Platform: Code4rena
Start Date: 30/11/2021
Pot Size: $30,000 USDC
Total HM: 0
Participants: 21
Period: 3 days
Judge: pauliax
Id: 63
League: ETH
Rank: 4/21
Findings: 2
Award: $4,241.66
π Selected for report: 2
π Solo Findings: 0
π Selected for report: gzeon
Also found by: Meta0xNull, defsec
883.4673 USDC - $883.47
Meta0xNull
In FEI RARI Merger Draft: VIII. Ragequit C. Intrinsic Value (IV) is defined as Protocol Equity (PCV - User Circulating Fei) divided by the Pre-merger TRIBE Circulating Supply. The Protocol Equity number is taken from Feiβs Collaterization Oracle and updated on each ragequit such that Protocol Equity can only be lowered.
The Ragequit function ngmi() here Does Not Call requery() to Update Protocol Equity Number, minProtocolEquity.
By right requery() will Obtain Oracle Data and then Call recalculate() to Calculate token1OutBase That Used in function ngmi(). It should Be Lower and Lower Everytime Protocol Equity Number is Updated. Meaning those TRIBE Holders who are late to Ragequit will receive less FEI.
But now Some TRIBE Holders may get FEI More than they deserve and FEI Holders will be in Disadvantage because of Over Mint.
https://gfxlabs.io/docs/draft_fei_rari_merger.pdf https://github.com/code-423n4/2021-11-fei/blob/main/contracts/TRIBERagequit.sol#L59-L81 https://github.com/code-423n4/2021-11-fei/blob/main/contracts/TRIBERagequit.sol#L110-L130 https://github.com/code-423n4/2021-11-fei/blob/main/contracts/TRIBERagequit.sol#L96-L105
Manual Review
Add requery() into function ngmi() to Update minProtocolEquity and token1OutBase Everytime.
#0 - elee1766
2021-12-06T04:43:57Z
the oracle number is already cached. this is not a major issue
#1 - pauliax
2021-12-11T13:22:55Z
A duplicate of #126
π Selected for report: Meta0xNull
3272.101 USDC - $3,272.10
Meta0xNull
<code> require(minProtocolEquity > 0, "no equity"); </code> In function ngmi(), it require minProtocolEquity more than 0. But looking at Simulations, requery() is not called to Update minProtocolEquity and thus it always use default value which is 0.
requery() Can be Called by Public But Admin can't Expect All Community Members know how to Read the Contract Code and Call the Function.
Note: This is Different from Another High Risk Report. This Report is Focus On Initial Value, another Report is Focus On Ongoing Value.
https://github.com/code-423n4/2021-11-fei/blob/main/contracts/TRIBERagequit.sol#L66 https://github.com/code-423n4/2021-11-fei/blob/main/README.md#simulations https://github.com/code-423n4/2021-11-fei/blob/main/contracts/TRIBERagequit.sol#L110-L130
Manual Review
In Simulations, Add Extra Step to Call requery() to Update minProtocolEquity.
#0 - pauliax
2021-12-11T13:30:06Z
As far as I understand, this is a low severity issue. It involves simulations, not smart contracts, and it only needs one smart community member to know how to call requery(). This is a valid finding because simulations were also in scope.
π Selected for report: WatchPug
Also found by: Meta0xNull
33.1103 USDC - $33.11
Meta0xNull
Shortening revert strings to fit in 32 bytes will decrease deployment time gas and will decrease runtime gas when the revert condition has been met.
Revert strings that are longer than 32 bytes require at least one additional mstore, along with additional overhead for computing memory offset, etc.
https://github.com/code-423n4/2021-11-fei/blob/main/contracts/TRIBERagequit.sol#L207 https://github.com/code-423n4/2021-11-fei/blob/main/contracts/TRIBERagequit.sol#L219 https://github.com/code-423n4/2021-11-fei/blob/main/contracts/PegExchanger.sol#L83 https://github.com/code-423n4/2021-11-fei/blob/main/contracts/PegExchanger.sol#L92 https://github.com/code-423n4/2021-11-fei/blob/main/contracts/PegExchanger.sol#L104 https://github.com/code-423n4/2021-11-fei/blob/main/contracts/PegExchanger.sol#L112
Manual Review
Shorten the revert strings to fit in 32 bytes.
Or consider using Custom Errors (solc >=0.8.4).
#0 - elee1766
2021-12-06T04:44:53Z
#78
#1 - pauliax
2021-12-10T17:27:06Z
A duplicate of #78
π Selected for report: 0x0x0x
Also found by: Meta0xNull, WatchPug
19.8662 USDC - $19.87
Meta0xNull
The local variable used as for loop index need not be initialized to 0 because the default value is 0. Avoiding this anti-pattern can save a few opcodes and therefore a tiny bit of gas.
https://github.com/code-423n4/2021-11-fei/blob/main/contracts/TRIBERagequit.sol#L165
Manual Review
Remove explicit 0 initialization of for loop index variable.
Before: for (uint256 i = 0; After for (uint256 i;
#0 - elee1766
2021-12-06T04:45:05Z
#157
#134
#1 - pauliax
2021-12-10T17:44:17Z
A duplicate of #134
π Selected for report: Meta0xNull
Also found by: WatchPug
33.1103 USDC - $33.11
Meta0xNull
Every Computation On Chain Cost Gas.
https://github.com/code-423n4/2021-11-fei/blob/main/contracts/PegExchanger.sol#L17 https://github.com/code-423n4/2021-11-fei/blob/main/contracts/PegExchanger.sol#L107
Manual Review
Before: uint256 public constant MIN_EXPIRY_WINDOW = 6400 * 365;
After: uint256 public constant MIN_EXPIRY_WINDOW = 2336000;
#0 - elee1766
2021-12-06T03:38:31Z
ack
no change
#1 - pauliax
2021-12-11T10:49:22Z
Valid suggestion, even though the sponsor decided not to implement the changes.