Back to Tadashi's contests

Aura Finance contest - Tadashi's results

Providing optimal incentives for VotingEscrow systems.

General Information

Platform: Code4rena

Start Date: 11/05/2022

Pot Size: $150,000 USDC

Total HM: 23

Participants: 93

Period: 14 days

Judge: LSDan

Total Solo HM: 18

Id: 123

League: ETH

Aura Finance

Findings Distribution

Researcher Performance

Rank: 49/93

Findings: 2

Award: $233.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAura Finance

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x4non, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 242, AlleyCat, BouSalman, BowTiedWardens, CertoraInc, Chom, Cityscape, FSchmoede, Funen, GimelSec, Hawkeye, JC, JDeryl, Kaiziron, Kthere, Kumpa, MaratCerby, MiloTruck, Nethermind, NoamYakov, PPrieditis, QuantumBrief, Rolezn, Ruhum, SmartSek, SooYa, Tadashi, TerrierLover, WatchPug, Waze, _Adam, asutorufos, berndartmueller, bobirichman, c3phas, catchup, cccz, ch13fd357r0y3r, cryptphi, csanuragjain, cthulhu_cult, defsec, delfin454000, ellahi, fatherOfBlocks, hansfriese, hubble, hyh, jayjonah8, joestakey, kenta, kenzo, kirk-baird, mics, oyc_109, p_crypt0, reassor, robee, sach1r0, samruna, sashik_eth, sikorico, simon135, sorrynotsorry, sseefried, tintin, unforgiven, z3s, zmj

Awards

150.0334 USDC - $150.03

Labels

bug
duplicate
QA (Quality Assurance)

External Links

Link to GitHub issue

Missing inheritances

Details: Decoupling an interface from its implementation can cause technical drift and also unease 3rd party integrations with the code.

Slither detected the following missing inheritances:

  • AuraBalRewardPool (contracts/AuraBalRewardPool.sol:23-221) should inherit from IRewardStaking (contracts/AuraLocker.sol#12-14)
  • CrvDepositorWrapper (contracts/CrvDepositorWrapper.sol:104-142) should inherit from ICrvDepositor (contracts/AuraStakingProxy.sol#10-19)
  • DepositToken (convex-platform/contracts/contracts/DepositToken.sol:17-59) should inherit from ITokenMinter (convex-platform/contracts/contracts/Interfaces.sol#91-94)
  • ExtraRewardStashV3 (convex-platform/contracts/contracts/ExtraRewardStashV3.sol:25-222) should inherit from IStash (convex-platform/contracts/contracts/Interfaces.sol#78-83)
  • RewardHook (convex-platform/contracts/contracts/RewardHook.sol:18-51) should inherit from IRewardHook (convex-platform/contracts/contracts/interfaces/IRewardHook.sol#5-8)
  • StashFactoryV2 (convex-platform/contracts/contracts/StashFactoryV2.sol:16-104) should inherit from IStashFactory (convex-platform/contracts/contracts/Interfaces.sol#124-126)
  • TokenFactory (convex-platform/contracts/contracts/TokenFactory.sol:17-48) should inherit from ITokenFactory (convex-platform/contracts/contracts/Interfaces.sol#128-130)
  • cvxCrvToken (convex-platform/contracts/contracts/cCrv.sol:17-61) should inherit from ITokenMinter (convex-platform/contracts/contracts/Interfaces.sol#91-94)

Impact: Code QA

Missing event for critical operations

Details: Consider emitting an event for these critical parameter changes ****for off-chain monitoring:

  • setOwner in PoolManagerProxy.sol (L43)
  • setOperator in PoolManagerProxy.sol (L48)
  • setOwner in PoolManagerSecondaryProxy.sol (L58)
  • setOperator in PoolManagerSecondaryProxy.sol (L63)

Impact: Low risk

Name of contract is different from contract file name

Details: ArbitartorVault.sol should be ArbitratorVault.sol

Impact: Informational

Typos

  • ammount should be amount in L117 of CrvDepositor.sol

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, BowTiedWardens, CertoraInc, DavidGialdi, FSchmoede, Fitraldys, Funen, GimelSec, Hawkeye, JC, Kaiziron, Kthere, MaratCerby, MiloTruck, NoamYakov, QuantumBrief, Randyyy, Ruhum, SmartSek, SooYa, Tadashi, TerrierLover, Tomio, UnusualTurtle, WatchPug, Waze, _Adam, antonttc, asutorufos, bobirichman, c3phas, catchup, csanuragjain, cthulhu_cult, defsec, delfin454000, ellahi, fatherOfBlocks, hansfriese, hyh, jayjonah8, joestakey, kenta, marcopaladin, mics, minhquanym, orion, oyc_109, reassor, rfa, robee, sach1r0, samruna, sashik_eth, sikorico, simon135, unforgiven, z3s, zmj

Awards

83.2512 USDC - $83.25

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

Redundant check can be removed

Details: The check on L75 of CrvDepositor.sol can be simplified to

if(_lockIncentive <= 30){

since _lockIncentive is an uint256 and hence always greater or equal to 0.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter