Platform: Code4rena
Start Date: 01/08/2022
Pot Size: $50,000 USDC
Total HM: 26
Participants: 133
Period: 5 days
Judge: Jack the Pug
Total Solo HM: 6
Id: 151
League: ETH
Rank: 21/133
Findings: 3
Award: $491.95
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: scaraven
Also found by: 0x52, Deivitto, Lambda, TrungOre, auditor0517, hansfriese, rbserver, simon135, smiling_heretic, sseefried
165.6336 USDC - $165.63
https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Community.sol#L684-L694
Community's owner lose amount of interest from project (up to half of total interest)
When builder repay any loan amount by function repayLender() (or community call function lendToProject()), function claimInterest() in contract Community will be called and then calculate the interest in function returnToLender()
It will calculate number of days difference current and last timestamp
uint256 _noOfDays = (block.timestamp - _communityProject.lastTimestamp) / 86400; // 24*60*60
Here, the calculation skipped (block.timestamp - _communityProject.lastTimestamp) % 86400 seconds. The more number of calls repayLender() and lendToProject(), the more time was skipped.
After that:
uint256 _unclaimedInterest = _lentAmount * _communities[_communityID].projectDetails[_project].apr * _noOfDays / 365000;
When _unclaimedInterest > 0 (means _noOfDays > 0), variable lastTimestamp will be updated in function claimInterst(). Then amount of redundant seconds will be accrued (can up to a half of total time).
Builder will call repayLender() (any amount > 0, such as 1 wei) continuously with number of seconds difference is smaller and close to 86400 * 2. After 1 year (365 days), the total interest was calculated by about 183 days, then community's owner has lost almost half of total interest which should be claimed from this project.
Manual review
Should calculate the interest based unit seconds instead of days.
uint256 _differentTime = block.timestamp - _communityProject.lastTimestamp; uint256 _unclaimedInterest = _lentAmount * _communities[_communityID].projectDetails[_project].apr * differentTime / (365000 * 86400);
#0 - horsefacts
2022-08-06T20:40:23Z
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFiProxy.sol#L87-L89 https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFiProxy.sol#L216-L230
Lose control of deployed proxy
HomeFi Proxy is responsible for initializing all the modules contract in the correct sequential order and generate upgradable proxy for them. But after generating proxy for each module, it didn't call initialize for that contract. It can lead to scenario that attacker/miner can front-run to initialize() the contract first and take control of that contract.
In some cases, because of the carelessness of deployer, they doesn't check the transaction initialize() that they call reverted or not can lead to some bad scenarios (because the module contracts is controlled by someone else).
Manual review
call initialize() after generateProxy() in the same transaction
#0 - parv3213
2022-08-11T17:47:39Z
duplicate of #6
🌟 Selected for report: Lambda
Also found by: 0x1f8b, 0x52, 0xA5DF, 0xNazgul, 0xNineDec, 0xSmartContract, 0xSolus, 0xf15ers, 0xkatana, 0xsolstars, 8olidity, Aymen0909, Bahurum, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, Extropy, Funen, GalloDaSballo, Guardian, IllIllI, JC, Jujic, MEP, Noah3o6, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, SooYa, Soosh, Throne6g, TomJ, Tomio, TrungOre, Waze, Yiko, _Adam, __141345__, a12jmx, ajtra, ak1, arcoun, asutorufos, ayeslick, benbaessler, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, byndooa, c3phas, codexploder, cryptonue, cryptphi, defsec, delfin454000, dipp, djxploit, erictee, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, horsefacts, hyh, ignacio, indijanc, joestakey, kaden, mics, minhquanym, neumo, obront, oyc_109, p_crypt0, pfapostol, poirots, rbserver, robee, rokinot, rotcivegaf, sach1r0, saian, samruna, saneryee, scaraven, sikorico, simon135, sseefried, supernova
40.6234 USDC - $40.62
tags: c4, 2022-08-rigor, QA
tokenCurrency1, tokenCurrency2, tokenCurrency3 is not used anywhere in the contract except setting it equal to homeFi.tokenCurrency in initialize() function.
Consider to remove these variable
mintNFT() no need to returnhttps://github.com/code-423n4/2022-08-rigor/blob/main/contracts/HomeFi.sol#L284-L297
projectCount is global variable so it can be used instead of return variable from mintNFT(). And the return variable of mintNFT() has been never used.
https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/HomeFi.sol#L225