Platform: Code4rena
Start Date: 31/03/2022
Pot Size: $75,000 USDC
Total HM: 7
Participants: 42
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 5
Id: 102
League: ETH
Rank: 22/42
Findings: 2
Award: $204.69
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rayn
Also found by: 0xDjango, 0xkatana, 0xkowloon, BouSalman, CertoraInc, Dravee, Funen, Hawkeye, IllIllI, Jujic, Kenshin, Kthere, Meta0xNull, Sleepy, TerrierLover, async, aysha, berndartmueller, catchup, cccz, cmichel, csanuragjain, danb, defsec, georgypetrov, hake, hubble, kenta, kyliek, pauliax, rfa, robee, sahar, shenwilly, teryanarmen
125.7841 USDC - $125.78
Unlocked pragma enabling different solc versions i.e 0.8.0 in some and 0.8.4 in others across contracts each with their own bugs and quirks. A more recent compiler version typically results in more gas-efficient compilation and greater safety checks. Solc versions lower than 0.8.9 are typically susceptible to compiler bugs like Keccak Caching, ABI decoder bug for multi-dimensional memory arrays, signed immutables, and user-defined value types bug.
Lock the pragma and upgrade the compiler version to at least 0.8.10
In lines 47 and 61 of PCVDeposit.sol and CompoundPCVDepositBase.sol respectively, there are functions defined that lack any logic within (missing) curly braces.
https://github.com/code-423n4/2022-03-volt/blob/f1210bf3151095e4d371c9e9d7682d9031860bbd/contracts/pcv/PCVDeposit.sol#L47 https://github.com/code-423n4/2022-03-volt/blob/f1210bf3151095e4d371c9e9d7682d9031860bbd/contracts/pcv/compound/CompoundPCVDepositBase.sol#L61
Implement the missing logic
In line 14 of Core.sol and line 191 of CoreRef.solthe comments mention that thevoltand_volt` state variables are addresses of the Fei contract as a remnant of the Fei protocol it was forked from. This could cause confusion to anyone reading through the comments.
Rename the relevant sections in the comments appropriately.
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0xNazgul, 0xkatana, 0xkowloon, CertoraInc, Dravee, Funen, Hawkeye, Jujic, Kenshin, Meta0xNull, Sleepy, TerrierLover, catchup, csanuragjain, defsec, georgypetrov, kenta, okkothejawa, rayn, rfa, robee, saian, samruna
78.9108 USDC - $78.91
In lines 18 to 25 of CoreRef.sol, a series of addresses are assigned to state variables. Two of these are sourced via an external call rather than argument input. This is essentially reading from cold storage(2100 gas) with an external call and then writing into storage vs writing to storage directly which is cheaper.
Get rid of the external call view function calls and input the data directly.