Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 22/101
Findings: 1
Award: $34.50
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
34.5035 USDC - $34.50
The comment should be rewritten as:
/// Should set the user's claim amount in the claims mapping for the provided cToken
The comment should be rewritten as:
// We give the interactions (the safeTransferFroms) their own for loop, just to be safe
https://github.com/code-423n4/2022-09-tribe/blob/main/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L170
https://github.com/code-423n4/2022-09-tribe/blob/main/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L202
Just as has been done for _multiRedeem(), the following zero address check for _cToken should be inserted as the first require statement of _claim() (before line 170) and _redeem() (before line 202), to guard against a user's input error when calling the contract directly on Etherscan instead of interacting through the UI:
require(_cToken != address(0), "Invalid cToken address");
https://github.com/code-423n4/2022-09-tribe/blob/main/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L217-L218
https://github.com/code-423n4/2022-09-tribe/blob/main/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L249-L250
A cToken exchange rate could be as small as 1e10 + 1 according to line 130 inside _configureExchangeRates(). When a very small amount of cToken is redeemed at such a low exchange rate, `previewRedeem()` could return zero, since the numerator (amount times rate) would be smaller than 1e18 and integer division rounds down. Similarly, the contract's balance of baseToken could be lower than baseTokenAmountReceived. As such, the following require statement should be inserted before the token transfers are performed:
require(baseTokenAmountReceived != 0 && baseTokenAmountReceived < IERC20(baseToken).balanceOf(address(this)), "Zero and/or insufficient base token payout!");
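To show the two recommendations above together, here is an added sketch written for this review; it is not the RariMerkleRedeemer code and is much simplified from it. It puts the zero-address check on `_cToken` first in `_claim()` and `_redeem()`, has a `previewRedeem()` whose comment works through the rounding-to-zero case at a rate of 1e10 + 1, and performs the payout check before any transfer. The contract name, storage layout, `setExchangeRate()`, the `IERC20` interface and the indexed events are assumptions. One deliberate difference: the balance check is written as `<=`, so a redemption that exactly empties the contract is still accepted, whereas the require above uses a strict `<`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed by the sketch (assumption; not the project's interface).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added illustration of the two checks; this is not the RariMerkleRedeemer contract.
contract RedeemerSketch {
    // Indexed addresses let off-chain consumers filter by user and by cToken.
    event Claimed(address indexed user, address indexed cToken, uint256 amount);
    event Redeemed(address indexed user, address indexed cToken, uint256 cTokenAmount, uint256 baseTokenAmount);

    address public immutable baseToken;

    // cToken => base tokens per cToken, scaled by 1e18 (assumed layout).
    mapping(address => uint256) public cTokenExchangeRates;
    // user => cToken => claimed cToken amount (assumed layout).
    mapping(address => mapping(address => uint256)) public claims;

    constructor(address _baseToken) {
        require(_baseToken != address(0), "Invalid base token address");
        baseToken = _baseToken;
    }

    // Hypothetical rate setter, left unguarded only to keep the sketch short.
    function setExchangeRate(address _cToken, uint256 _rate) external {
        require(_rate > 1e10, "Rate too small"); // mirrors the lower bound mentioned above
        cTokenExchangeRates[_cToken] = _rate;
    }

    /// @notice Base tokens paid out for `_amount` cTokens.
    /// Worked case: _rate = 1e10 + 1 and _amount = 1e7 gives a numerator of 1e17 + 1e7,
    /// which is below 1e18, so integer division returns 0.
    function previewRedeem(address _cToken, uint256 _amount) public view returns (uint256) {
        return (_amount * cTokenExchangeRates[_cToken]) / 1e18;
    }

    /// @notice Records the caller's claim for `_cToken`; the zero-address check is the first require.
    function _claim(address _cToken, uint256 _amount) internal {
        require(_cToken != address(0), "Invalid cToken address");
        require(_amount != 0, "Zero claim");
        claims[msg.sender][_cToken] = _amount;
        emit Claimed(msg.sender, _cToken, _amount);
    }

    /// @notice Swaps `_cTokenAmount` of the claimed cToken for base tokens.
    function _redeem(address _cToken, uint256 _cTokenAmount) internal {
        require(_cToken != address(0), "Invalid cToken address");
        require(claims[msg.sender][_cToken] >= _cTokenAmount, "Exceeds claim");

        uint256 baseTokenAmountReceived = previewRedeem(_cToken, _cTokenAmount);
        // Reject a zero payout (rounding) and a payout the contract cannot cover.
        require(
            baseTokenAmountReceived != 0 &&
                baseTokenAmountReceived <= IERC20(baseToken).balanceOf(address(this)),
            "Zero and/or insufficient base token payout!"
        );

        // Effects before interactions.
        claims[msg.sender][_cToken] -= _cTokenAmount;
        emit Redeemed(msg.sender, _cToken, _cTokenAmount, baseTokenAmountReceived);

        // Interactions last, each with its return value checked.
        require(IERC20(_cToken).transferFrom(msg.sender, address(this), _cTokenAmount), "cToken transfer failed");
        require(IERC20(baseToken).transfer(msg.sender, baseTokenAmountReceived), "base token transfer failed");
    }

    function claimAndRedeem(address _cToken, uint256 _amount) external {
        _claim(_cToken, _amount);
        _redeem(_cToken, _amount);
    }
}
```

The zero-payout check matters because, without it, a redeemer would give up cTokens and receive nothing; the balance check turns a silent transfer failure (or a revert deep inside the token) into an explicit revert with a readable reason.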
Instead of inheriting ERC20Dripper and overriding drip(), consider implementing a Chainlink keeper that would auto-fund RariMerkleRedeemer whenever its FEI balance dropped below a preset level.
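As an added illustration of the keeper approach (written for this review, not code from the Tribe repository), the contract below implements Chainlink Automation's AutomationCompatibleInterface: checkUpkeep() reports when the redeemer's FEI balance has fallen below a threshold and this contract holds enough FEI to cover a top-up, and performUpkeep() moves a fixed amount of FEI to the redeemer. The interface is reproduced inline with the same signatures rather than imported from @chainlink/contracts; the contract name, constructor parameters, the single-caller restriction on performUpkeep() and the threshold/dripAmount values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed here (assumption; not the FEI token's full interface).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Chainlink Automation interface, reproduced inline with the same signatures as
// AutomationCompatibleInterface in @chainlink/contracts.
interface AutomationCompatibleInterface {
    function checkUpkeep(bytes calldata checkData)
        external
        returns (bool upkeepNeeded, bytes memory performData);

    function performUpkeep(bytes calldata performData) external;
}

// Added illustration: tops up the redeemer with FEI whenever its balance falls below a threshold.
contract RedeemerFunder is AutomationCompatibleInterface {
    IERC20 public immutable fei;          // FEI token (constructor argument)
    address public immutable redeemer;    // RariMerkleRedeemer address (constructor argument)
    address public immutable keeper;      // only caller allowed to run performUpkeep (assumed: the Automation forwarder)
    uint256 public immutable threshold;   // refill when the redeemer's balance drops below this
    uint256 public immutable dripAmount;  // FEI sent per upkeep

    event Dripped(address indexed redeemer, uint256 amount, uint256 newBalance);

    constructor(address _fei, address _redeemer, address _keeper, uint256 _threshold, uint256 _dripAmount) {
        require(_fei != address(0) && _redeemer != address(0) && _keeper != address(0), "Invalid address");
        require(_dripAmount != 0, "Zero drip amount");
        fei = IERC20(_fei);
        redeemer = _redeemer;
        keeper = _keeper;
        threshold = _threshold;
        dripAmount = _dripAmount;
    }

    // Simulated off-chain by the Automation network: true when the redeemer is low and
    // this contract can cover one drip. Overriding with `view` is allowed (stricter mutability).
    function checkUpkeep(bytes calldata)
        external
        view
        override
        returns (bool upkeepNeeded, bytes memory performData)
    {
        upkeepNeeded = fei.balanceOf(redeemer) < threshold && fei.balanceOf(address(this)) >= dripAmount;
        performData = "";
    }

    // Executed on-chain. The condition is re-checked here because checkUpkeep is only a
    // simulation, and the caller is restricted so that no one else can trigger a drip.
    function performUpkeep(bytes calldata) external override {
        require(msg.sender == keeper, "Not keeper");
        require(fei.balanceOf(redeemer) < threshold, "Balance above threshold");
        require(fei.transfer(redeemer, dripAmount), "Transfer failed");
        emit Dripped(redeemer, dripAmount, fei.balanceOf(redeemer));
    }
}
```

The contract still needs to be funded with FEI and registered as an upkeep; the design point is that the refill condition lives in performUpkeep() as well as checkUpkeep(), so the on-chain behaviour does not depend on the off-chain simulation being honest.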
https://github.com/code-423n4/2022-09-tribe/blob/main/contracts/peg/SimpleFeiDaiPSM.sol#L56
A DAI balance check should be performed before line 56, such that:
require(amountOut < balance(), "Insufficient DAI");
Addresses in the Redeem and Mint events should be indexed for ease of filtered access. Where possible, consider making use of all three indexed parameters that an event allows.