Platform: Code4rena
Start Date: 09/12/2021
Pot Size: $50,000 USDC
Total HM: 19
Participants: 21
Period: 7 days
Judge: 0xean
Total Solo HM: 14
Id: 61
League: ETH
Rank: 14/21
Findings: 3
Award: $931.68
🌟 Selected for report: 3
🚀 Solo Findings: 0
🌟 Selected for report: sirhashalot
Also found by: Jujic, sirhashalot
380.2618 USDC - $380.26
Jujic
Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved to zero, and then the actual allowance must be approved.
When using one of these unsupported tokens, all transactions revert and the protocol cannot be used.
https://github.com/code-423n4/2021-12-sublime/blob/9df1b7c4247f8631647c7627a8da9bdc16db8b11/contracts/CreditLine/CreditLine.sol#L647
https://github.com/code-423n4/2021-12-sublime/blob/9df1b7c4247f8631647c7627a8da9bdc16db8b11/contracts/CreditLine/CreditLine.sol#L779
Use approve with a zero amount first before setting the actual amount.
IERC20(_collateralAsset).approve(_strategy, 0);       // reset any existing allowance to zero first
IERC20(_collateralAsset).approve(_strategy, _amount); // then set the actual allowance
#0 - ritik99
2021-12-27T04:50:12Z
Duplicate of #97
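The zero-then-set approval pattern recommended in this finding, as an added Solidity example that is not code from the Sublime contracts or from the warden. The IERC20 interface, the SafeApproval library and the CollateralDepositor contract are assumed names; the low-level call also tolerates tokens that return no bool from approve.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed here (assumed, not the project's own interface).
interface IERC20 {
    function allowance(address owner, address spender) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Assumed helper library: sets an allowance in a way that works for tokens such as USDT,
// which revert when an allowance is changed from one non-zero value to another non-zero value.
library SafeApproval {
    // Low-level approve that accepts both "returns (bool)" and "returns nothing" tokens.
    function _rawApprove(IERC20 token, address spender, uint256 amount) private {
        (bool ok, bytes memory data) =
            address(token).call(abi.encodeWithSelector(IERC20.approve.selector, spender, amount));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "approve failed");
    }

    // Set the allowance for `spender` to exactly `amount`. If a non-zero allowance already
    // exists it is reset to zero first, so USDT-style tokens do not revert on the second call.
    function forceApprove(IERC20 token, address spender, uint256 amount) internal {
        if (token.allowance(address(this), spender) != 0) {
            _rawApprove(token, spender, 0);
        }
        if (amount != 0) {
            _rawApprove(token, spender, amount);
        }
    }
}

// Assumed contract illustrating the hardened call site.
contract CollateralDepositor {
    using SafeApproval for IERC20;

    // Vulnerable form (for comparison): a direct approve reverts for USDT-style tokens when
    // an allowance is already outstanding, e.g. after a partial deposit:
    //     IERC20(_collateralAsset).approve(_strategy, _amount);
    function approveStrategy(address _collateralAsset, address _strategy, uint256 _amount) external {
        // Hardened form: zero-then-set, tolerant of non-standard return values.
        IERC20(_collateralAsset).forceApprove(_strategy, _amount);
    }
}
```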
126.7539 USDC - $126.75
Jujic
The PriceCall calls out to a Chainlink oracle, receiving latestRoundData(). If there is a problem with Chainlink, the price, which is a signed integer, may be below zero.
Recommend adding the following checks:
require(price1 > 0, "Chainlink price < 0");
#0 - ritik99
2022-01-08T13:52:11Z
Such a scenario is highly unlikely, especially for commonly used price feeds. Additionally, as noted in the assumptions section of our contest repo, we assume oracles to be accurate.
#1 - 0xean
2022-01-21T21:54:42Z
dupe of #50
🌟 Selected for report: Jujic
281.6754 USDC - $281.68
Jujic
There doesn't seem to be a use case for the existence of the receive() function. In fact, I will recommend removing it, as it will prevent accidental native token transfers to the contract.
VSC
10.9563 USDC - $10.96
Jujic
Most contracts allow use of solc version 0.7.6, which is fairly dated.
Upgrading the solc compiler to 0.8 will give the latest compiler benefits including bug fixes, security enhancements and overall optimizations especially the in-built overflow/underflow checks which may give gas savings by avoiding expensive SafeMath.
Consider porting over code to solc >= 0.8.0 for bug fixes, security enhancements and overall optimizations for gas savings.
#0 - ritik99
2021-12-26T17:12:45Z
Duplicate of #39
🌟 Selected for report: Jujic
83.4956 USDC - $83.50
Jujic
You can use several checks in one require to save gas.
#0 - ritik99
2021-12-23T10:13:29Z
We can use a single require, but we will be retaining the current version for the sake of readability.
37.573 USDC - $37.57
Jujic
Avoid using SafeMath for redundant arithmetic underflow/overflow checks, to save gas when an underflow/overflow cannot happen.
if (_maxPossible > _currentDebt) { return _maxPossible.sub(_currentDebt); }
Consider using:
if (_maxPossible > _currentDebt) { return _maxPossible - _currentDebt; } // the guard above rules out underflow
🌟 Selected for report: 0xngndev
Also found by: Jujic, WatchPug, robee, sirhashalot
10.9563 USDC - $10.96
Jujic
Shortening revert strings to fit in 32 bytes will decrease deployment time gas and will decrease runtime gas when the revert condition has been met.
Shorten the revert strings to fit in 32 bytes.
#0 - ritik99
2021-12-25T16:43:28Z
Duplicate of #47