Platform: Code4rena
Start Date: 09/09/2021
Pot Size: $100,000 SUSHI
Total HM: 4
Participants: 11
Period: 7 days
Judge: ghoulsol
Total Solo HM: 3
Id: 28
League: ETH
Rank: 6/11
Findings: 3
Award: $5,314.71
🌟 Selected for report: 2
🚀 Solo Findings: 1
🌟 Selected for report: JMukesh
448.7306 SUSHI - $4,500.77
JMukesh
Use of transfer() might render ETH impossible to withdraw because, after the Istanbul hard fork, there is an increase in the gas cost of the SLOAD operation, which breaks some existing smart contracts. Those contracts will break because their fallback functions used to consume less than 2300 gas and will now consume more, since 2300 is the amount of gas a contract's fallback function receives if it is called via Solidity's transfer() or send() methods. Any smart contract that uses transfer() or send() is taking a hard dependency on gas costs by forwarding a fixed amount of gas: 2300.
https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/
https://blog.openzeppelin.com/opyn-gamma-protocol-audit/
manual review
Use call() to send ETH.
#0 - maxsam4
2021-09-16T05:26:44Z
This is intentional, not a risk. The contract does not want to give any gas stipend to the destination. Even if the user messes up, the misoDev address can be changed to a proper address later.
#1 - ghoul-sol
2021-10-05T18:20:27Z
Using .transfer can make an ETH transfer to a smart contract impossible. The user can always change the address; however, I agree with the warden that this is an issue.
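The failure mode the finding describes, as an added example written for this page (it is not MISO's code nor the warden's; the contract names are assumptions, and `dev` stands in for the misoDev address mentioned in the comments). A recipient whose receive() touches storage needs more than the 2300 gas that transfer() forwards, so the first vault can never pay it out, while the second forwards all remaining gas with call() and checks the result:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Recipient whose receive() updates storage. A single SSTORE alone costs far more
// than the fixed 2300 gas stipend that transfer() and send() forward, so ETH sent
// to this contract with transfer() reverts. Multisig wallets and proxies that do
// bookkeeping on receipt behave the same way.
contract StorageOnReceive {
    uint256 public received;

    receive() external payable {
        received += msg.value; // well over 2300 gas
    }
}

// Vulnerable form: transfer() forwards exactly 2300 gas and reverts on failure.
// If `dev` is a contract like StorageOnReceive, the balance is stuck until the
// address is changed. (Access control on withdraw() is omitted for brevity.)
contract VaultWithTransfer {
    address payable public dev; // hypothetical stand-in for the misoDev address

    constructor(address payable dev_) { dev = dev_; }

    receive() external payable {}

    function withdraw() external {
        dev.transfer(address(this).balance); // reverts when dev is StorageOnReceive
    }
}

// Hardened form: call() forwards all remaining gas and returns a success flag
// that must be checked. Because the recipient can now run arbitrary code, the
// amount is read before the external call (checks-effects-interactions); since
// the whole balance is sent, a re-entrant withdraw() only sends 0.
contract VaultWithCall {
    address payable public dev; // hypothetical stand-in for the misoDev address

    constructor(address payable dev_) { dev = dev_; }

    receive() external payable {}

    function withdraw() external {
        uint256 amount = address(this).balance;
        (bool ok, ) = dev.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```

Deploy StorageOnReceive, pass its address as `dev_` to both vaults and fund each with some ETH: withdraw() on VaultWithTransfer reverts every time, withdraw() on VaultWithCall succeeds and `received` on the recipient increases. Where a contract tracks per-user balances rather than paying out its whole balance, the call() version should also carry a reentrancy guard, since the recipient now has enough gas to call back in.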
67.3096 SUSHI - $675.12
JMukesh
Due to a lack of the necessary check in executeBatch(), any account with the EXECUTOR role can set themselves as PROPOSER and ADMIN of the Timelock and set the minimum delay to zero.
More on this at: https://forum.openzeppelin.com/t/timelockcontroller-vulnerability-post-mortem/14958
manual review
Add the checks-effects-interactions pattern before and after call().
#0 - Clearwood
2021-09-16T04:41:17Z
As the TimelockController is currently used nowhere in the project and it's a known issue, I would propose to put down the severity of this issue.
#1 - Clearwood
2021-09-16T05:05:33Z
Duplicate of #24
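The check-before-and-after-the-call point from the finding, as an added example written for this page (it is not OpenZeppelin's TimelockController nor MISO's code; MiniTimelock, VulnerableTimelock, HardenedTimelock, the boolean role mappings and the absence of predecessor and cancel handling are all simplifications and assumptions). The only difference between the two concrete contracts is whether the readiness check also runs before the targets get control:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified timelock model (not OpenZeppelin's code): roles are plain booleans,
// there is no predecessor handling and no cancel(). The timelock is its own admin,
// so calls it makes to itself pass onlySelf, as in the real TimelockController.
abstract contract MiniTimelock {
    uint256 internal constant DONE = 1;

    mapping(address => bool) public isProposer;
    mapping(address => bool) public isExecutor;
    // 0 = never scheduled, 1 = executed, anything else = timestamp at which it becomes ready
    mapping(bytes32 => uint256) internal timestamps;
    uint256 public minDelay;

    constructor(address proposer, address executor, uint256 minDelay_) {
        isProposer[proposer] = true;
        isExecutor[executor] = true;
        minDelay = minDelay_;
    }

    modifier onlySelf() {
        require(msg.sender == address(this), "only via timelock");
        _;
    }

    // Admin actions, reachable only through a batch the timelock executes on itself.
    function grantProposer(address a) external onlySelf { isProposer[a] = true; }
    function updateDelay(uint256 d) external onlySelf { minDelay = d; }

    function hashBatch(address[] calldata targets, bytes[] calldata payloads, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(targets, payloads, salt));
    }

    function isOperationReady(bytes32 id) public view returns (bool) {
        uint256 t = timestamps[id];
        return t > DONE && t <= block.timestamp;
    }

    function schedule(address[] calldata targets, bytes[] calldata payloads, bytes32 salt, uint256 delay) external {
        require(isProposer[msg.sender], "not proposer");
        require(delay >= minDelay, "delay below minimum");
        bytes32 id = hashBatch(targets, payloads, salt);
        require(timestamps[id] == 0, "already scheduled");
        timestamps[id] = block.timestamp + delay;
    }

    function executeBatch(address[] calldata targets, bytes[] calldata payloads, bytes32 salt) external {
        require(isExecutor[msg.sender], "not executor");
        bytes32 id = hashBatch(targets, payloads, salt);
        _beforeCall(id);
        for (uint256 i = 0; i < targets.length; i++) {
            (bool ok, ) = targets[i].call(payloads[i]); // targets get control here
            require(ok, "call reverted");
        }
        _afterCall(id);
    }

    function _beforeCall(bytes32 id) internal view virtual;

    // Post-call check: the operation must be ready, then it is marked done.
    function _afterCall(bytes32 id) internal {
        require(isOperationReady(id), "operation is not ready");
        timestamps[id] = DONE;
    }
}

// Vulnerable: nothing is checked before the calls. An executor can submit an
// unscheduled batch [grantProposer(helper), updateDelay(0), helper.callback()]
// where callback() schedules that same batch with delay 0; by the time
// _afterCall runs, isOperationReady(id) is true and the batch is marked done.
contract VulnerableTimelock is MiniTimelock {
    constructor(address p, address e, uint256 d) MiniTimelock(p, e, d) {}
    function _beforeCall(bytes32) internal view override {}
}

// Hardened: the readiness check runs before the calls as well as after, so an
// unscheduled batch is rejected before any target gets control.
contract HardenedTimelock is MiniTimelock {
    constructor(address p, address e, uint256 d) MiniTimelock(p, e, d) {}
    function _beforeCall(bytes32 id) internal view override {
        require(isOperationReady(id), "operation is not ready");
    }
}
```

To reproduce the escalation against VulnerableTimelock, an executor-only account deploys a helper contract that stores the batch (targets = [timelock, timelock, helper], payloads = [grantProposer(helper), updateDelay(0), callback()] and a salt) and whose callback() calls timelock.schedule(...) with that stored batch and delay 0; calling executeBatch with the same batch then succeeds, leaving the helper as proposer and minDelay at 0 without any delay having elapsed. The same call on HardenedTimelock reverts in _beforeCall with "operation is not ready". The fix OpenZeppelin shipped, described in the linked post-mortem, takes the same approach of checking readiness before the calls as well as after them.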
🌟 Selected for report: JMukesh
13.8408 SUSHI - $138.82
JMukesh
Variables that are not used in a function should be removed.
uint256 duration = 1000; in MisoRecipe01.sol
manual review
Remove the unused local variable.