Platform: Code4rena
Start Date: 28/09/2023
Pot Size: $36,500 USDC
Total HM: 5
Participants: 115
Period: 6 days
Judge: 0xDjango
Total Solo HM: 1
Id: 290
League: ETH
Rank: 100/115
Findings: 1
Award: $4.37
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Bauchibred
Also found by: 0x3b, 0xDetermination, 0xMosh, 0xScourgedev, 0xTheC0der, 0xTiwa, 0xWaitress, 0xdice91, 0xfusion, 0xpiken, 0xprinc, 0xweb3boy, ArmedGoose, Aymen0909, Breeje, Brenzee, Daniel526, DavidGiladi, DeFiHackLabs, Flora, Fulum, HChang26, Hama, IceBear, J4X, Krace, KrisApostolov, Maroutis, Mirror, MohammedRizwan, Norah, PwnStars, SPYBOY, TangYuanShen, Testerbot, ThreeSigma, Tricko, al88nsk, alexweb3, ast3ros, berlin-101, bin2chen, blutorque, btk, d3e4, deth, e0d1n, ether_sky, ge6a, gkrastenov, glcanvas, hals, imare, inzinko, jkoppel, jnforja, joaovwfreire, josephdara, kutugu, lotux, lsaudit, mahdirostami, merlin, n1punp, nadin, neumo, nisedo, nobody2018, oakcobalt, orion, peanuts, pep7siup, pina, ptsanev, rokinot, rvierdiiev, said, santipu_, sashik_eth, seerether, squeaky_cactus, terrancrypt, tonisives, twicek, vagrant, xAriextz, y4y
4.3669 USDC - $4.37
| Identifier | Issue |
|---|---|
| L-01 | Consider using `continue` instead of reverting in `Prime::updateScores()`. |
| L-02 | Consider limiting `_alphaDenominator` max value. |
| QA-01 | Fix `UpdatedAssetsState` NatSpec. |
| QA-02 | Fix `getAllMarkets()` NatSpec. |
| QA-03 | Typos. |
L-01: Consider using `continue` instead of reverting in `Prime::updateScores()`

Reverting when a user doesn't hold Prime tokens may open possibilities for malicious users to DoS `Prime::updateScores()`. To illustrate this point, consider the following scenario: a malicious user front-runs the `updateScores` transaction, unstakes his XVS tokens, resulting in his token being burned, and subsequently causing `updateScores` to revert. To mitigate this risk, consider using the `continue` statement to skip the specific loop iteration for users who currently do not possess Prime tokens, rather than reverting, as shown below.
function updateScores(address[] memory users) external { if (pendingScoreUpdates == 0) revert NoScoreUpdatesRequired(); if (nextScoreUpdateRoundId == 0) revert NoScoreUpdatesRequired(); for (uint256 i = 0; i < users.length; ) { address user = users[i]; - if (!tokens[user].exists) revert UserHasNoPrimeToken(); + if (!tokens[user].exists) continue; if (isScoreUpdated[nextScoreUpdateRoundId][user]) continue;
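Review bot: the loop header `for (uint256 i = 0; i < users.length; )` has no increment clause, so the proposed `if (!tokens[user].exists) continue;` (like the existing `continue` on the `isScoreUpdated` line) jumps straight back to the loop condition without advancing `i` if the increment sits at the end of the loop body; the same user would then be evaluated again on every iteration and the call would never terminate. Suggest either moving the increment into the header (`for (uint256 i = 0; i < users.length; ++i)`) or placing `unchecked { ++i; }` before each `continue`, and stating in the NatSpec that users without a Prime token are skipped rather than rejected.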
L-02: Consider limiting `_alphaDenominator` max value

`_checkAlphaArguments` verifies newly set alpha parameters. However, it only checks whether `_alphaDenominator == 0` and `_alphaNumerator > _alphaDenominator`. Setting `_alphaNumerator` or `_alphaDenominator` high enough can make `Scores::calculateScore()` always revert due to the conversion to `int256`. Consider checking that `_alphaDenominator <= type(int256).max`.
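As an added illustration, not the audited project's code, the following hypothetical contract places the two existing checks beside the upper bound proposed above, and shows a checked unsigned-to-signed conversion of the kind that makes a signed score computation revert on every call once an oversized denominator has been stored. The contract name, the `uint256` parameter types, the error names and the `_toInt256` helper are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Illustrative contract (assumption: not Venus Prime code). It stores
///         the two alpha parameters, validates them on update, and converts
///         them to int256 the way a signed fixed-point exponent would.
contract AlphaBoundsExample {
    error InvalidAlphaArguments();
    error DoesNotFitInInt256(uint256 value);

    uint256 public alphaNumerator;
    uint256 public alphaDenominator;

    /// @dev Weak validation: rejects a zero denominator and alpha > 1, but
    ///      still accepts values above type(int256).max, which later break
    ///      the signed conversion in the score formula.
    function _checkAlphaArgumentsWeak(
        uint256 _alphaNumerator,
        uint256 _alphaDenominator
    ) internal pure {
        if (_alphaDenominator == 0) revert InvalidAlphaArguments();
        if (_alphaNumerator > _alphaDenominator) revert InvalidAlphaArguments();
    }

    /// @dev Hardened validation: additionally bounds the denominator, so both
    ///      parameters are guaranteed to fit in int256 (numerator <= denominator).
    function _checkAlphaArgumentsHardened(
        uint256 _alphaNumerator,
        uint256 _alphaDenominator
    ) internal pure {
        if (_alphaDenominator == 0) revert InvalidAlphaArguments();
        if (_alphaNumerator > _alphaDenominator) revert InvalidAlphaArguments();
        if (_alphaDenominator > uint256(type(int256).max)) revert InvalidAlphaArguments();
    }

    /// @notice Stores new alpha parameters after the hardened check.
    function updateAlpha(uint256 _alphaNumerator, uint256 _alphaDenominator) external {
        _checkAlphaArgumentsHardened(_alphaNumerator, _alphaDenominator);
        alphaNumerator = _alphaNumerator;
        alphaDenominator = _alphaDenominator;
    }

    /// @dev Checked unsigned-to-signed cast with the same revert-on-overflow
    ///      behaviour as a SafeCast-style toInt256 (assumption about the cast
    ///      the score library uses). A plain int256(value) would instead wrap
    ///      silently to a negative number.
    function _toInt256(uint256 value) internal pure returns (int256) {
        if (value > uint256(type(int256).max)) revert DoesNotFitInInt256(value);
        return int256(value);
    }

    /// @notice Stand-in for the signed arithmetic a score formula performs with
    ///         alpha (lnRatio * alpha). With only the weak check in place an
    ///         oversized denominator makes this revert on every call; with the
    ///         hardened check such a denominator can never be stored.
    function scaledExponent(int256 lnRatio) external view returns (int256) {
        return (lnRatio * _toInt256(alphaNumerator)) / _toInt256(alphaDenominator);
    }
}
```

With the weak check, a call such as `updateAlpha(1, 2**255)` would be accepted and every subsequent `scaledExponent` call would revert with `DoesNotFitInInt256`; with the hardened check the `updateAlpha` call itself reverts with `InvalidAlphaArguments`, so the contract can never enter the always-reverting state.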
QA-01: Fix `UpdatedAssetsState` NatSpec.
- /// @notice Emitted asset state is update by protocol share reserve + /// @notice Emitted when asset state is update by protocol share reserve event UpdatedAssetsState(address indexed comptroller, address indexed asset);
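Review bot: the replacement line still reads "asset state is update by"; the verb should be "updated". Suggest `/// @notice Emitted when asset state is updated by protocol share reserve` so the corrected comment does not carry over the second grammatical error.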
QA-02: Fix `getAllMarkets()` NatSpec.
/** * @notice Retrieves an array of all available markets - * @return an array of addresses representing all available markets + * @return allMarkets an array of addresses representing all available markets */ function getAllMarkets() external view returns (address[] memory) { return allMarkets; }
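Review bot: the function signature returns an unnamed `address[] memory`, so the leading word in `@return allMarkets an array of addresses ...` is not bound to any return variable and the compiler simply treats it as the start of the description. Either name the return value in the signature (`returns (address[] memory allMarkets)`) so the tag documents it, or keep the `@return` text without the name; as written the change is cosmetic.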
QA-03: Typos
- * @notice accrues interes and updates score for an user for a specific market + * @notice accrues interest and updates score for an user for a specific market
- * @notice accrues interes and updates score of all markets for an user + * @notice accrues interest and updates score of all markets for an user
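Review bot: both corrected lines keep "for an user", which should be "for a user" (the article is chosen by the spoken "y" sound). Suggest fixing it in the same edit, e.g. `* @notice accrues interest and updates score for a user for a specific market` and `* @notice accrues interest and updates score of all markets for a user`.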
#0 - c4-pre-sort
2023-10-07T02:20:01Z
0xRobocop marked the issue as low quality report
#1 - c4-judge
2023-11-03T02:25:18Z
fatherGoose1 marked the issue as grade-b