaugesâ
âdistributesâ:
AuraBalRewardPool.sol
Missing @param tag for _startDelay:
CrvDepositor.sol
â â @param tag for to:
Every letter in the variable name should be capitalised and or underscores used to separate words.
AuraBalRewardPool.sol
AuraLocker.sol
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L81-L83
AuraStakingProxy.sol
CrvDepositor.sol
There are two separate words in MAXTIME(short for Maximum Time). Therefore, use an underscore to delineate the words.
BaseRewardPool.sol
Booster.sol
ExtraRewardStashV3.sol
StashFactoryV2.sol
VirtualBalanceRewardPool.sol
It is recommended that the uppercase or uppercase with underscores is used for constants :
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/CrvDepositorWrapper.sol#L26-L30
Most, if not all the other contracts, make use of the mixedCase.So,it will be more uniformed if its usage is continued.
No need to assign them.
AuraBalRewardPool.sol
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L38-L39
AuraLocker.sol
AuraMerkleDrop.sol
ExtraRewardsDistributor.sol
AuraVestedEscrow.sol
CrvDepositor.sol
BaseRewardPool.sol
Booster.sol
VirtualBalanceRewardPool
VoterProxy.sol
change to ârewardTokenâ
The comment for approveRewardDistributor() clearly states that the mentioned function should modify approvals for a distributor, ie revoke or give permission to an address to distribute rewards but the function name demonstrates a one sided role.Therefore change the name to reflect the function's dual role.
Also, consider emitting an event to alert relevant parties when a distributor is approved or disapproved.
Check whether the old address is the same as the new address
cache old address in a local variable and either use :
if(oldDaoâ _newDao) {
dao=_newDao;
}
Apply the same changes to the following contracts with modification to variable names for the aforementioned functions :
AuraMerkleDrop.sol
AuraStakingProxy.sol
and consider emitting an event when the crvDepositorWrapper is changed.
also, it is recommended to emit an event for this function as well.
AuraVestedEscrow.sol
If there's a missing amount for a recipient address, the mapping will not contain the amount attributable to the address nor will it be added to the totalAmount :
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraVestedEscrow.sol#L103-L104
And therefore less will be sent to the AuraVestedEscrow contract if there's a non-zero value but it was not added to the array:
Use require(_recipients.length==_amount.length,âmismatchâ) prior to the loop.
Similar case for distribute ()
ArbitratorVault.sol
Due to an incorrect value set : https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L26
The balance will be unlocked a day earlier than it should actually be. MAXTIME is calculated using 364 days, instead of 365 days which is standard for a year.
This value is used to calculate unlock At which is subsequently stored in the state variable unlockTime. initialiseLock() and lockCurve() relies on this value. It would be imperative that the unlock time is calculated properly, as the intent is for the lock period to be a year.
A similar finding was mentioned here
https://github.com/code-423n4/2022-03-paladin-findings/issues/4
đ Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, BowTiedWardens, CertoraInc, DavidGialdi, FSchmoede, Fitraldys, Funen, GimelSec, Hawkeye, JC, Kaiziron, Kthere, MaratCerby, MiloTruck, NoamYakov, QuantumBrief, Randyyy, Ruhum, SmartSek, SooYa, Tadashi, TerrierLover, Tomio, UnusualTurtle, WatchPug, Waze, _Adam, antonttc, asutorufos, bobirichman, c3phas, catchup, csanuragjain, cthulhu_cult, defsec, delfin454000, ellahi, fatherOfBlocks, hansfriese, hyh, jayjonah8, joestakey, kenta, marcopaladin, mics, minhquanym, orion, oyc_109, reassor, rfa, robee, sach1r0, samruna, sashik_eth, sikorico, simon135, unforgiven, z3s, zmj
83.2689 USDC - $83.27
I. pendingPenalty will be accessed unnecessarily if there's no penalty stored. To prevent continuous access of the state variable and it being updated to zero(already the default), check whether there's any penalty before resetting to zero.
AuraBalRewardPool.sol
Add the following lines to forwardPenalty() :
if (toForward>0){
pendingPenalty = 0; }
The same applies for :
AuraMerkleDrop.sol
II. epochIndex already caches the length of the epoch. Therefore, replace all reference to the state variable below with the local variable:
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L334-L335
III.Utilise unchecked block to save gas
The calculation for penalty will always be the smallest of the two operands :
AuraMerkleDrop.sol
AuraBalRewardPool.sol
Remove AuraMath.sub() as the condition necessitates that rdata.periodFinish is the larger operand and will not underflow:
AuraVestedEscrow.sol