Back to WatchPug's contests

Nested Finance contest - WatchPug's results

The one-stop Defi app to build, manage and monetize your portfolio.

General Information

Platform: Code4rena

Start Date: 10/02/2022

Pot Size: $30,000 USDC

Total HM: 5

Participants: 24

Period: 3 days

Judge: harleythedog

Total Solo HM: 3

Id: 86

League: ETH

Nested Finance

Findings Distribution

Researcher Performance

Rank: 19/24

Findings: 1

Award: $90.97

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryNested Finance

Findings Information

🌟 Selected for report: pauliax

Also found by: 0xliumin, Dravee, GreyArt, IllIllI, Omik, ShippooorDAO, WatchPug, bobi, csanuragjain, gzeon, kenzo, rfa, robee, samruna

Labels

bug
QA (Quality Assurance)
sponsor confirmed

Awards

90.9726 USDC - $90.97

External Links

Link to GitHub issue

[N1] Unused imports

The following source units are imported but not referenced in the contract:

https://github.com/code-423n4/2022-02-nested/blob/879bae87b1987d6810f25c1082e5bf664390ae7f/contracts/operators/Flat/FlatOperator.sol#L4-L4

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

https://github.com/code-423n4/2022-02-nested/blob/879bae87b1987d6810f25c1082e5bf664390ae7f/contracts/operators/Flat/IFlatOperator.sol#L4-L4

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

Recommendation

Check all imports and remove all unused/unreferenced and unnecessary imports.

[N2] Using public to generate the getter function can make the code simpler and cleaner

https://github.com/code-423n4/2022-02-nested/blob/879bae87b1987d6810f25c1082e5bf664390ae7f/contracts/operators/ZeroEx/ZeroExStorage.sol#L7-L19

contract ZeroExStorage is Ownable {
    address private _swapTarget;

    /// @notice Returns the address of 0x swaptarget
    function swapTarget() external view returns (address) {
        return _swapTarget;
    }

    /// @notice Update the address of 0x swaptarget
    function updatesSwapTarget(address swapTargetValue) external onlyOwner {
        _swapTarget = swapTargetValue;
    }
}

Can be changed to:

contract ZeroExStorage is Ownable {
    address public swapTarget;

    /// @notice Update the address of 0x swaptarget
    function updatesSwapTarget(address swapTargetValue) external onlyOwner {
        swapTarget = swapTargetValue;
    }
}

[N3] Inconsistent use of _msgSender()

Direct use of msg.sender vs internal call of _msgSender().

https://github.com/code-423n4/2022-02-nested/blob/879bae87b1987d6810f25c1082e5bf664390ae7f/contracts/operators/ZeroEx/ZeroExOperator.sol#L17-L17

ZeroExStorage(operatorStorage).transferOwnership(msg.sender);

https://github.com/code-423n4/2022-02-nested/blob/879bae87b1987d6810f25c1082e5bf664390ae7f/contracts/NestedReserve.sol#L30-L30

_token.safeTransfer(msg.sender, _amount);

https://github.com/code-423n4/2022-02-nested/blob/879bae87b1987d6810f25c1082e5bf664390ae7f/contracts/abstracts/OwnableFactoryHandler.sol#L21-L21

require(supportedFactories[msg.sender], "OFH: FORBIDDEN");

https://github.com/code-423n4/2022-02-nested/blob/879bae87b1987d6810f25c1082e5bf664390ae7f/contracts/FeeSplitter.sol#L103-L103

require(msg.sender == weth, "FS: ETH_SENDER_NOT_WETH");

https://github.com/code-423n4/2022-02-nested/blob/879bae87b1987d6810f25c1082e5bf664390ae7f/contracts/FeeSplitter.sol#L166-L168

amount = _releaseToken(_msgSender(), _tokens[i]);
_tokens[i].safeTransfer(_msgSender(), amount);
emit PaymentReleased(_msgSender(), address(_tokens[i]), amount);

https://github.com/code-423n4/2022-02-nested/blob/879bae87b1987d6810f25c1082e5bf664390ae7f/contracts/FeeSplitter.sol#L199-L199

_token.safeTransferFrom(_msgSender(), address(this), _amount);

Recommendation

Consider replacing _msgSender() with msg.sender for consistency.

#0 - maximebrugel

2022-02-15T15:08:37Z

"Unused imports" (Confirmed)

"Using public to generate the getter function can make the code simpler and cleaner" (Confirmed)

"Inconsistent use of _msgSender()" (Disputed)

The one with msg.sender are used when meta transactions are not supported (sender is WETH, Nested Factory,...)

#1 - harleythedogC4

2022-03-01T02:21:25Z

My personal judgements:

  1. "[N1] Unused imports". Valid and non-critical.
  2. "[N2] Using public to generate the getter function can make the code simpler and cleaner". Valid and non-critical.
  3. "[N3] Inconsistent use of _msgSender()". As sponsor describes. Invalid.

#2 - harleythedogC4

2022-03-03T02:27:16Z

Now, here is the methodology I used for calculating a score for each QA report. I first assigned each submission to be either non-critical (1 point), very-low-critical (5 points) or low-critical (10 points), depending on how severe/useful the issue is. The score of a QA report is the sum of these points, divided by the maximum number of points achieved by a QA report. This maximum number was 26 points, achieved by https://github.com/code-423n4/2022-02-nested-findings/issues/66.

The number of points achieved by this report is 2 points. Thus the final score of this QA report is (2/26)*100 = 8.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter