Platform: Code4rena
Start Date: 02/08/2022
Pot Size: $50,000 USDC
Total HM: 12
Participants: 69
Period: 5 days
Judge: gzeon
Total Solo HM: 5
Id: 150
League: ETH
Rank: 51/69
Findings: 1
Award: $67.73
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0xDjango, 0xNazgul, 0xc0ffEE, 8olidity, Bnke0x0, Chom, CodingNameKiki, Deivitto, Dravee, Funen, JC, JohnSmith, NoamYakov, ReyAdmirado, Rohan16, Rolezn, Sm4rty, SooYa, TomFrenchBlockchain, TomJ, Waze, __141345__, ajtra, ak1, aysha, bin2chen, bobirichman, brgltd, bulej93, c3phas, delfin454000, durianSausage, erictee, fatherOfBlocks, gogo, horsefacts, hyh, ladboy233, mics, natzuu, nxrblsrpr, oyc_109, rbserver, samruna, sikorico, simon135, tofunmi, wagmi
67.7324 USDC - $67.73
If the intention is for the Ether to be used, the function should call another function, otherwise it should revert (e.g. require(msg.sender == address(weth)))
There is 1 instance of this issue:
//Links to github files
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxy.sol#L38
//actual codes used
contracts/proxy/MIMOProxy.sol:38: receive() external payable {}
Use a Solidity version of at least 0.8.13 to get the ability to use "using for" with a list of free functions.
There are instances of this issue:
//Links to github files
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxyFactory.sol#L13
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOLeverage.sol#L15
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMORebalance.sol#L15
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOFlashloan.sol#L16
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOVaultActions.sol#L17
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/managed/MIMOManagedAction.sol#L10
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/managed/MIMOManagedRebalance.sol#L17
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/managed/MIMOManagedRebalance.sol#L18
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOSwap.sol#L17
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOEmptyVault.sol#L15
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/automated/MIMOAutoRebalance.sol#L24
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/automated/MIMOAutoRebalance.sol#L25
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/automated/MIMOAutoAction.sol#L10
//actual codes used
contracts/proxy/MIMOProxyFactory.sol:13: using Clones for address;
contracts/actions/MIMOLeverage.sol:15: using SafeERC20 for IERC20;
contracts/actions/MIMORebalance.sol:15: using SafeERC20 for IERC20;
contracts/actions/MIMOFlashloan.sol:16: using SafeERC20 for IERC20;
contracts/actions/MIMOVaultActions.sol:17: using SafeERC20 for IERC20;
contracts/actions/managed/MIMOManagedAction.sol:10: using WadRayMath for uint256;
contracts/actions/managed/MIMOManagedRebalance.sol:17: using SafeERC20 for IERC20;
contracts/actions/managed/MIMOManagedRebalance.sol:18: using WadRayMath for uint256;
contracts/actions/MIMOSwap.sol:17: using SafeERC20 for IERC20;
contracts/actions/MIMOEmptyVault.sol:15: using SafeERC20 for IERC20;
contracts/actions/automated/MIMOAutoRebalance.sol:24: using SafeERC20 for IERC20;
contracts/actions/automated/MIMOAutoRebalance.sol:25: using WadRayMath for uint256;
contracts/actions/automated/MIMOAutoAction.sol:10: using WadRayMath for uint256;
An attacker can initialize the contract first, take malicious actions, and then allow it to be re-initialized by the project without any error being noticed.
//Links to github files
contracts/proxy/interfaces/IMIMOProxy.sol:17
//actual codes used
contracts/proxy/interfaces/IMIMOProxy.sol:17: function initialize() external;
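A hardened sketch covering the two findings above, the unguarded receive() and the unprotected initialize(). This is an added example, not MIMO's code: the factory address, the WETH address and the owner_ parameter are assumptions about how such a proxy would be wired up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.13; // locked pragma instead of a floating ">=0.8.4"

/// Proxy-like contract hardened against the two issues discussed above.
/// Assumptions (not from the audited code): the deploying factory is the only
/// legitimate initializer, and Ether is only ever expected from WETH unwrapping.
contract GuardedProxy {
    address public immutable weth;    // assumed WETH address, fixed at deployment
    address public immutable factory; // only this address may call initialize()
    address public owner;
    bool private _initialized;

    error UnexpectedEther(address sender);
    error AlreadyInitialized();
    error NotFactory(address caller);

    event EtherReceived(address indexed from, uint256 amount);
    event Initialized(address indexed owner);

    constructor(address weth_, address factory_) {
        weth = weth_;
        factory = factory_;
    }

    /// One-shot initializer restricted to the factory, so a third party can
    /// neither claim the proxy first nor have it re-initialized later.
    function initialize(address owner_) external {
        if (msg.sender != factory) revert NotFactory(msg.sender);
        if (_initialized) revert AlreadyInitialized();
        _initialized = true;
        owner = owner_;
        emit Initialized(owner_);
    }

    /// Ether from anyone other than WETH is rejected instead of being silently
    /// accepted and stranded in the proxy.
    receive() external payable {
        if (msg.sender != weth) revert UnexpectedEther(msg.sender);
        emit EtherReceived(msg.sender, msg.value);
    }
}
```

If the intended design lets the owner initialize rather than the factory, the same one-shot flag still blocks the re-initialization path; only the sender check changes.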
Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
//Links to github files
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/interfaces/IMIMOProxy.sol
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/interfaces/IMIMOProxyRegistry.sol
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxyRegistry.sol
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxy.sol
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxyFactory.sol
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/interfaces/IMIMOProxyFactory.sol
//actual codes used
contracts/proxy/MIMOProxyFactory.sol:2: pragma solidity >=0.8.4;
contracts/proxy/MIMOProxy.sol:2: pragma solidity >=0.8.4;
contracts/proxy/MIMOProxyRegistry.sol:2: pragma solidity >=0.8.4;
contracts/proxy/interfaces/IMIMOProxyFactory.sol:2: pragma solidity ^0.8.4;
contracts/proxy/interfaces/IMIMOProxyRegistry.sol:2: pragma solidity ^0.8.4;
contracts/proxy/interfaces/IMIMOProxy.sol:2: pragma solidity ^0.8.4;
Each event should use three indexed fields if there are three or more fields.
There are 2 instances of this issue:
//Links to github files
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/interfaces/IMIMOProxyFactory.sol#L11
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/interfaces/IMIMOProxy.sol#L9
//actual codes used
contracts/proxy/interfaces/IMIMOProxyFactory.sol:11: event DeployProxy(address indexed deployer, address indexed owner, address proxy);
contracts/proxy/interfaces/IMIMOProxy.sol:9: event Execute(address indexed target, bytes data, bytes response);