Centrifuge - alexzoid's results

The institutional ecosystem for on-chain credit.

General Information

Platform: Code4rena

Start Date: 08/09/2023

Pot Size: $70,000 USDC

Total HM: 8

Participants: 84

Period: 6 days

Judge: gzeon

Total Solo HM: 2

Id: 285

League: ETH

Centrifuge

Findings Distribution

Researcher Performance

Rank: 83/84

Findings: 1

Award: $12.79

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

12.7917 USDC - $12.79

Labels

bug
grade-b
QA (Quality Assurance)
sufficient quality report
Q-08

Optimizing the ERC20 Implementation: Inheritance from the Auth Contract

Rather than duplicating the functions and the modifier of the Auth contract inside ERC20, have ERC20 inherit from Auth. The ERC20 contract then receives all of Auth's functionality from a single definition, with one place to maintain and audit instead of two.

contract ERC20 is Auth, Context { ... }

Membership Management Limitations in the RestrictionManager Contract

There is no function to remove or invalidate a member's membership. The updateMember function allows setting a new validity period for a member, but it does not provide a mechanism to invalidate a member immediately. This is a potential oversight: there may be scenarios in which a member needs to be removed or suspended at once, without waiting for their membership to expire.

Consider implementing a removeMember function that sets the validUntil timestamp of a member to a past date, effectively invalidating their membership.

Functionality Gaps in the TrancheToken Contract: The Need for Token Burn Capabilities

The TrancheToken contract is designed as an extension of the standard ERC20 token, with added functionality from the ERC1404 standard. Its primary goal is to enforce transfer restrictions based on the rules defined in the associated RestrictionManager. While the contract provides a function for creating tokens (mint), it has no equivalent burn function to allow for the destruction of tokens.

Introduce a burn function in the TrancheToken contract that allows token holders or authorized addresses to destroy a specified amount of tokens.

function burn(address from, uint256 value) public override restricted(_msgSender(), from, value) {
    return super.burn(from, value);
}

Leveraging Interface Inheritance Across Contracts

Interface inheritance is missing across the contracts. When a contract inherits from an interface, the compiler requires it to implement every function declared in that interface, so the contract cannot silently drift away from the API that other contracts and off-chain callers rely on.

Create a distinct, appropriately named file for each interface, and have each contract inherit from its own interface, e.g.:

contract RestrictionManager is Auth, MemberlistLike { ... }
contract LiquidityPoolFactory is Auth, LiquidityPoolFactoryLike { ... }
contract TrancheTokenFactory is Auth, TrancheTokenFactoryLike { ... }
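The following is an added illustration, not Centrifuge's code and not part of the original report, that ties together three of the items above: a small Auth base of the kind the first item proposes ERC20 should inherit from, a MemberlistLike interface that RestrictionManager inherits from (so that dropping any declared function becomes a compile-time error), and a removeMember function that revokes a membership in the same block rather than waiting for expiry. The Auth shape (wards mapping, rely/deny, auth modifier), the interface name MemberlistLike, the function set and the revert strings are all assumptions made for the example; in a real layout the interface would live in its own file. In a Solidity 0.8.x contract that implements an interface function, the override keyword is optional, so none is written here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumed Auth base for this example (not the project's file): a wards
// mapping with rely/deny and an `auth` modifier. Any contract that needs
// this access control inherits it instead of copying the code.
contract Auth {
    mapping(address => uint256) public wards;

    event Rely(address indexed user);
    event Deny(address indexed user);

    constructor() {
        wards[msg.sender] = 1;
        emit Rely(msg.sender);
    }

    modifier auth() {
        require(wards[msg.sender] == 1, "Auth/not-authorized");
        _;
    }

    function rely(address user) external auth {
        wards[user] = 1;
        emit Rely(user);
    }

    function deny(address user) external auth {
        wards[user] = 0;
        emit Deny(user);
    }
}

// Assumed interface (would normally be its own file, e.g. MemberlistLike.sol).
// Inheriting from it below forces RestrictionManager to implement all four
// functions; omitting one fails compilation with "contract should be marked
// as abstract", which is the API-adherence guarantee the report asks for.
interface MemberlistLike {
    function updateMember(address user, uint256 validUntil) external;
    function removeMember(address user) external;
    function hasMember(address user) external view returns (bool);
    function member(address user) external view;
}

contract RestrictionManager is Auth, MemberlistLike {
    // validUntil timestamp per address; 0 means "not a member"
    mapping(address => uint256) public members;

    event UpdateMember(address indexed user, uint256 validUntil);
    event RemoveMember(address indexed user);

    function updateMember(address user, uint256 validUntil) public auth {
        // Only future (or current-block) expiries are accepted, so this
        // function alone cannot be used to revoke a member immediately.
        require(validUntil >= block.timestamp, "RestrictionManager/invalid-valid-until");
        members[user] = validUntil;
        emit UpdateMember(user, validUntil);
    }

    // Immediate revocation: clearing the timestamp makes hasMember() return
    // false and member() revert from this block onward, no expiry wait.
    function removeMember(address user) public auth {
        members[user] = 0;
        emit RemoveMember(user);
    }

    function hasMember(address user) public view returns (bool) {
        return members[user] >= block.timestamp;
    }

    // Reverting variant used by transfer-restriction checks.
    function member(address user) public view {
        require(hasMember(user), "RestrictionManager/destination-not-a-member");
    }
}
```

Setting the slot to 0 rather than to block.timestamp - 1 keeps the storage value unambiguous (never a member versus expired), and a later updateMember call can re-admit the address because the interface does not constrain the stored value, only the validUntil argument.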

#0 - c4-pre-sort

2023-09-17T01:43:26Z

raymondfam marked the issue as sufficient quality report

#1 - c4-judge

2023-09-26T17:37:17Z

gzeon-c4 marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
