Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 24/101
Findings: 1
Award: $34.50
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
34.5035 USDC - $34.50
There is a sign function in RariMerkleRedeemer. It accepts a signature as a parameter and checks its validity. Specifically, the function performs the following check:
require(ECDSA.recover(MESSAGE_HASH, _signature) == msg.sender, "Signature not valid");
According to the code,
/// @notice The message to be signed by any users claiming on cTokens
string public constant MESSAGE = "Sample message, please update.";

/// @notice The hash of the message to be signed by any users claiming on cTokens
bytes32 public MESSAGE_HASH = ECDSA.toEthSignedMessageHash(bytes(MESSAGE));
So the message that the user signs is "Sample message, please update.", which seems like it should be changed to another message with useful information.
There are Redeem and Mint events in SimpleFeiDaiPSM.
/// @notice event emitted upon a redemption
event Redeem(address to, uint256 amountFeiIn, uint256 amountAssetOut);

/// @notice event emitted when fei gets minted
event Mint(address to, uint256 amountIn, uint256 amountFeiOut);
It is reasonable to make the to parameter indexed.
Also, in TribeRedeemer there is an event with an analogous indexed variable:
/// @notice event to track redemptions
event Redeemed(address indexed owner, address indexed receiver, uint256 amount, uint256 base);
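To illustrate the suggestion above, the following added example (not code from the audited contracts or from the report) models how a Redeem log is laid out with and without an indexed to parameter, and what a topic filter can match in each case. TOPIC0, the addresses and the amounts are constructed placeholders.

```python
# Added illustration: layout of the Redeem log with and without an indexed `to`.
# TOPIC0 is a constructed placeholder; the real value is the keccak256 hash of the
# event signature, which the Python standard library cannot compute.
TOPIC0 = bytes.fromhex("aa" * 32)

def word(value: int) -> bytes:
    """ABI-encode an unsigned integer (or address) as one 32-byte big-endian word."""
    return value.to_bytes(32, "big")

def encode_redeem(to: int, amount_fei_in: int, amount_asset_out: int, indexed: bool) -> dict:
    """Build the log a node would store for Redeem(to, amountFeiIn, amountAssetOut)."""
    if indexed:
        # Indexed parameters become topics; only the remaining fields go into data.
        return {"topics": [TOPIC0, word(to)],
                "data": word(amount_fei_in) + word(amount_asset_out)}
    # Without `indexed`, every parameter is packed into the opaque data blob.
    return {"topics": [TOPIC0],
            "data": word(to) + word(amount_fei_in) + word(amount_asset_out)}

def filter_by_topic(logs: list, to: int) -> list:
    """What a topic filter (as in eth_getLogs) matches: exact match on topics[1]."""
    want = word(to)
    return [log for log in logs if len(log["topics"]) > 1 and log["topics"][1] == want]

def filter_by_decoding(logs: list, to: int) -> list:
    """Fallback for the non-indexed layout: fetch every log and decode its data."""
    return [log for log in logs
            if len(log["topics"]) == 1 and int.from_bytes(log["data"][:32], "big") == to]

# Constructed sample redemptions: (to, amountFeiIn, amountAssetOut).
ALICE, BOB = 0xA11CE, 0xB0B
SAMPLE = [(ALICE, 100, 100), (BOB, 250, 250), (ALICE, 7, 7)]

def demo() -> dict:
    """Count ALICE's redemptions found by each approach under each event layout."""
    current = [encode_redeem(*r, indexed=False) for r in SAMPLE]
    proposed = [encode_redeem(*r, indexed=True) for r in SAMPLE]
    return {
        "topic_filter_current": len(filter_by_topic(current, ALICE)),
        "topic_filter_proposed": len(filter_by_topic(proposed, ALICE)),
        "decode_current": len(filter_by_decoding(current, ALICE)),
    }

if __name__ == "__main__":
    print(demo())
```

With the current declaration a monitoring tool has to pull and decode every Redeem log to find one recipient's activity; with an indexed to the node can do that selection itself.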
The logic corresponding to the hasSigned and hasNotSigned modifiers from the RariMerkleRedeemer contract is redundant. hasSigned checks that msg.sender has already signed the message, but actually this msg.sender calls such a function, so he always agrees to call such logic. hasNotSigned is also redundant: it is used only before calling the _sign function and makes no practical sense.