Platform: Code4rena
Start Date: 24/03/2022
Pot Size: $75,000 USDC
Total HM: 15
Participants: 59
Period: 7 days
Judge: gzeon
Id: 103
League: ETH
Rank: 36/59
Findings: 3
Award: $252.50
π Selected for report: 0
π Solo Findings: 0
π Selected for report: hake
Also found by: Kenshin, Ruhum, VAD37, WatchPug, csanuragjain, hickuphh3, hyh, kirk-baird, obront, pmerkleplant, rayn, shw, tintin, wuwe1
77.3842 USDC - $77.38
The swap() can be separated in 2 paths, swap native to ERC20, or swap ERC20 to native. The contract performs a fromAssetId balance check before calling swap, mean that the attacker could periodically check for ERC20 token balance that was left in the contract then call for a swap by that amount to get free natives as a result.
The swap() should ignore the balance in the contract, transfer the supplied fromAmount to the contract and swap by that amount.
#0 - H3xept
2022-04-12T08:38:58Z
Duplicate of #66
We are aware that the contract allows users to use latent funds, although we disagree on it being an issue as no funds (ERC20 or native) should ever lay in the contract. To make sure that no value is ever kept by the diamond, we now provide refunds for outstanding user value (after bridges/swaps).
π Selected for report: hake
Also found by: 0v3rf10w, 0xDjango, 0xkatana, BouSalman, CertoraInc, Dravee, Hawkeye, IllIllI, JMukesh, Jujic, Kenshin, PPrieditis, Picodes, PranavG, Ruhum, SolidityScan, VAD37, WatchPug, aga7hokakological, catchup, csanuragjain, cthulhu_cult, defsec, dimitri, hickuphh3, hubble, hyh, kenta, kirk-baird, obront, peritoflores, rayn, robee, saian, samruna, shenwilly, shw, sorrynotsorry, tchkvsky, teryanarmen, ych18
113.5781 USDC - $113.58
The address can be set to address zero (0x00...) which could result in unexpected behavior.
Setters of address type parameters should include a zero-address validation.
#0 - H3xept
2022-04-13T09:52:00Z
Fixed in lifinance/lifi-contracts@84e7b13ad307b01d22b341a28df2d1c61c24a98f
π Selected for report: Dravee
Also found by: 0v3rf10w, 0xDjango, 0xNazgul, 0xkatana, ACai, CertoraInc, FSchmoede, Funen, Hawkeye, IllIllI, Jujic, Kenshin, PPrieditis, Picodes, SolidityScan, TerrierLover, Tomio, WatchPug, catchup, csanuragjain, defsec, dimitri, hake, hickuphh3, kenta, minhquanym, obront, peritoflores, rayn, rfa, robee, saian, samruna, tchkvsky, teryanarmen, ych18
61.5429 USDC - $61.54
The public functions that have not been called by the contract itself should be marked as external instead to save more gas and enforce the least privilege principle.
It is recommended that to change the function visibility from public to external if there is no plan to be called from the contract itself.
#0 - H3xept
2022-04-06T15:24:48Z
Fixed in previous commit.
#1 - H3xept
2022-04-08T15:08:02Z
Duplicate of #197