Platform: Code4rena
Start Date: 14/06/2022
Pot Size: $100,000 USDC
Total HM: 26
Participants: 59
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 9
Id: 133
League: ETH
Rank: 6/59
Findings: 8
Award: $4,355.88
π Selected for report: 1
π Solo Findings: 0
782.2807 CANTO - $126.34
126.3383 USDC - $126.34
In NoteRateModel, the function updateBaseRate has no access control. Therefore anyone could potentially call it and set baseRatePerYear to an incorrect value, to extract funds from borrowers or drop borrowing cost for an attack.
An attacker could set baseRatePerYear to an arbitrarily high value close to max uint, which would lead to all Notes borrowers paying extremely high interests and losing funds before the admin could react.
Add a whitelisting requirement or an admin privilege for this function.
#0 - ecmendenhall
2022-06-21T22:12:41Z
#1 - tkkwon1998
2022-06-22T18:36:06Z
Duplicate of issue #22
1467.456 USDC - $1,467.46
9086.4148 CANTO - $1,467.46
https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/ERC20.sol#L33 https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/ERC20.sol#L95
For an obscure reason as itβs not commented, _totalSupply is not initialized to 0, leading to an inaccurate total supply, which could easily break integrations, computations of market cap, etc.
If the constructor is called with _initialSupply = 1000, then 1000 tokens are minted. The total supply will be 2000.
Remove _initialSupply.
#0 - tkkwon1998
2022-06-22T18:14:22Z
The explanation is not clear. We can't seem to reproduce this issue as we can't find a scenario where the totalSupply function returns an incorrect value.
#1 - Picodes
2022-06-24T20:02:18Z
@tkkwon1998 to clarify:
Deploy the ERC20 with totalSupply_ = 1000.
Then totalSupply() returns 1000, which is incorrect.
Then if someone mints 1000 tokens, there is 1000 tokens in the market but due to _totalSupply += amount;, totalSupply = 2000 which is still incorrect
#2 - GalloDaSballo
2022-08-10T23:19:12Z
I believe the submission could have benefitted by:
However the finding is ultimately true in that, because totalSupply is a parameter passed in to the contract, and the ERC20 contract will not mint that amount, the totalSupply will end up not reflecting the total amounts of tokens minted.
For this reason, I believe the finding to be valid and High Severity to be appropriate.
I recommend the warden to err on the side of giving too much information to avoid getting their finding invalidated incorrectly
#3 - GalloDaSballo
2022-08-12T00:39:55Z
After further thinking, I still believe the finding is of high severity as the ERC20 standard is also broken, I do believe the submission could have been better developed, however, I think High is in place here
440.2368 USDC - $440.24
2725.9244 CANTO - $440.24
In Note, totalSupply could overflow, preventing the accountant to mint and work as intended.
As type(uint).max Note are minted in the accountant, totalSupply can overflow if itβs not 0 before the mint. But in the constructor, totalSupply_ could be non 0.
Remove totalSupply_ from the constructor.
#0 - GalloDaSballo
2022-08-12T01:02:57Z
Dup of #125
π Selected for report: joestakey
Also found by: 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xf15ers, 0xmint, Bronicle, Dravee, Funen, JMukesh, Limbooo, MadWookie, Picodes, Ruhum, TerrierLover, TomJ, Tutturu, WatchPug, Waze, _Adam, asutorufos, c3phas, catchup, cccz, codexploder, cryptphi, csanuragjain, defsec, fatherOfBlocks, gzeon, hake, hansfriese, hyh, ignacio, k, nxrblsrpr, oyc_109, robee, sach1r0, saian, simon135, technicallyty, zzzitron
72.9199 USDC - $72.92
687.9945 CANTO - $111.11
1 low and 5 non-critical issues.
ERC20 should be flagged as abstractERC20 is clearly not to be used directly as it does not implement mint or burn. This should specified somehow, either with a clear comment or by making the contract abstract.
ProposalStore - Incorrect CommentHere, the comment is not accurate and does not make sense.
ProposalStore - Incorrect CommentHere the comment does not correspond to the Proposal struct.
ProposalStore - UniGovModAcct and OnlyUniGov are uselessWhat are UniGovModAcct and OnlyUniGov used for in this contract ? Either they could be removed, either you should add a comment explaining their purpose.
For example here, the function name begins with _ which usually means the function is internal.
Numerous contracts, like this one or this one are not commented. If you intend to make this code public, you should have a clear documentation.
Reference: https://docs.soliditylang.org/en/develop/natspec-format.html
#0 - GalloDaSballo
2022-08-02T21:03:29Z
Valid R (Interface would be good as well)
NC
Valid R (would recommend rephrasing to "unused"
R
##Β [NC - 05] - Comment the code and follow the NatSpec standard NC
3R 2 NC
π Selected for report: _Adam
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 0xmint, Chom, Dravee, Fitraldys, Funen, JC, Limbooo, MadWookie, Picodes, Ruhum, TerrierLover, TomJ, Tomio, Waze, ak1, c3phas, catchup, defsec, fatherOfBlocks, gzeon, hake, hansfriese, joestakey, k, oyc_109, rfa, robee, sach1r0, saian, simon135, ynnad
39.6748 USDC - $39.67
396.9199 CANTO - $64.10
https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/Note.sol#L21 https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/Note.sol#L6
accountant is public, so there is no need for a view function as you already have the getter.
This line https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/ERC20.sol#L95 is useless as if the totalSupply is 0 it means all the tokens have been burned, so transfers will revert anyway as all the balances are null. Furthermore how can totalSupply be 0 as one cannot burn more than what has been minted ?
It could therefore be removed to save gas on each transfer.
#0 - GalloDaSballo
2022-08-04T00:35:57Z
About 100 gas saved (the slot will be read anyway)