Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 34/101
Findings: 1
Award: $33.67
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
33.6679 USDC - $33.67
address(0) and 0 value variable checkaddress(0) check is an best practice that can prevent attack by default variable. In some case lack of address(0) check can be fatal(recalling the Nomad hack). it can prevent deploying contract with wrong constructor parameters too.
Mitigation this issue can be mitigated with these example code below
require(addr != address(0),"AddressZero"); require(num != 0, "0 input");
Instance: RariMerkleRedeemer.sol
TribeRedeemer.sol
SimpleFeiDaiPSM.sol
In SimpleFeiDaiPSM.sol there's a check that unnecessary. check will only make contract difficult to operate without real effect for the contract.
Mitigation: the logic can be delete since has no effect for the contract
NOTE: If the parameter can't be deleted (due to pattern for example). it can included in the function and give it a comment. example:
function mint( address to, uint256 amountIn, uint256 minAmountOut ///unused variable ) external returns (uint256 amountFeiOut) { minAmountOut; /// the reason for not using the variable ...// next implementation }
Instance: SimpleFeiDaiPSM.sol
pure functionUnnecessary function can be deleted for more clean and readable code. the data that give in this function can be added to frond-end instead.
Mitigation: can be deleted
Instance: SimpleFeiDaiPSM.sol
60 /// @notice calculate the amount of FEI out for a given `amountIn` of underlying 61 function getMintAmountOut(uint256 amountIn) external pure returns (uint256) { 62 return amountIn; 63 } 64 65 66 /// @notice calculate the amount of underlying out for a given `amountFeiIn` of FEI 67 function getRedeemAmountOut(uint256 amountIn) external pure returns (uint256) { 68 return amountIn; 69 }
import that ain't use in the contract can make contract more complex. i recommend to delete it instead if it doesn't have effect for the contract.
Mitigation: can be deleted
Instance: RariMerkleRedeemer.sol
import "@openzeppelin/contracts/utils/cryptography/SignatureChecker.sol";
indexed mark on event parameterindexed parameter in event can very helpfull for indexing data offchain. In some instance below developer forget to add indexed mark in some event parameter.
Mitigation:
add indexed mark
example:
event Something(address indexed addr);
Instance: SimpleFeiDaiPSM.sol
26 /// @notice event emitted upon a redemption 27 event Redeem(address to, uint256 amountFeiIn, uint256 amountAssetOut); 28 /// @notice event emitted when fei gets minted 29 event Mint(address to, uint256 amountIn, uint256 amountFeiOut);