Platform: Code4rena
Start Date: 01/07/2022
Pot Size: $75,000 USDC
Total HM: 17
Participants: 105
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 5
Id: 143
League: ETH
Rank: 19/105
Findings: 3
Award: $799.78
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xNineDec
Also found by: 0x1f8b, 0x29A, 0x52, 0xDjango, 0xdanial, 0xf15ers, Cheeezzyyyy, Chom, Franfran, GalloDaSballo, Green, IllIllI, Meera, Ruhum, bardamu, cccz, codexploder, defsec, hake, hansfriese, horsefacts, hubble, hyh, jonatascm, kebabsec, oyc_109, pashov, rbserver, simon135, tabish, tintin, zzzitron
14.8726 USDC - $14.87
Consumers of a Chainlink price feed should always verify that the price they receive is fresh, i.e. submitted recently. Otherwise, your protocol might work with outdated price data.
In the recent incident with Luna/UST, we've seen a protocol that doesn't verify the Chainlink data resulting in them losing ~$11M: https://medium.com/@blizzfinance/blizz-finance-post-mortem-2425a33fe28b
The contract only retrieves the price and ignores all the other values:
(, int256 price, , , ) = feed.latestRoundData();
none
Verify that the data is fresh by checking the updatedAt parameter: https://docs.chain.link/docs/price-feeds-api-reference/#latestrounddata
Also, Chainlink recommends consumers be able to pause usage of a specific feed in case the feed is paused: https://docs.chain.link/docs/selecting-data-feeds/#risk-mitigation
#0 - mejango
2022-07-12T18:49:41Z
dup #138
🌟 Selected for report: horsefacts
Also found by: 0x1f8b, 0x29A, 0x52, 0xf15ers, AlleyCat, Ch_301, Chom, Franfran, IllIllI, Kaiziron, Limbooo, Meera, Ruhum, Sm4rty, apostle0x01, berndartmueller, cccz, cloudjunky, codexploder, cryptphi, delfin454000, durianSausage, fatherOfBlocks, hake, hansfriese, hyh, jonatascm, m_Rassska, oyc_109, peritoflores, rajatbeladiya, rbserver, svskaushik, zzzitron
3.4075 USDC - $3.41
Some tokens don't follow the ERC20 standard. For example, some don't revert on failure but instead just return false. With your current implementation, you won't catch these cases. Your contract will continue the transaction believing that the transfer was successful. Here's a good repo on that: https://github.com/d-xo/weird-erc20
Because of that, it's recommended to use OpenZeppelin's SafeERC20 library.
none
Use SafeERC20.
#0 - mejango
2022-07-12T18:13:23Z
sup of #281
🌟 Selected for report: berndartmueller
781.4991 USDC - $781.50
The fee calculation seems to be wrong. The formula you use is: $x - x * MaxFee / (fee + MaxFee)$. But instead you should use $x * fee / MaxFee$.
Using the default values: $x = 100,000,000,000$ $fee = 25,000,000$ $MaxFee = 100,000,000,000$ You take: instead of:
none
Use the other formula to compute the fees:
return PRBMath.mulDiv(_amount, _discountedFee, JBConstants.MAX_FEE);
#0 - mejango
2022-07-12T15:43:29Z
_amount in this case is pre-fee. So an amount of 110 with a 10% fee should result in a fee of 10. 110 - (110 * 1/ 1.1) = 10.
#1 - jack-the-pug
2022-07-24T02:01:22Z
Duplicate of #275