Venus Prime - alexweb3's results

Earn, borrow & lend on the #1 Decentralized Money Market on the BNB chain.

General Information

Platform: Code4rena

Start Date: 28/09/2023

Pot Size: $36,500 USDC

Total HM: 5

Participants: 115

Period: 6 days

Judge: 0xDjango

Total Solo HM: 1

Id: 290

League: ETH

Venus Protocol

Findings Distribution

Researcher Performance

Rank: 99/115

Findings: 1

Award: $4.37

QA:

grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Venus Protocol

Findings Information

🌟 Selected for report: Bauchibred

Also found by: 0x3b, 0xDetermination, 0xMosh, 0xScourgedev, 0xTheC0der, 0xTiwa, 0xWaitress, 0xdice91, 0xfusion, 0xpiken, 0xprinc, 0xweb3boy, ArmedGoose, Aymen0909, Breeje, Brenzee, Daniel526, DavidGiladi, DeFiHackLabs, Flora, Fulum, HChang26, Hama, IceBear, J4X, Krace, KrisApostolov, Maroutis, Mirror, MohammedRizwan, Norah, PwnStars, SPYBOY, TangYuanShen, Testerbot, ThreeSigma, Tricko, al88nsk, alexweb3, ast3ros, berlin-101, bin2chen, blutorque, btk, d3e4, deth, e0d1n, ether_sky, ge6a, gkrastenov, glcanvas, hals, imare, inzinko, jkoppel, jnforja, joaovwfreire, josephdara, kutugu, lotux, lsaudit, mahdirostami, merlin, n1punp, nadin, neumo, nisedo, nobody2018, oakcobalt, orion, peanuts, pep7siup, pina, ptsanev, rokinot, rvierdiiev, said, santipu_, sashik_eth, seerether, squeaky_cactus, terrancrypt, tonisives, twicek, vagrant, xAriextz, y4y

Awards

4.3669 USDC - $4.37

Labels

bug

downgraded by judge

grade-b

low quality report

QA (Quality Assurance)

Q-28

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L103-L114

Vulnerability details

Impact

The immutable variables WBNB, VBNB and BLOCKS_PER_YEAR are set in the constructor of the upgradeable implementation contract and therefore they won't be saved in the proxy's storage. The OpenZeppelin documentation says that all variables should be set in an initialize function, one that the Prime.sol contract already has.

Tools Used

Manual Review

Recommended Mitigation Steps

Move the lines of code for settings the 3 variables from the constructor into the initialize function.

Assessed type

Upgradable

#0 - 0xRobocop
2023-10-07T00:24:24Z

Consider QA

#1 - c4-pre-sort
2023-10-07T00:24:28Z

0xRobocop marked the issue as low quality report

#2 - c4-judge
2023-11-01T19:54:48Z

fatherGoose1 changed the severity to QA (Quality Assurance)

#3 - fatherGoose1
2023-11-01T19:55:17Z

QA. Helpful information without likely possibility of causing error.

#4 - c4-judge
2023-11-03T02:40:17Z

fatherGoose1 marked the issue as grade-b

Venus Prime - alexweb3's results

Earn, borrow & lend on the #1 Decentralized Money Market on the BNB chain.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-28] QA Report - $4.37

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - 0xRobocop2023-10-07T00:24:24Z

#1 - c4-pre-sort2023-10-07T00:24:28Z

#2 - c4-judge2023-11-01T19:54:48Z

#3 - fatherGoose12023-11-01T19:55:17Z

#4 - c4-judge2023-11-03T02:40:17Z

#0 - 0xRobocop
2023-10-07T00:24:24Z

#1 - c4-pre-sort
2023-10-07T00:24:28Z

#2 - c4-judge
2023-11-01T19:54:48Z

#3 - fatherGoose1
2023-11-01T19:55:17Z

#4 - c4-judge
2023-11-03T02:40:17Z