Platform: Code4rena
Start Date: 09/01/2024
Pot Size: $100,000 USDC
Total HM: 13
Participants: 28
Period: 28 days
Judge: 0xsomeone
Total Solo HM: 8
Id: 319
League: ETH
Rank: 21/28
Findings: 1
Award: $134.17
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xTheC0der
134.1716 USDC - $134.17
TODOs are still left in the codebaseThere are 3 instances of these
The presence of TODOs comments in a codebase indicates unfinished work on the codebase.
File: src/core/seer.cairo 216: // TODO: when possible in Cairo, fetch_price should be wrapped 217: // in a try-catch block so that an exception does not 218: // prevent all other price updates
File: src/core/shrine.cairo 680: // TODO: temporary workaround for issue with borrowing snapshots in loops 1667: // TODO: temporary workaround for issue with borrowing snapshots in loops
Recommendation:
Consider implementing all necessary TODOs and remove the TODO comments in the codebase.
starknet package to update the Cairo compiler.There is 1 instance of this
It is important to use latest version of softwares as they would have latest security fixes and updates.
The starknet package of scarb includes a Cairo compiler plugin and the version of the starknet package is coupled to Cairo version included in Scarb.
As of the time of writting this report the 2.5.3 is the latest version of scarb which has the latest version of Cairo compiler in the starknet package.
Each scarb update version comes with the same version of Cairo compiler so scarb version 2.5.3 comes with Cairo compiler version 2.5.3.
See scarb releases
This version of Scarb comes with Cairo v2.5.3
However this project used version 2.4.0 of the starknet package when there are 9 more updated version releases after the version 2.4.0.
In Addition, the version 2.4.0 of scarb that is used in this project has a warning on it. You can find the link here
Warning This version is not yet supported on Starknet! If you want to develop contracts >deployable to current Starknet, please stick with Scarb v2.3.1
[dependencies] starknet = "2.4.0"
Recommendation:
Consider using the latest version 2.5.3 of the starknet package to update the Cairo compiler version.
There are 4 instances of this
decimals is not part of ERC20 specifications. However this codebase assumes every ERC20 implements the decimals state variable and function
Impact:
Transactions will revert for ERC20 tokens that do not implement decimals property and function because it OPTIONAL according to the specification.
Recommendation:
Consider getting decimals in a try catch block or manually ensure every token that will be used implements the function.
transfer(...) not checked.There are 4 instances of these
From the ERC20 interface, the transfer(...) returns a boolean that indicates the success of the token transfer.
However the project does not check the return value of transfer of asset to ensure it returns true.
An example is in the sweep function of transmuter.cairo below.
File: transmuter.cairo 417: fn settle(ref self: ContractState) { ... //@audit return value not checked 448: @> asset.transfer(receiver, asset.balance_of(transmuter)); 449: 450: // Emit event 451: self.emit(Settle { deficit: total_transmuted }) 452: }
Impact: Loss of asset when the transfer of an asset returns false.
Recommendation:
Consider checking the return values of the token transfer(...) to ensure assets are successfully transferred.
There are 5 instances of this.
ERC20 token on the codebase is done with the assumption that ERC20 tokens on the starknet mainnet used the Rust-like snake-case functions.
However most top tokens on the Starknet mainnet including the WBTC, ETH and WstETh tokens use the Camelcase naming.
This will make the integrations done with .balance_of(...) and transfer_from(...) revert because those functions are not present in the WBTC, Eth and WstEth tokens.
an example is in the gate.enter(...) function.
//@audit WBtc does not have transfer_from function but transferFrom File: gate.cairo let success: bool = self.asset.read().transfer_from(user, get_contract_address(), asset_amt.into());
Another example is in the transmuter.cairo for pulling ERC20 asset
File: transmuter.cairo //@audit WBtc does not have transfer_from function but transferFrom 351: let success: bool = self.asset.read().transfer_from(user, get_contract_address(), asset_amt.into());
One more example is getting the balance of an asset in transmuter.cairo
File: transmuter.cairo //@audit WBtc does not have balance_of function but balanceOf let asset_balance: u128 = asset.balance_of(get_contract_address()).try_into().unwrap();
Impact: Most functions will revert and be unusable because of the assumption that the tokens implemented snake-cased balance_of and transfer_from.
Recommendation: Consider implementing both snake-case and camel case integration for interoperability. The convention used by each token can be saved along with each trove data.
There are 5 instances of this.
The construstors and some functions in the codebase update state without emitting events. For example in abbot.cairo, the contructor, deposit and withdraw functions update state without emitting events.
Emiting events helps offchain monitoring tools like Openzeppelin Defender Sentinel monitor activities in order to detect unusual malicious contracts state updates.
Recommendation: Consider emitting event for important state updates.
#0 - c4-pre-sort
2024-02-09T17:00:31Z
bytes032 marked the issue as sufficient quality report
#1 - c4-judge
2024-02-26T18:08:16Z
alex-ppg marked the issue as grade-b