Centrifuge - SanketKogekar's results

The institutional ecosystem for on-chain credit.

General Information

Platform: Code4rena

Start Date: 08/09/2023

Pot Size: $70,000 USDC

Total HM: 8

Participants: 84

Period: 6 days

Judge: gzeon

Total Solo HM: 2

Id: 285

League: ETH

Centrifuge

Findings Distribution

Researcher Performance

Rank: 81/84

Findings: 1

Award: $12.79

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

12.7917 USDC - $12.79

Labels

bug
grade-b
QA (Quality Assurance)
sufficient quality report
Q-19

  1. The member view function does not return anything:

    function member(address user) public view {
        require((members[user] >= block.timestamp), "RestrictionManager/destination-not-a-member");
    }

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/RestrictionManager.sol#L45-L47

  2. Missing address(0) check in contract constructors and in functions like addLiquidityPool, removeLiquidityPool, etc.

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/Tranche.sol#L48-L56

  3. It is strongly recommended to use an ECDSA library to prevent several signature-related vulnerabilities.

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/ERC20.sol#L206-L207

  4. The name and symbol remain uninitialized, as they are never assigned a value.

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/ERC20.sol#L19-L20

  5. Self-transfers can be prevented by adding the checks:

to != msg.sender

and

to != from

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/ERC20.sol#L90-L129

  6. _delay is not compared with MAX_DELAY and could be set to a value even greater.

The following check is missing:

require(_delay <= MAX_DELAY, "_delay is greater than maxDelay")

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/Root.sol#L36-L37

  7. pause() should execute only if paused == false, to avoid emitting an unnecessary event, and vice versa for unpause().

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/Root.sol#L54-L62

  8. addIncomingRouter() should execute only if router == false, to avoid emitting an unnecessary event, and vice versa for removeIncomingRouter().

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/gateway/Gateway.sol#L137-L145

  9. addPauser() should execute only if pausers[user] == 0, to avoid emitting an unnecessary event, and vice versa for removePauser().

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/admins/PauseAdmin.sol#L33-L42
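The following contract is an added example, written for this page and not taken from the Centrifuge code base or the report, that gathers the recommendations above (items 1, 2, 3, 6, 7 and 9) into one hardened pattern: zero-address checks in the constructor and setters, a bounded delay, admin setters that change state and emit only when the state actually changes, a membership view that returns a value next to the reverting one, and signature recovery guarded against the malleability an ECDSA library would catch. The contract name, the `escrow` parameter, the `HALF_N` constant and the event names are assumptions for illustration; access control on the admin functions is deliberately omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Hypothetical contract, added as an example; not Centrifuge code.
// Admin functions have no access control here: the point is the checks.
contract HardenedAdmin {
    uint256 public constant MAX_DELAY = 4 weeks;
    // secp256k1 group order / 2: the largest canonical `s` (EIP-2), the same
    // bound OpenZeppelin's ECDSA.recover enforces to reject malleable signatures.
    bytes32 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public immutable escrow; // assumed dependency, checked against address(0)
    uint256 public delay;
    bool public paused;
    mapping(address => uint256) public pausers;  // user => 1 if pauser
    mapping(address => uint256) public members;  // user => membership expiry

    event Pause();
    event Unpause();
    event AddPauser(address indexed user);
    event RemovePauser(address indexed user);

    constructor(address _escrow, uint256 _delay) {
        require(_escrow != address(0), "HardenedAdmin/escrow-is-zero");
        require(_delay <= MAX_DELAY, "HardenedAdmin/delay-too-long");
        escrow = _escrow;
        delay = _delay;
    }

    // Only flip and emit on a real transition; a second pause() is a no-op.
    function pause() external {
        if (paused) return;
        paused = true;
        emit Pause();
    }

    function unpause() external {
        if (!paused) return;
        paused = false;
        emit Unpause();
    }

    function addPauser(address user) external {
        require(user != address(0), "HardenedAdmin/user-is-zero");
        if (pausers[user] == 1) return; // already a pauser: no duplicate event
        pausers[user] = 1;
        emit AddPauser(user);
    }

    function removePauser(address user) external {
        if (pausers[user] == 0) return;
        pausers[user] = 0;
        emit RemovePauser(user);
    }

    // Reverting check, as in the report's snippet, kept for callers that want
    // to fail fast; built on a view that actually returns the answer.
    function member(address user) public view {
        require(isMember(user), "HardenedAdmin/destination-not-a-member");
    }

    function isMember(address user) public view returns (bool) {
        return members[user] >= block.timestamp;
    }

    // Raw ecrecover with the three checks a library such as OpenZeppelin's
    // ECDSA performs: canonical s, valid v, and a non-zero recovered address.
    function recoverSigner(bytes32 digest, uint8 v, bytes32 r, bytes32 s)
        public
        pure
        returns (address)
    {
        require(uint256(s) <= uint256(HALF_N), "HardenedAdmin/non-canonical-s");
        require(v == 27 || v == 28, "HardenedAdmin/bad-v");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "HardenedAdmin/invalid-signature");
        return signer;
    }
}
```

The `if (...) return;` guards make the setters idempotent without reverting, so an operator script that retries a transaction does not fail on the second attempt; if a revert on repeated calls is preferred, replace the early returns with `require` statements. The `recoverSigner` checks matter because `ecrecover` returns address(0) on an invalid signature, which passes a naive `signer == owner` comparison when `owner` is also zero, and because a high-`s` signature is a second valid signature for the same message that a nonce-less replay check would not catch.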

#0 - c4-pre-sort

2023-09-17T01:29:25Z

raymondfam marked the issue as sufficient quality report

#1 - c4-judge

2023-09-26T17:44:11Z

gzeon-c4 marked the issue as grade-b
