Platform: Code4rena
Start Date: 24/03/2023
Pot Size: $49,200 USDC
Total HM: 20
Participants: 246
Period: 6 days
Judge: Picodes
Total Solo HM: 1
Id: 226
League: ETH
Rank: 114/246
Findings: 2
Award: $30.81
š Selected for report: 0
š Solo Findings: 0
š Selected for report: RaymondFam
Also found by: 7siech, LeoGold, Phantasmagoria, SunSec, adeolu, anodaram, aviggiano, chaduke, d3e4, eyexploit, jasonxiale, juancito, koxuan, mojito_auditor, n33k, neumo, rotcivegaf, yac
17.681 USDC - $17.68
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L149 https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L88
staking by users and rebalacingToWeight by Owner get some funds locked in the safEth.sol and this funds can increase to significant amount as the protocol grows by having more users to stake, rebalancing. the more derivatives is added, the more there is reminder in the amount staked at the point of calculating each amount for drivativesuint256 ethAmount = (msg.value * weight) / totalWeight;
Add the the following code to the test case that test stake and test rebalance: console.log( "ether balance after stake", await ethers.provider.getBalance(strategyContractAddress) );
this above console will output the ether in the safEth.sol and it will increase as more users stake and more rebalancing is done.
the output of the current test for the affected test functions is below:
`balance after stake BigNumber { value: "96" } ā Should stake a random amount 3 times for each user` ` ether balance after rebalance BigNumber { value: "97" } ā Should change weights and rebalance `
run yarn test after adding the console.log syntax to get the log of the ether balance in the SafEth.sol
The recommended step to take in order not to leave a dust of ether in the contract is to allow users stake amount that is divisible by the total number of derivatives added, doing this would not stuck any funds in the safeth contracts.
#0 - rotcivegaf
2023-03-31T01:21:34Z
Low
#1 - c4-pre-sort
2023-04-02T12:29:01Z
0xSorryNotSorry marked the issue as low quality report
#2 - c4-pre-sort
2023-04-04T16:26:34Z
0xSorryNotSorry marked the issue as duplicate of #455
#3 - c4-judge
2023-04-24T20:54:44Z
Picodes marked the issue as satisfactory
š Selected for report: brgltd
Also found by: 0x3b, 0xAgro, 0xGusMcCrae, 0xNorman, 0xRajkumar, 0xSmartContract, 0xTraub, 0xWagmi, 0xWaitress, 0xffchain, 0xhacksmithh, 0xkazim, 0xnev, 3dgeville, ArbitraryExecution, Aymen0909, BRONZEDISC, Bason, Bloqarl, BlueAlder, Brenzee, CodeFoxInc, CodingNameKiki, Cryptor, DadeKuma, DevABDee, Diana, Dug, Englave, Gde, Haipls, HollaDieWaldfee, Ignite, Infect3d, Jerry0x, Josiah, Kaysoft, Koko1912, KrisApostolov, Lavishq, LeoGold, Madalad, PNS, Rappie, RaymondFam, RedTiger, Rickard, Rolezn, Sathish9098, SunSec, T1MOH, UdarTeam, Udsen, Viktor_Cortess, Wander, adriro, ak1, alejandrocovrr, alexzoid, arialblack14, ayden, bin2chen, brevis, btk, c3phas, carlitox477, catellatech, ch0bu, chaduke, ck, climber2002, codeslide, descharre, dingo2077, ernestognw, fatherOfBlocks, favelanky, georgits, helios, hl_, inmarelibero, juancito, ks__xxxxx, lopotras, lukris02, m_Rassska, mahdirostami, maxper, nadin, navinavu, nemveer, p_crypt0, peanuts, pipoca, pixpi, qpzm, rbserver, reassor, roelio, rotcivegaf, scokaf, siddhpurakaran, slvDev, smaul, tnevler, tsvetanovv, turvy_fuzz, vagrant, wen, yac, zzzitron
13.1298 USDC - $13.13
Function adjustWeight() in the safEth.sol make changes to totalWeight stateVariable and did not emit the current state, as best practice, it is adviceable to emit changes made to state for ofchain usage.
It is recommended to add the new totalWeight to the event emmited in adjustWeight() for example:
event WeightChange(uint indexed index, uint weight);
should be replaced with
event WeightChange(uint indexed index, uint indexed weight, uint indexed _NewtotalWeight);
In a case where the owner of the safEth.sol contract intend to change the owner to an another user, there is possibility that if a wrong address is passed to transferOwnnership, the control of the SafEth.sol lose total control of the wrong address and there is no way to get the control back if the address cannot be traced to a known person.
##Re commendation. it is Adviceable to implement the Ownable2StepUpgradeable.sol from openzeppeline to give room for the new owner to accept the ownership before control is being transferred check here for details of the 2 step verification of transfer ownership.
For security, it is best practice to use the latest Solidity version. For the security fix list in the versions;
Old version of Solidity is used (0.8.13), newer version can be used (0.8.19).
Pragma statements can be allowed to float when a contract is intended for consumption by other developers, as in the case with contracts in a library or EthPM package. Otherwise, the developer would need to manually update the pragma in order to compile locally. swc-103
Ethereum Smart Contract Best Practices - Lock pragmas to specific compiler version. smart contract best practice.
setMaxAmount() and setMinAmount can be set to conflict eachother.Owner can set minAmount that conflict with maximum Amount.
it best to confirm the parameter set by Owner to check that setMaxAmount arguement is not less than the minimum amount set and the parameter set for setMinAmount is not greater than maxAmount set.
inconsistency with the unstake() function, users are unpredictable and can try to withdraw as low as 1wei, 2 wei etc and for a very little amount, it shows that while you caan call the unstake function successfully with passing 0, 1, 2 and 3 as value, user SafEth reduced in value but received 0 ethers in return for the amount deducted in safEth. And also passing 5 and 6 as a value in unstake function get reverted at the the point of exchanging on lido protocol calling the exchange function. (this was written in vyper).
it is recommended to add minmum amount that can be unstake to correct the inconsistency happening with the unstake functions.
#0 - elmutt
2023-04-07T23:04:39Z
duplicate issues but valid
#1 - c4-sponsor
2023-04-07T23:04:44Z
elmutt marked the issue as sponsor confirmed
#2 - c4-judge
2023-04-24T19:03:19Z
Picodes marked the issue as grade-b