Backd contest - antonttc's results

Maximize the power of your assets and start earning yield

General Information

Platform: Code4rena

Start Date: 21/04/2022

Pot Size: $100,000 USDC

Total HM: 18

Participants: 60

Period: 7 days

Judge: gzeon

Total Solo HM: 10

Id: 112

League: ETH

Backd

Findings Distribution

Researcher Performance

Rank: 20/60

Findings: 3

Award: $522.45

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
duplicate
2 (Med Risk)
reviewed

Awards

70.085 USDC - $70.08

External Links

Lines of code

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/vault/EthVault.sol#L28

Vulnerability details

Impact

User funds can be locked by using a smart contract wallet with an inefficient callback, or by future hardforks that change gas consumption.

Most auditors have suggested deprecating address.transfer because of the potential out-of-gas (OOG) error. However, payable(address).transfer is still used heavily throughout the codebase.

Reference: https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

Use call instead:

    // call{value: amount} is the Solidity >= 0.7 form; the pre-0.7 form was call.value(amount)
    (bool success, ) = msg.sender.call{value: amount}("");
    require(success, "Transfer failed.");
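The two withdrawal patterns side by side, as an added example that is not Backd code: a minimal ETH vault with the transfer-based withdrawal the finding describes and the call-based replacement, plus a recipient contract whose receive() needs more than the 2300 gas stipend. The contract and function names (SimpleEthVault, withdrawWithTransfer, withdrawWithCall, LoggingWallet) are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added example, not Backd code. Names are assumptions for illustration.
contract SimpleEthVault {
    mapping(address => uint256) public balances;
    uint256 private _locked = 1; // simple reentrancy guard state

    modifier nonReentrant() {
        require(_locked == 1, "reentrant");
        _locked = 2;
        _;
        _locked = 1;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Before: transfer() forwards a fixed 2300 gas stipend. A smart-contract
    // wallet whose receive()/fallback needs more than that, or a future
    // opcode repricing, makes this revert every time and locks the funds.
    function withdrawWithTransfer(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(amount);
    }

    // After: call forwards all remaining gas, so the recipient's callback can
    // run. Because the callee can now re-enter, the balance is updated before
    // the external call (checks-effects-interactions) and the function is guarded.
    function withdrawWithCall(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success, "Transfer failed.");
    }
}

// A recipient whose receive() does more work than 2300 gas allows: the storage
// write alone costs more than the stipend, so withdrawWithTransfer reverts for
// this wallet while withdrawWithCall succeeds.
contract LoggingWallet {
    uint256 public received;

    receive() external payable {
        received += msg.value; // SSTORE exceeds the 2300 gas stipend
    }
}
```

Depositing from LoggingWallet and then calling withdrawWithTransfer reverts, while withdrawWithCall returns the funds; a regression test for a vault should exercise exactly this contract-wallet case rather than only an EOA.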

#0 - chase-manning

2022-04-28T11:41:03Z

Duplicate of #52

Findings Information

🌟 Selected for report: hubble

Also found by: TrungOre, antonttc, csanuragjain, gs8nrv, rayn, reassor

Labels

bug
2 (Med Risk)
resolved
sponsor confirmed
reviewed

Awards

293.0606 USDC - $293.06

External Links

Lines of code

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/access/RoleManager.sol#L155

Vulnerability details

Impact

The function doesn't remove the address from the _roleMembers[role] set, which will break the roleCount.

Proof of Concept

Tools Used

    _roles[role].members[account] = false;
    _roleMembers[role].remove(account);
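A role registry that keeps a members flag next to an enumerable set, as an added example that is not Backd's RoleManager. It shows the buggy revoke (flag cleared, set untouched) beside the fixed one, and a consistency check that an invariant test or monitoring job can call to detect the divergence. It uses OpenZeppelin's EnumerableSet library; the contract and function names (RoleRegistry, revokeRoleBuggy, membersConsistent) are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

import "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";

// Added example, not Backd code. Names are assumptions for illustration.
contract RoleRegistry {
    using EnumerableSet for EnumerableSet.AddressSet;

    struct RoleData {
        mapping(address => bool) members;
    }

    address public immutable admin;
    mapping(bytes32 => RoleData) private _roles;
    mapping(bytes32 => EnumerableSet.AddressSet) private _roleMembers;

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    function grantRole(bytes32 role, address account) external onlyAdmin {
        _roles[role].members[account] = true;
        _roleMembers[role].add(account);
    }

    // Buggy variant: clears the flag but leaves the address in the set, so
    // getRoleMemberCount and getRoleMember keep reporting the revoked account.
    function revokeRoleBuggy(bytes32 role, address account) external onlyAdmin {
        _roles[role].members[account] = false;
    }

    // Fixed variant: both data structures are updated together.
    function revokeRole(bytes32 role, address account) external onlyAdmin {
        _roles[role].members[account] = false;
        _roleMembers[role].remove(account);
    }

    function hasRole(bytes32 role, address account) public view returns (bool) {
        return _roles[role].members[account];
    }

    function getRoleMemberCount(bytes32 role) public view returns (uint256) {
        return _roleMembers[role].length();
    }

    function getRoleMember(bytes32 role, uint256 index) public view returns (address) {
        return _roleMembers[role].at(index);
    }

    // Invariant: every enumerated member must still hold the role.
    // Returns false after revokeRoleBuggy, true after revokeRole.
    function membersConsistent(bytes32 role) external view returns (bool) {
        uint256 n = _roleMembers[role].length();
        for (uint256 i = 0; i < n; i++) {
            if (!_roles[role].members[_roleMembers[role].at(i)]) return false;
        }
        return true;
    }
}
```

Any code path that iterates getRoleMember up to getRoleMemberCount (for example to enforce a "last admin cannot be removed" rule or to count active members) trusts the set, so the invariant in membersConsistent is the property a fuzz or invariant test should hold after every grant and revoke.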

#0 - gzeoneth

2022-05-07T17:19:50Z

Low probability and assets will not be lost directly. Judging this and all duplicates as Med Risk.

#1 - gzeoneth

2022-05-08T19:07:28Z

I believe #83 described this better.

#2 - chase-manning

2022-05-11T14:56:46Z

Awards

159.3125 USDC - $159.31

Labels

bug
QA (Quality Assurance)
resolved
sponsor confirmed
reviewed

External Links

Lines of code

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/oracles/ChainlinkUsdWrapper.sol#L56

Vulnerability details

Impact

The current code returns the following:

return (roundId_, (answer_ * _ethPrice()) / 1e8, startedAt_, updatedAt_, answeredInRound_);

If we're wrapping an asset whose price is relatively stable against ETH, the answer here might not be updated constantly. By returning the startedAt of the last answer update, it's possible that this answer is considered "stale" by the protocol.

It's better to return the new updatedAt_ as the greater of the two:

  • updatedAt_ from eth oracle,
  • updatedAt_ from the asset oracle

This way, if asset/ETH is unchanged for a while but there's an ETH price move, we capture the correct updatedAt timestamp.
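A composed USD feed that applies the suggestion, as an added example that is not Backd's ChainlinkUsdWrapper. It multiplies an asset/ETH feed by an ETH/USD feed and reports the later of the two updatedAt values, since the USD answer changes whenever either input changes; it also keeps a separate per-input staleness check, because a consumer still wants to know when either feed is old. The AggregatorV3Interface declaration matches Chainlink's public interface; the contract name (ComposedUsdFeed), constructor parameters and isStale helper are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Chainlink's public aggregator interface (subset), declared inline so the
// example is self-contained.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);

    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Added example, not Backd code. Names are assumptions for illustration.
contract ComposedUsdFeed {
    AggregatorV3Interface public immutable assetEthFeed; // asset priced in ETH
    AggregatorV3Interface public immutable ethUsdFeed;   // ETH priced in USD (8 decimals)

    constructor(AggregatorV3Interface assetEthFeed_, AggregatorV3Interface ethUsdFeed_) {
        assetEthFeed = assetEthFeed_;
        ethUsdFeed = ethUsdFeed_;
    }

    // Returns the asset price in USD with the ETH/USD feed's 8 decimals.
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound)
    {
        (uint80 roundId_, int256 assetEth, uint256 startedAt_, uint256 assetUpdatedAt, uint80 answeredInRound_) =
            assetEthFeed.latestRoundData();
        (, int256 ethUsd, , uint256 ethUpdatedAt, ) = ethUsdFeed.latestRoundData();
        require(assetEth > 0 && ethUsd > 0, "invalid answer");

        // Remove the asset feed's own decimals so the result keeps ETH/USD's 8 decimals.
        int256 usd = (assetEth * ethUsd) / int256(10 ** uint256(assetEthFeed.decimals()));

        // The composed answer is as fresh as the most recently updated input:
        // an ETH/USD move changes it even if asset/ETH has not been updated.
        uint256 freshest = assetUpdatedAt > ethUpdatedAt ? assetUpdatedAt : ethUpdatedAt;
        return (roundId_, usd, startedAt_, freshest, answeredInRound_);
    }

    // Staleness is still judged per input: if either feed is older than maxAge
    // the composed price rests on stale data, whatever the combined timestamp says.
    function isStale(uint256 maxAge) external view returns (bool) {
        (, , , uint256 assetUpdatedAt, ) = assetEthFeed.latestRoundData();
        (, , , uint256 ethUpdatedAt, ) = ethUsdFeed.latestRoundData();
        uint256 oldest = assetUpdatedAt < ethUpdatedAt ? assetUpdatedAt : ethUpdatedAt;
        return block.timestamp - oldest > maxAge;
    }
}
```

A consumer that only looks at the returned updatedAt sees the feed as fresh after an ETH/USD move, which is the behaviour the finding asks for; a consumer that wants to reject a price when either input is old checks isStale with its own maxAge, which keeps the conservative property the judge's comment refers to.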

#0 - gzeoneth

2022-05-09T14:55:43Z

I believe this is low risk since it can be beneficial to consider the price stale when either of the 2 prices is not updated.

#1 - gzeoneth

2022-05-09T14:56:22Z

Considering as warden's QA report.

#2 - JeeberC4

2022-05-09T16:20:01Z

Preserving original title as warden did not submit a QA Report and issue was downgraded by judge: Bad updatedAt returned by ChainlinkUsdWrapper.latestRoundData

#3 - chase-manning

2022-05-11T14:56:17Z

AuditHub

Built by malatrax © 2024