Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 63/101
Findings: 1
Award: $33.58
Selected for report: 0
Solo Findings: 0
Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
33.5761 USDC - $33.58
Severity: Non-Critical
pragma solidity ^0.8.4;
https://github.com/code-423n4/2022-09-tribe/tree/main/contracts/peg/SimpleFeiDaiPSM.sol#L2
pragma solidity ^0.8.4;
https://github.com/code-423n4/2022-09-tribe/tree/main/contracts/shutdown/redeem/TribeRedeemer.sol#L2
Avoid floating pragmas; the version should be locked.
Severity: Non-Critical
Each event should use three indexed fields if there are three or more fields.
event Redeem(address to, uint256 amountFeiIn, uint256 amountAssetOut);
https://github.com/code-423n4/2022-09-tribe/tree/main/contracts/peg/SimpleFeiDaiPSM.sol#L27
event Mint(address to, uint256 amountIn, uint256 amountFeiOut);
https://github.com/code-423n4/2022-09-tribe/tree/main/contracts/peg/SimpleFeiDaiPSM.sol#L29
Add indexed fields for events.
OpenZeppelin recommends that the initializer modifier be applied to constructors. Per OZ's post, the implementation contract should be initialized to avoid potential griefs or exploits. https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680/5
Severity: Non-Critical
constructor( address _core, address _target, uint256 _dripPeriod, uint256 _amountToDrip, address _token ) ERC20Dripper(_core, _target, _dripPeriod, _amountToDrip, _token) {}
constructor( address token, address[] memory cTokens, uint256[] memory rates, bytes32[] memory roots ) { _configureExchangeRates(cTokens, rates); _configureMerkleRoots(cTokens, roots); _configureBaseToken(token); }
constructor( address _redeemedToken, address[] memory _tokensReceived, uint256 _redeemBase ) { redeemedToken = _redeemedToken; tokensReceived = _tokensReceived; redeemBase = _redeemBase; }
Add initializer modifier in the constructor per OpenZeppelin's recommendation.
Severity: Non-Critical
Use a Solidity version of at least 0.8.12 to get string.concat() instead of abi.encodePacked(<str>,<str>). Use a Solidity version of at least 0.8.13 to get the ability to use "using for" with a list of free functions.
Found old version 0.8.4 of Solidity in SimpleFeiDaiPSM.sol
https://github.com/code-423n4/2022-09-tribe/tree/main/contracts/peg/SimpleFeiDaiPSM.sol#L2
Found old version 0.8.10 of Solidity in MerkleRedeemerDripper.sol
Found old version 0.8.10 of Solidity in RariMerkleRedeemer.sol
Found old version 0.8.4 of Solidity in TribeRedeemer.sol
https://github.com/code-423n4/2022-09-tribe/tree/main/contracts/shutdown/redeem/TribeRedeemer.sol#L2
Consider updating to a more recent Solidity version.
Severity: Non-Critical
Contracts are allowed to override their parents' functions and change the visibility from external to public.
function drip() public override {
Update function drip from public to external.
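The floating-pragma, old-compiler and event-indexing findings above can be checked mechanically before an audit. The following Python script is an added example, not part of the original report or the audited code base; the function names, rule names, the 0.8.13 threshold constant and the sample contract are assumptions made for illustration, and the regex matching handles plain declarations only.

```python
import re

# Constructed sample, modelled on the snippets quoted in the report above.
SAMPLE = """\
pragma solidity ^0.8.4;
contract Demo {
    event Redeem(address to, uint256 amountFeiIn, uint256 amountAssetOut);
    event Mint(address indexed to, uint256 indexed amountIn, uint256 indexed amountFeiOut);
    event Paused(address account);
}
"""

PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+([^;]+);", re.M)
EVENT_RE = re.compile(r"\bevent\s+(\w+)\s*\(([^)]*)\)", re.S)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
MIN_VERSION = (0, 8, 13)  # assumption: the newest version the report asks for


def strip_comments(src):
    """Drop // and /* */ comments (line count preserved) so dead code is not flagged."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def lint(src):
    """Return sorted (line, rule, detail) findings for one Solidity source string."""
    src = strip_comments(src)
    findings = []
    line_of = lambda pos: src.count("\n", 0, pos) + 1
    for m in PRAGMA_RE.finditer(src):
        spec, line = m.group(1).strip(), line_of(m.start(1))
        # Anything other than a bare x.y.z (optionally "=x.y.z") is a version range.
        if not re.fullmatch(r"=?\s*\d+\.\d+\.\d+", spec):
            findings.append((line, "floating-pragma", spec))
        versions = [tuple(map(int, v)) for v in VERSION_RE.findall(spec)]
        if versions and min(versions) < MIN_VERSION:
            findings.append((line, "old-solidity", spec))
    for m in EVENT_RE.finditer(src):
        params = [p for p in m.group(2).split(",") if p.strip()]
        indexed = sum(1 for p in params if re.search(r"\bindexed\b", p))
        # Report's rule: three indexed fields when the event has three or more.
        if len(params) >= 3 and indexed < 3:
            detail = f"{m.group(1)}: {indexed}/{len(params)} indexed"
            findings.append((line_of(m.start()), "event-indexing", detail))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding, sep="\t")
```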