Mimo August 2022 contest - Sm4rty's results

Bridging the chasm between the DeFi world and the world of regulated financial institutions.

General Information

Platform: Code4rena

Start Date: 02/08/2022

Pot Size: $50,000 USDC

Total HM: 12

Participants: 69

Period: 5 days

Judge: gzeon

Total Solo HM: 5

Id: 150

League: ETH

Mimo DeFi

Findings Distribution

Researcher Performance

Rank: 50/69

Findings: 1

Award: $69.66

🌟 Selected for report: 0

🚀 Solo Findings: 0

1. Avoid use of floating pragma

Impact

Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.

Instances

contracts/proxy/MIMOProxyFactory.sol
contracts/proxy/MIMOProxy.sol
contracts/proxy/MIMOProxyRegistry.sol
contracts/proxy/interfaces/IMIMOProxyFactory.sol
contracts/proxy/interfaces/IMIMOProxyRegistry.sol
contracts/proxy/interfaces/IMIMOProxy.sol

contracts/proxy/MIMOProxyFactory.sol:2:pragma solidity >=0.8.4;
contracts/proxy/MIMOProxy.sol:2:pragma solidity >=0.8.4;
contracts/proxy/MIMOProxyRegistry.sol:2:pragma solidity >=0.8.4;
contracts/proxy/interfaces/IMIMOProxyFactory.sol:2:pragma solidity ^0.8.4;
contracts/proxy/interfaces/IMIMOProxyRegistry.sol:2:pragma solidity ^0.8.4;
contracts/proxy/interfaces/IMIMOProxy.sol:2:pragma solidity ^0.8.4;

Recommendation: lock the pragma to the single compiler version the contracts were tested with, instead of the open-ended ">=0.8.4" and "^0.8.4" ranges used above.


2. USE A MORE RECENT VERSION OF SOLIDITY

Use a Solidity version of at least 0.8.13, which adds the ability to use the "using ... for" directive with a list of free functions.

Instances:

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxyFactory.sol#L13

contracts/proxy/MIMOProxyFactory.sol:13: using Clones for address;

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOLeverage.sol#L15

contracts/actions/MIMOLeverage.sol:15: using SafeERC20 for IERC20;

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/automated/MIMOAutoRebalance.sol#L25

contracts/actions/automated/MIMOAutoRebalance.sol:24: using SafeERC20 for IERC20;
contracts/actions/automated/MIMOAutoRebalance.sol:25: using WadRayMath for uint256;

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOFlashloan.sol#L16

contracts/actions/MIMOFlashloan.sol:16: using SafeERC20 for IERC20;

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOVaultActions.sol#L17

contracts/actions/MIMOVaultActions.sol:17: using SafeERC20 for IERC20;

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/managed/MIMOManagedAction.sol#L10

contracts/actions/managed/MIMOManagedAction.sol:10: using WadRayMath for uint256;

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/managed/MIMOManagedRebalance.sol

contracts/actions/managed/MIMOManagedRebalance.sol:17: using SafeERC20 for IERC20;
contracts/actions/managed/MIMOManagedRebalance.sol:18: using WadRayMath for uint256;

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOSwap.sol#L17

contracts/actions/MIMOSwap.sol:17: using SafeERC20 for IERC20;

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOEmptyVault.sol#L15

contracts/actions/MIMOEmptyVault.sol:15: using SafeERC20 for IERC20;

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMORebalance.sol

contracts/actions/MIMORebalance.sol:15: using SafeERC20 for IERC20;

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/automated/MIMOAutoAction.sol#L10

contracts/actions/automated/MIMOAutoAction.sol:10: using WadRayMath for uint256;

References:

https://code4rena.com/reports/2022-05-sturdy/#n-06-use-a-more-recent-version-of-solidity


3. Multiple initialization due to initialize function not having initializer modifier.

Description

Without an initializer guard, initialize() can be called more than once. An attacker can initialize the contract first, take malicious actions while in control of it, and then let the project re-initialize it, all without any error being raised that would make the earlier initialization noticeable.

Instances

contracts/proxy/interfaces/IMIMOProxy.sol:17
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/interfaces/IMIMOProxy.sol#L17

contracts/proxy/interfaces/IMIMOProxy.sol:17: function initialize() external;
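The following is added illustration, not the Mimo project's own code: a minimal proxy-style contract whose initialize() sets the owner, shown first without any guard (so it can be re-initialized any number of times) and then with a one-shot initializer modifier that does the same job as the one in OpenZeppelin's Initializable. Contract, error and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
// Added example for the finding above; not the Mimo project's code.
// Names (ReinitializableProxy, GuardedProxy, AlreadyInitialized) are hypothetical.
pragma solidity 0.8.13; // pinned, per finding 1

// Vulnerable shape: nothing records that initialize() already ran, so any
// later call silently replaces the owner.
contract ReinitializableProxy {
    address public owner;

    function initialize() external {
        owner = msg.sender;
    }
}

// Hardened shape: a one-shot guard equivalent to OpenZeppelin's `initializer`
// modifier. The second call reverts instead of overwriting state.
contract GuardedProxy {
    address public owner;
    bool private _initialized;

    error AlreadyInitialized();

    modifier initializer() {
        if (_initialized) revert AlreadyInitialized();
        _initialized = true;
        _;
    }

    function initialize() external initializer {
        owner = msg.sender;
    }
}
```

A regression test that calls initialize() twice on a freshly deployed instance and expects the second call to revert makes the guard's presence checkable in CI; when the project uses a clone or upgradeable pattern, the same check should be applied to the implementation contract, not only to the proxies.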

4. EVENT IS MISSING INDEXED FIELDS

Each event should use three indexed fields if it has three or more fields.

There are 2 instances:
contracts/proxy/interfaces/IMIMOProxy.sol:9
contracts/proxy/interfaces/IMIMOProxyFactory.sol:11

contracts/proxy/interfaces/IMIMOProxy.sol:9: event Execute(address indexed target, bytes data, bytes response);
contracts/proxy/interfaces/IMIMOProxyFactory.sol:11: event DeployProxy(address indexed deployer, address indexed owner, address proxy);

5. Unused/Empty receive()/fallback function

If the intention is for the Ether to be used, the function should call another function; otherwise it should revert (e.g. require(msg.sender == address(weth))).

There is 1 instance of this issue: contracts/proxy/MIMOProxy.sol:38

contracts/proxy/MIMOProxy.sol:38: receive() external payable {}
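Added example code, not the Mimo project's implementation, that brings together the three QA points from findings 1, 4 and 5 in one contract: a pinned pragma, events with indexed address fields, and a receive() that only accepts Ether from a known sender and reverts otherwise. The weth address, the execute() helper and the error names are hypothetical and exist only to give the events and the guard something to do.

```solidity
// SPDX-License-Identifier: MIT
// Added example for findings 1, 4 and 5; not the Mimo project's code.
pragma solidity 0.8.13; // fixed version, not ">=0.8.4" or "^0.8.4"

contract GuardedReceiveProxy {
    address public immutable weth; // hypothetical: the only contract expected to send Ether
    address public owner;

    // Finding 4: all three DeployProxy fields are addresses, so all three can be
    // indexed directly. For Execute the dynamic `bytes` fields are left
    // unindexed on purpose: an indexed bytes field stores only its keccak256
    // hash in the topic, so the raw data would no longer be readable from the log.
    event DeployProxy(address indexed deployer, address indexed owner, address indexed proxy);
    event Execute(address indexed target, bytes data, bytes response);

    error NotOwner(address caller);
    error ExecuteFailed(address target);
    error UnexpectedEther(address sender);

    constructor(address weth_) {
        weth = weth_;
        owner = msg.sender;
    }

    // Owner-only passthrough call, included so the Execute event is emitted
    // with a real target/data/response triple.
    function execute(address target, bytes calldata data)
        external
        returns (bytes memory response)
    {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        bool ok;
        (ok, response) = target.call(data);
        if (!ok) revert ExecuteFailed(target);
        emit Execute(target, data, response);
    }

    // Finding 5: Ether is only expected as proceeds of a WETH unwrap. Any other
    // sender reverts instead of having its Ether silently accepted and stuck.
    receive() external payable {
        if (msg.sender != weth) revert UnexpectedEther(msg.sender);
    }
}
```

A plain transfer from an account other than weth now reverts with UnexpectedEther, which is the behaviour the finding recommends; if the proxy genuinely needs to hold Ether from arbitrary senders, the receive() body should instead forward the value into the function that consumes it.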