MaratCerby - Mimo DeFi contest

Findings Information

🌟 Selected for report: ych18

Also found by: MaratCerby, defsec, robee

Labels

bug

duplicate

2 (Med Risk)

Awards

755.6243 USDC - $755.62

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/liquidityMining/v2/PARMinerV2.sol#L125

Vulnerability details

Impact

ERC20 standard allows approve function of some contracts to return bool or return nothing. Using safeApprove of SafeERC20.sol is recommended instead.

Proof of Concept

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/4a9cc8b4918ef3736229a5cc5a310bdc17bf759f/contracts/token/ERC20/utils/SafeERC20.sol

Tools Used

Recommended Mitigation Steps

collateralToken.safeApprove(proxy, collateralToken.balanceOf(address(this)));

#0 - m19
2022-05-10T07:30:59Z

Duplicate of #124

#1 - gzeoneth
2022-06-05T15:19:06Z

Duplicate of https://github.com/code-423n4/2022-04-mimo-findings/issues/127

Findings Information

🌟 Selected for report: Dravee

Also found by: 0x1f8b, 0x4non, 0x52, 0xDjango, AlleyCat, Funen, GalloDaSballo, GimelSec, Hawkeye, MaratCerby, Picodes, berndartmueller, cccz, defsec, delfin454000, dipp, hyh, ilan, joestakey, kebabsec, luduvigo, pauliax, peritoflores, robee, rotcivegaf, samruna, shenwilly, sikorico, simon135, sorrynotsorry, unforgiven, z3s

Awards

89.0354 USDC - $89.04

Labels

bug

QA (Quality Assurance)

External Links

Link to GitHub issue

Impact

It is recommended to explicityly specify uint256 type instead of uint type for better readability. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/supervaults/contracts/SuperVault.sol#L30

Proof of Concept

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 dexIndex;

Impact

uint256 is assigned to zero by default, additional reassignment to zero is unnecessary Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/inception/InceptionVaultsCore.sol#L218

Proof of Concept

https://docs.soliditylang.org/en/v0.8.13/control-structures.html#default-value

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 insuranceAmount;

Impact

uint256 is assigned to zero by default, additional reassignment to zero is unnecessary Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/libraries/ABDKMath64x64.sol#L387

Proof of Concept

https://docs.soliditylang.org/en/v0.8.13/control-structures.html#default-value

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 resultShift;

Impact

int256 is assigned to zero by default, additional reassignment to zero is unnecessary Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/libraries/ABDKMath64x64.sol#L437

Proof of Concept

https://docs.soliditylang.org/en/v0.8.13/control-structures.html#default-value

Tools Used

Recommended Mitigation Steps

Recommended code: int256 msb;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/inception/InceptionVaultsCore.sol#L23

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 constant _MAX_INT = 2**256 - 1;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/GenericMinerV2.sol#L33

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: IERC20 immutable _par;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/GenericMinerV2.sol#L34

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: IGovernanceAddressProvider immutable _a;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/GenericMinerV2.sol#L36

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: BoostConfig _boostConfig;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/GenericMinerV2.sol#L38

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: mapping(address => UserInfo) _users;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/GenericMinerV2.sol#L40

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _totalStake;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/GenericMinerV2.sol#L41

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _totalStakeWithBoost;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/GenericMinerV2.sol#L43

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _mimoBalanceTracker;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/GenericMinerV2.sol#L44

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _accMimoAmountPerShare;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/GenericMinerV2.sol#L46

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _parBalanceTracker;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/GenericMinerV2.sol#L47

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _accParAmountPerShare;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/PARMinerV2.sol#L22

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: IERC20 _par;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/PARMinerV2.sol#L23

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: IGovernanceAddressProvider _a;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/PARMinerV2.sol#L24

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: IDexAddressProvider immutable _dexAP;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/PARMinerV2.sol#L26

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: BoostConfig _boostConfig;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/PARMinerV2.sol#L28

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: mapping(address => UserInfo) _users;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/PARMinerV2.sol#L30

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _totalStake;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/PARMinerV2.sol#L31

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _totalStakeWithBoost;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/PARMinerV2.sol#L32

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _liquidateCallerReward;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/PARMinerV2.sol#L34

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _mimoBalanceTracker;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/PARMinerV2.sol#L35

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _accMimoAmountPerShare;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/PARMinerV2.sol#L37

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _parBalanceTracker;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/contracts/liquidityMining/v2/PARMinerV2.sol#L38

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 _accParAmountPerShare;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L50

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: MockERC20 _wbtc;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L51

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: MockERC20 _usdc;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L52

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: MockERC20 _link;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L53

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: MockWETH _weth;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L54

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: MockMIMO _mimo;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L55

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: PAR _par;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L56

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: MockInceptionAggregator _wbtcAggregator;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L57

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: MockInceptionAggregator _wethAggregator;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L58

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: MockInceptionAggregator _usdcAggregator;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L59

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: MockInceptionAggregator _eurUsdAggregator;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L60

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: MockInceptionAggregator _linkAggregator;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L62

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: AccessController _accessController;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L63

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: AddressProvider _addressProvider;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L64

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: ConfigProvider _configProvider;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L65

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: PriceFeed _priceFeed;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L66

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: RatesManager _ratesManager;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L67

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: LiquidationManager _liquidationManager;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L68

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: FeeDistributor _feeDistributor;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L69

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: VaultsDataProvider _vaultsDataProvider;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L70

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: VaultsCoreState _vaultsCoreState;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L71

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: VaultsCore _vaultsCore;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L72

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: GovernanceAddressProvider _governanceAddressProvider;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L73

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: DebtNotifier _debtNotifier;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L74

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: SupplyMiner _wbtcSupplyMiner;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L75

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: SupplyMiner _wethSupplyMiner;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L76

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: SupplyMiner _usdcSupplyMiner;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L77

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: InceptionVaultFactory _inceptionVaultFactory;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L78

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: AdminInceptionVault _baseAdminInceptionVault;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L79

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: InceptionVaultsCore _baseInceptionVaultsCore;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L80

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: InceptionVaultsDataProvider _baseInceptionVaultsDataProvider;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L81

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: ChainlinkInceptionPriceFeed _baseChainlinkInceptionPriceFeed;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L83

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 constant _MAX_INT = 2**256 - 1;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/core/echidna/TIVSetup.sol#L84

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: address _echidna_caller = 0x00a329c0648769A73afAc7F9381E08FB43dBEA72;

Impact

By default state variables/constants are internal. Internal keyword can be omitted. Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/supervaults/contracts/SuperVault.sol#L36

Proof of Concept

https://docs.soliditylang.org/en/v0.8.12/types.html#:~:text=to%20be%20omitted.-,By,-default%2C%20function%20types

Tools Used

Recommended Mitigation Steps

Recommended code: IDexAddressProvider _dexAP;

Impact

Transfer from sender to contract and from contract to inception vault could be replaced in a single transfer. Affected code: https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/inception/InceptionVaultsCore.sol#L234-L235

Proof of Concept

Tools Used

Recommended Mitigation Steps

Recommended code: stablex.safeTransferFrom(msg.sender, address(_adminInceptionVault), _amount);

#0 - gzeoneth
2022-06-05T16:37:41Z

Warden spammed > 20 submission with very similar finding and multiple QA report. A penalty is applied to the score of this report.

Findings Information

🌟 Selected for report: Dravee

Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xkatana, Funen, GimelSec, MaratCerby, Picodes, Tadashi, Tomio, defsec, delfin454000, joestakey, kebabsec, oyc_109, pauliax, robee, rotcivegaf, samruna, slywaters, sorrynotsorry, ych18, z3s

Awards

59.0559 USDC - $59.06

Labels

bug

G (Gas Optimization)

External Links

Link to GitHub issue

Impact

There is a global constant type(uint256).max which saves 10 gas comparing to using 2**256 - 1 Affected code: https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/inception/InceptionVaultsCore.sol#L23

Proof of Concept

Tools Used

Recommended Mitigation Steps

Recommended code: uint256 internal constant _MAX_INT = type(uint256).max;

Impact

There is a global constant type(uint256).max which saves 10 gas comparing to using 2**256 - 1 Affected code: https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L326

Proof of Concept

Tools Used

Recommended Mitigation Steps

Recommended code: token.approve(address(a.core()), type(uint256).max);

Impact

It is recommended to tightly pack structs in order to save gas on SSTORE/SREAD operations. Affected code: https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/inception/interfaces/IInceptionVaultsDataProvider.sol#L9-L14

Proof of Concept

Tools Used

Recommended Mitigation Steps

Recommended code: struct InceptionVault { address owner; // uses 20 bytes uint96 createdAt; // uses 12 bytes, combining with above uses one 32 bytes slot uint256 collateralBalance; uint256 baseDebt; }

Impact

It is recommended to tightly pack structs in order to save gas on SSTORE/SREAD operations. Affected code: https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/liquidityMining/v2/interfaces/IDemandMinerV2.sol#L17-L20

Proof of Concept

Tools Used

Recommended Mitigation Steps

Recommended code: struct FeeConfig { uint128 depositFee; // 16 bytes uint128 withdrawFee; // 16 bytes, combining with above uses one 32 bytes slot }

Impact

It is recommended to tightly pack structs in order to save gas on SSTORE/SREAD operations. Affected code: https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/liquidityMining/v2/interfaces/IGenericMinerV2.sol#L11-L16

Proof of Concept

Tools Used

Recommended Mitigation Steps

Recommended code: struct UserInfo { uint256 stake; uint256 stakeWithBoost; uint128 accAmountPerShare; // 16 bytes uint128 accParAmountPerShare; // 16 bytes, combining with above uses one 32 bytes slot }

Impact

As per 0.8.4 solidity version it supports new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/supervaults/contracts/SuperVault.sol#L39

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended Mitigation Steps

Recommended code: error SV001_RequiresAdminRole(); .. if(!(hasRole(DEFAULT_ADMIN_ROLE, msg.sender))) { revert SV001_RequiresAdminRole(); }

Impact

As per 0.8.4 solidity version it supports new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/supervaults/contracts/SuperVault.sol#L83

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended Mitigation Steps

Recommended code: error Error_SV002(); .. if(msg.sender != address(lendingPool)) { revert Error_SV002(); }

Impact

As per 0.8.4 solidity version it supports new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/supervaults/contracts/SuperVault.sol#L109

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended Mitigation Steps

Recommended code: error Error_SV101(); .. if(token.balanceOf(address(this)) < flashloanRepayAmount) { revert Error_SV101(); }

Impact

As per 0.8.4 solidity version it supports new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/supervaults/contracts/SuperVault.sol#L156

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended Mitigation Steps

Recommended code: error Error_SV101(); .. if(fromCollateral.balanceOf(address(this)) < flashloanRepayAmount) { revert Error_SV101(); }

Impact

As per 0.8.4 solidity version it supports new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/supervaults/contracts/SuperVault.sol#L207

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended Mitigation Steps

Recommended code: error Error_SV101(); .. if(vaultCollateral.balanceOf(address(this)) < flashloanRepayAmount) { revert Error_SV101(); }

Impact

As per 0.8.4 solidity version it supports new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-04-mimo/tree/main/supervaults/contracts/SuperVault.sol#L344

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended Mitigation Steps

Recommended code: error Error_SV201(); .. if(!(proxy != address(0) && router != address(0))) { revert Error_SV201(); }

Mimo DeFi contest - MaratCerby's results

Bridging the chasm between the DeFi world and the world of regulated financial institutions.

General Information

Findings Distribution

Researcher Performance

External Links

[M-04] safeApprove is recommended instead of approve - $755.62

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - m192022-05-10T07:30:59Z

#1 - gzeoneth2022-06-05T15:19:06Z

[Q-28] QA Report - $89.04

Findings Information

Awards

Labels

External Links

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - m19
2022-05-10T07:30:59Z

#1 - gzeoneth
2022-06-05T15:19:06Z