Platform: Code4rena
Start Date: 08/06/2022
Pot Size: $115,000 USDC
Total HM: 26
Participants: 72
Period: 11 days
Judge: leastwood
Total Solo HM: 14
Id: 132
League: ETH
Rank: 51/72
Findings: 1
Award: $163.33
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: BowTiedWardens
Also found by: 0x1f8b, 0x29A, 0x52, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 0xmint, Chom, ElKu, Funen, IllIllI, JMukesh, Jujic, Kaiziron, Lambda, MiloTruck, Ruhum, SmartSek, SooYa, TerrierLover, TomJ, WatchPug, Waze, _Adam, asutorufos, auditor0517, bardamu, c3phas, catchup, cccz, ch13fd357r0y3r, cloudjunky, cmichel, cryptphi, csanuragjain, defsec, fatherOfBlocks, hansfriese, hyh, jayjonah8, joestakey, k, kenta, obtarian, oyc_109, robee, sach1r0, shenwilly, simon135, slywaters, sorrynotsorry, tintin, unforgiven, xiaoming90, zzzitron
163.3266 USDC - $163.33
function _originAndNonce(uint32 _origin, uint32 _nonce) internal pure returns (uint64) {
return (uint64(_origin) << 32) | _nonce; }
In comment it mention the return value should be (_origin << 32) & _nonce
but in function it is (uint64(_origin) << 32) | _nonce;
manual review
upadate the comment wrt current functionality, since (_origin << 32) & _nonce it returns 0 value irrespective of any input
`function setAggregators(address[] calldata tokenAddresses, address[] calldata sources) external onlyAdmin {
// @audit --> add the checks for the length for (uint256 i = 0; i < tokenAddresses.length; i++) { aggregators[tokenAddresses[i]] = AggregatorV3Interface(sources[i]); emit AggregatorUpdated(tokenAddresses[i], sources[i]); }
} ` due to lack of checks , whether both arrays length are equal or not, it may cause function to fail
manual review
add the checks for the length
There is no checking of address array in setAggregator() , it may contain duplicate address or zero address due which function may get failed
manual review
check the address before using it in loop
Lack of two-step procedure for critical operations leaves them error-prone if the address is incorrect, the new address will take on the functionality of the new role immediately
for Ex : -Alice deploys a new version of the whitehack group address. When she invokes the whitehack group address setter to replace the address, she accidentally enters the wrong address. The new address now has access to the role immediately and is too late to revert
https://raw.githubusercontent.com/trailofbits/publications/master/reviews/hermez.pdf
manual review
use a two-step procedure for all non-recoverable critical operations to prevent
irrecoverable mistakes.
Initialize() , Initializes important contract state that can be called by anyone. Since it lacks an access modifier, an attacker can initialize the contract before the legitimate deployer.
contracts which uses initialize(), they all lack access modifier some of the links are:
manual review
add access modifier in intialize function