Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 37/101
Findings: 1
Award: $33.60
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
33.5953 USDC - $33.60
I recommend adding check of 0-address for input validation of critical address parameters. Not doing so might lead to non-functional contract and have to redeploy the contract, when it is updated to 0-address accidentally.
Total of 4 instances found.
cTokens addresses of constructor() of RariMerkleRedeemer.sol https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L41-42 https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L124-L135 https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L137-L145
_core address of constructor() of MerkleRedeemerDripper.sol https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/fuse/MerkleRedeemerDripper.sol#L16 https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/refs/CoreRef.sol#L19
redeemedToken address of constructor() of TribeRedeemer.sol https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/redeem/TribeRedeemer.sol#L32
tokensReceived addresses of constructor() of TribeRedeemer.sol https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/redeem/TribeRedeemer.sol#L33
Add 0-address check for above addresses.
 
There is a wrong error message in the following.
require(_cTokens.length == 27, "Must provide exactly 27 exchange rates.");
Error message should be
require(_cTokens.length == 27, "Must provide exactly 27 cToken");
require(_cTokens.length == 27, "Must provide exactly 27 merkle roots");
Error message should be
require(_cTokens.length == 27, "Must provide exactly 27 cToken");
Change to correct error message as mentioned in above PoC
 
Several function adds return statement even thought named returns variable are used. Remove unnecessary named returns variable to improve code readability. Also keeping the use of named returns or return statement consistent through out the whole project if possible is recommended.
Total of 1 instance found.
Remove unused named returns variable and keep the use of named returns or return statement consistent through out the whole project if possible.
 
Constants should be named with all capital letters with underscores separating words. Reference: https://docs.soliditylang.org/en/v0.8.15/style-guide.html?highlight=naming#constants
Total of 8 instances found.
./SimpleFeiDaiPSM.sol:75: address public constant balanceReportedIn = address(DAI); ./SimpleFeiDaiPSM.sol:92: uint256 public constant mintFeeBasisPoints = 0; ./SimpleFeiDaiPSM.sol:93: uint256 public constant redeemFeeBasisPoints = 0; ./SimpleFeiDaiPSM.sol:94: address public constant underlyingToken = address(DAI); ./SimpleFeiDaiPSM.sol:95: uint256 public constant getMaxMintAmountOut = type(uint256).max; ./SimpleFeiDaiPSM.sol:96: bool public constant paused = false; ./SimpleFeiDaiPSM.sol:97: bool public constant redeemPaused = false; ./SimpleFeiDaiPSM.sol:98: bool public constant mintPaused = false;
Name the constants with all capital letters with underscores separating words.
 
It is best practice to define magic numbers to constant rather than just using as a magic number. This improves code readability and maintainability.
./RariMerkleRedeemer.sol:130: _exchangeRates[i] > 1e10,
./RariMerkleRedeemer.sol:85: return (cTokenExchangeRates[cToken] * amount) / 1e18;
Define magic numbers to constant.
 
Each event should have 3 indexed fields if there are 3 or more fields.
Total of 3 instances found.
./SimpleFeiDaiPSM.sol:27: event Redeem(address to, uint256 amountFeiIn, uint256 amountAssetOut); ./SimpleFeiDaiPSM.sol:29: event Mint(address to, uint256 amountIn, uint256 amountFeiOut); ./TribeRedeemer.sol:14: event Redeemed(address indexed owner, address indexed receiver, uint256 amount, uint256 base);
Use all 3 index fields when possible.
 
It is best practice to lock your pragma instead of using floating pragma. The use of floating pragma has a risk of accidentally get deployed using latest complier which may have higher risk of undiscovered bugs. Reference: https://consensys.github.io/smart-contract-best-practices/development-recommendations/solidity-specific/locking-pragmas/
Total of 2 instances found.
./SimpleFeiDaiPSM.sol:2:pragma solidity ^0.8.4; ./TribeRedeemer.sol:2:pragma solidity ^0.8.4;
I suggest to lock your pragma and aviod using floating pragma.
// bad pragma solidity ^0.8.10; // good pragma solidity 0.8.10;