Platform: Code4rena
Start Date: 16/02/2023
Pot Size: $144,750 USDC
Total HM: 17
Participants: 154
Period: 19 days
Judge: Trust
Total Solo HM: 5
Id: 216
League: ETH
Rank: 86/154
Findings: 1
Award: $61.26
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x3b, 0xAgro, 0xSmartContract, 0xTheC0der, 0xackermann, 0xnev, 0xsomeone, ABA, BRONZEDISC, Bjorn_bug, Bnke0x0, Breeje, Co0nan, CodeFoxInc, CodingNameKiki, DadeKuma, DeFiHackLabs, IceBear, Josiah, Kaysoft, Lavishq, MohammedRizwan, PaludoX0, PawelK, Phantasmagoria, Raiders, RaymondFam, Rickard, Rolezn, Sathish9098, SleepingBugs, SuperRayss, UdarTeam, Udsen, Viktor_Cortess, arialblack14, ast3ros, bin2chen, brgltd, btk, catellatech, ch0bu, chaduke, chrisdior4, codeislight, cryptonue, delfin454000, descharre, dontonka, emmac002, fs0c, hacker-dom, hansfriese, imare, lukris02, luxartvinsec, martin, matrix_0wl, peanuts, rbserver, shark, tnevler, trustindistrust, tsvetanovv, vagrant, yongskiws, zzzitron
61.2601 USDC - $61.26
./Dependencies/console.sol is imported in BorrowerOperations.sol and is not used.
File: BorrowerOperations.sol
Consider removing the unused import of console.sol from BorrowerOperations.sol.
Remove all unused variables. Files:
The Ethos-Core project uses Solidity version 0.6.11 while Ethos-Vault uses version 0.8.0. It is best practice to use the latest stable Solidity version, since it includes security bug fixes and other updates. See: https://swcregistry.io/docs/SWC-102
Files: All files
Consider using latest Solidity stable compiler version 0.8.17 for all the contracts.
Consider locking the compiler version by using pragma solidity 0.8.17; instead of pragma solidity ^0.8.0; so that the contracts are not deployed with a compiler version different from the one used to test them, which could introduce compiler bugs.
See: https://swcregistry.io/docs/SWC-103
Files:
All files in the Ethos-Vault project
Consider locking the pragma version by replacing pragma solidity ^0.8.0;
with pragma solidity 0.8.17;
The compiler optimizer is enabled in the project (optimizer.enabled is set to true in the Hardhat config). Optimizer-specific compiler bugs have been found in the past, so enabling the optimizer can introduce security issues.

    /** @type import('hardhat/config').HardhatUserConfig */
    module.exports = {
      solidity: {
        compilers: [
          {
            version: "0.8.11",
            settings: {
              optimizer: {
                enabled: true,
                runs: 200,
              },
            },
          },
        ],
      },
    };

Consider how much gas this setting actually saves and weigh it against the trade-off of leaving the optimizer disabled.
The ActivePool.sol smart contract inherits the Ownable contract. The Ownable contract does not have a two-step transfer of ownership, which can lead to an irrecoverable mistake when the new owner is set to a wrong address. Consider using OpenZeppelin's Ownable2Step contract instead of the Ownable contract. See: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/4fb6833e325658946c2185862b8e57e32f3683bc/contracts/access/Ownable2Step.sol#L32

    /**
     * @dev Starts the ownership transfer of the contract to a new account. Replaces the pending transfer if there is one.
     * Can only be called by the current owner.
     */
    function transferOwnership(address newOwner) public virtual override onlyOwner {
        _pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner(), newOwner);
    }

    /**
     * @dev Transfers ownership of the contract to a new account (`newOwner`) and deletes any pending owner.
     * Internal function without access restriction.
     */
    function _transferOwnership(address newOwner) internal virtual override {
        delete _pendingOwner;
        super._transferOwnership(newOwner);
    }

    /**
     * @dev The new owner accepts the ownership transfer.
     */
    function acceptOwnership() public virtual {
        address sender = _msgSender();
        require(pendingOwner() == sender, "Ownable2Step: caller is not the new owner");
        _transferOwnership(sender);
    }
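To show why the two-step pattern removes the risk described above, here is an added example (not Ethos code, and not taken from OpenZeppelin): a minimal ActivePool-style contract on Ownable2Step together with a Foundry test in which the owner first proposes a mistyped address. The contract name, the `setBorrowerOperations` setter and the `makeAddr` labels are assumptions for illustration; it assumes OpenZeppelin 4.8.x and forge-std are installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

// Added example, not ActivePool.sol itself. Assumes OpenZeppelin 4.8.x
// (Ownable2Step) and forge-std (Test) are available as dependencies.
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";
import {Test} from "forge-std/Test.sol";

contract ActivePoolExample is Ownable2Step {
    address public borrowerOperationsAddress;

    // Hypothetical privileged setter standing in for the real pool's
    // owner-only configuration functions.
    function setBorrowerOperations(address _addr) external onlyOwner {
        borrowerOperationsAddress = _addr;
    }
}

contract ActivePoolOwnershipTest is Test {
    ActivePoolExample pool;
    address deployer = address(this);
    address intendedOwner = makeAddr("intendedOwner");
    address typo = makeAddr("typo"); // stands in for a mistyped address

    function setUp() public {
        pool = new ActivePoolExample(); // Ownable sets msg.sender (deployer) as owner
    }

    function testWrongAddressDoesNotLoseControl() public {
        // Step 1: the current owner proposes the wrong address by mistake.
        pool.transferOwnership(typo);
        assertEq(pool.owner(), deployer);       // ownership has NOT moved yet
        assertEq(pool.pendingOwner(), typo);

        // Nobody other than the pending owner can complete the transfer.
        vm.prank(intendedOwner);
        vm.expectRevert("Ownable2Step: caller is not the new owner");
        pool.acceptOwnership();

        // Step 2: the owner notices and simply re-proposes the right address;
        // with plain Ownable the first call would already have been final.
        pool.transferOwnership(intendedOwner);
        assertEq(pool.pendingOwner(), intendedOwner);
        vm.prank(intendedOwner);
        pool.acceptOwnership();
        assertEq(pool.owner(), intendedOwner);
        assertEq(pool.pendingOwner(), address(0)); // pending slot is cleared

        // The previous owner has lost its privileges only after acceptance.
        vm.expectRevert("Ownable: caller is not the owner");
        pool.setBorrowerOperations(address(1));
    }
}
```

The property the test pins down is that `transferOwnership` alone never changes `owner()`; until `acceptOwnership` succeeds from the proposed address, the current owner keeps full control and can overwrite the pending owner.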
It is recommended to use specific named imports such as import {MyContract} from "./Files/MyContract.sol"; instead of global imports such as import "./Files/MyContract.sol";
Both Ethos-Core and Ethos-Vault use global imports, which is not recommended because it makes it difficult to quickly figure out where modules are defined.
Files: All files
Most of the functions and constructors in Ethos-Core and Ethos-Vault do not have NatSpec comments. The Solidity documentation recommends that all smart contracts be annotated with NatSpec comments for all public functions.
See: NatSpec Solidity Docs. Files: Most functions of all files.
The Ethos-Core project uses OpenZeppelin version 3.3.0, while the latest version of openzeppelin-contracts is 4.8.2.
File: Ethos-core/package.json
- package.json "@openzeppelin/contracts": "^3.3.0"
Add a rescueERC20 function to the ReaperVaultV2 smart contract in order to recover any ERC20 token mistakenly sent to the contract's address.

    /**
     * @notice Sends ERC20 tokens trapped in the contract to an external address
     * @dev Only the owner is allowed to make this function call
     * @param account is the receiving address
     * @param externalToken is the token being sent
     * @param amount is the quantity being sent
     * @return boolean value indicating whether the operation succeeded.
     */
    function rescueERC20(address account, address externalToken, uint256 amount) public onlyOwner returns (bool) {
        // Check the ERC20 return value; a token that returns false would otherwise
        // be silently treated as a successful rescue.
        require(IERC20(externalToken).transfer(account, amount), "rescueERC20: transfer failed");
        return true;
    }
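A rescue function is itself a privileged withdrawal path, so a practitioner would want two things the sketch above does not show: a transfer that also handles tokens which return nothing (USDT-style) and a guard that keeps the owner from pulling the vault's own underlying asset out of it. The following is an added example, not ReaperVaultV2 code; the `token` field standing for the vault's underlying asset, the `Rescued` event and the revert strings are assumptions. It assumes OpenZeppelin 4.8.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

// Added example, not ReaperVaultV2 code. Assumes OpenZeppelin 4.8.x.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";

contract RescueExample is Ownable2Step {
    using SafeERC20 for IERC20;

    // Assumption: the vault's underlying asset, i.e. the token depositors hold
    // shares of. ReaperVaultV2 keeps its own reference under its own name.
    IERC20 public immutable token;

    event Rescued(address indexed externalToken, address indexed to, uint256 amount);

    constructor(IERC20 _token) {
        token = _token;
    }

    /**
     * @notice Sends ERC20 tokens that were mistakenly sent here to `account`.
     * @dev Owner-only. The vault's own asset is deliberately excluded so the
     *      rescue path cannot be used to drain depositor funds.
     */
    function rescueERC20(address account, address externalToken, uint256 amount)
        external
        onlyOwner
    {
        require(account != address(0), "rescue: zero recipient");
        require(externalToken != address(token), "rescue: cannot withdraw underlying asset");
        // safeTransfer reverts both when the token returns false and when it
        // returns no data at all, which a bare transfer() call would not catch.
        IERC20(externalToken).safeTransfer(account, amount);
        emit Rescued(externalToken, account, amount);
    }
}
```

Because `rescueERC20` is gated by `onlyOwner`, the function inherits whatever ownership-transfer weakness the contract has; pairing it with Ownable2Step, as recommended earlier in this report, keeps a mistyped owner address from also becoming a mistyped rescue authority.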
Use 1e18 instead of 10 ** 18
File:
uint256 public constant DEGRADATION_COEFFICIENT = 10 ** 18;
Use 10_000 instead of 10000
File:
uint256 public constant PERCENT_DIVISOR = 10000;
The Solidity documentation style guide recommends 120 characters as maximum number of characters per line. Some lines exceed the recommended maximum number of characters per line. see: https://docs.soliditylang.org/en/latest/style-guide.html#maximum-line-length
File:
#0 - c4-judge
2023-03-08T15:53:04Z
trust1995 marked the issue as grade-b
#1 - c4-sponsor
2023-03-17T22:45:43Z
0xBebis marked the issue as sponsor confirmed