DYAD - K42's results

The first capital efficient overcollateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 18/04/2024

Pot Size: $36,500 USDC

Total HM: 19

Participants: 183

Period: 7 days

Judge: Koolex

Id: 367

League: ETH

DYAD

Findings Distribution

Researcher Performance

Rank: 75/183

Findings: 1

Award: $50.72

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Bauchibred

Also found by: Al-Qa-qa, K42, SBSecurity, Sathish9098, VAD37, ZanyBonzy, albahaca, clara, niloy, oakcobalt, sxima

Labels

bug
grade-b
high quality report
QA (Quality Assurance)
Q-11

Awards

50.721 USDC - $50.72

QA Report for DYAD by K42

  • I made sure these are unique in relation to the 4naly3er report.

KerosineDenominator: Low Severity:

    1. The denominator function lacks specific input validation for the MAINNET_OWNER address. Consider adding a check to ensure it is not the zero address. Solution: Add a require statement to check if MAINNET_OWNER is not the zero address.

Non-Critical:

    1. The denominator function can be better simplified by directly returning the result of the subtraction. Solution: Modify the function to return kerosine.totalSupply() - kerosine.balanceOf(MAINNET_OWNER);.

VaultManagerV2: Low Severity:

    1. The add and addKerosene functions also lack input validation for the vault parameter. Consider adding a check to ensure it is not the zero address and is a contract address. Solution: Add a require statement to check if vault is not the zero address and is a contract address using address(vault).code.length > 0.
    2. The remove and removeKerosene functions allow removing a vault even if it has assets. This may eventually lead to unexpected behaviour or loss of funds. Solution: Consider adding a specific check to prevent removing a vault if it still holds assets.
    3. The deposit function does not check if the vault is a valid vault address. Solution: Add a specific check to ensure that the vault is a valid vault address before performing the deposit.

Non-Critical:

    1. The DepositedInSameBlock error is not defined in the contract. Define the error to improve clarity and consistency. Solution: Define the DepositedInSameBlock error in the contract.
    2. The Initializable contract is imported but not used. Remove the unused import to improve code readability. Solution: Remove the unused import statement for Initializable.
    3. The idToBlockOfLastDeposit mapping is not used in the deposit function. Solution: Consider removing the idToBlockOfLastDeposit mapping if it is not needed.

KerosineManager: Low Severity:

    1. The add function also lacks input validation for the vault parameter. Consider adding a check to ensure it is not the zero address and is a contract address. Solution: Add a require statement to check if vault is not the zero address and is a contract address using address(vault).code.length > 0.

Non-Critical:

    1. The VaultAlreadyAdded error message is not descriptive enough. Consider providing more information about the vault that was already added. Solution: Update the error message to include the address of the vault that was already added.
    2. The remove function does not emit an event when a vault is removed. Solution: Consider emitting an event when a vault is successfully removed to improve transparency.

BoundedKerosineVault: Low Severity:

    1. The assetPrice function relies on the unboundedKerosineVault contract, which may not be set or could be changed unexpectedly. Consider adding specific checks to ensure the contract is properly initialized and immutable. Solution: Add a require statement to check if unboundedKerosineVault is properly initialized and consider making it immutable.
    2. The setUnboundedKerosineVault function allows setting the unboundedKerosineVault to the zero address. Solution: Add a check to ensure that the _unboundedKerosineVault address is not the zero address.

Non-Critical:

    1. The NotWithdrawable error is not used consistently in the contract. Solution: Consider removing the NotWithdrawable error if it is not needed or use it consistently.

UnboundedKerosineVault: Low Severity:

    1. The assetPrice function iterates over an unbounded array of vaults, which may lead to high gas consumption or potential denial of service if the number of vaults grows large. Solution: Consider implementing pagination or limiting the number of vaults processed in a single call to mitigate the risk.
    2. The setDenominator function allows setting the kerosineDenominator to the zero address. Solution: Add a check to ensure that the _kerosineDenominator address is not the zero address.

Non-Critical:

    1. The assetPrice function lacks proper error handling for cases where the denominator is zero. Consider adding a check to prevent division by zero. Solution: Add a require statement to check if the denominator is not zero before performing the division.
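As an added illustration (not DYAD's code and not part of K42's report), the following sketch applies the vault-registration suggestions above for VaultManagerV2 and KerosineManager: zero-address and code-length checks on add, a VaultAlreadyAdded error that names the vault, and a remove that refuses a vault still holding assets and emits an event. The IVault.balanceOf interface and the owner gate are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Assumed interface (simplification): the vault reports this registry's position.
interface IVault {
    function balanceOf(address account) external view returns (uint256);
}

// Illustrative registry (not DYAD's code) applying the QA report's suggestions.
contract VaultRegistrySketch {
    error NotOwner();
    error ZeroAddress();
    error NotAContract(address vault);
    error VaultAlreadyAdded(address vault); // now names the offending vault
    error VaultNotFound(address vault);
    error VaultHasAssets(address vault, uint256 balance);
    event VaultAdded(address indexed vault);
    event VaultRemoved(address indexed vault); // removal is now observable
    address public immutable owner;
    address[] public vaults;
    mapping(address => bool) public isVault;
    constructor() { owner = msg.sender; }
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }
    // Reject the zero address and non-contract addresses before registering.
    function add(address vault) external onlyOwner {
        if (vault == address(0)) revert ZeroAddress();
        if (vault.code.length == 0) revert NotAContract(vault);
        if (isVault[vault]) revert VaultAlreadyAdded(vault);
        isVault[vault] = true;
        vaults.push(vault);
        emit VaultAdded(vault);
    }
    // Refuse to drop a vault that still holds assets; swap-and-pop removal.
    function remove(address vault) external onlyOwner {
        if (!isVault[vault]) revert VaultNotFound(vault);
        uint256 held = IVault(vault).balanceOf(address(this));
        if (held != 0) revert VaultHasAssets(vault, held);
        isVault[vault] = false;
        uint256 n = vaults.length;
        for (uint256 i = 0; i < n; i++) {
            if (vaults[i] != vault) continue;
            vaults[i] = vaults[n - 1];
            vaults.pop();
            break;
        }
        emit VaultRemoved(vault);
    }
}
```

The code-length check only proves an address holds code at call time, so it does not by itself guarantee the target is a genuine protocol vault; a registry of approved implementations is still needed for that.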

#0 - c4-pre-sort

2024-04-28T09:57:28Z

JustDravee marked the issue as high quality report

#1 - c4-judge

2024-05-05T17:06:17Z

koolexcrypto marked the issue as grade-b
