Astaria contest - arialblack14's results

On a mission to build a highly liquid NFT lending market.

General Information

Platform: Code4rena

Start Date: 05/01/2023

Pot Size: $90,500 USDC

Total HM: 55

Participants: 103

Period: 14 days

Judge: Picodes

Total Solo HM: 18

Id: 202

League: ETH

Astaria

Findings Distribution

Researcher Performance

Rank: 81/103

Findings: 1

Award: $51.32

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

QA REPORT

[L-1] Use of block.timestamp

Description

Block timestamps have historically been used for a variety of applications, such as entropy for random numbers (see the Entropy Illusion for further details), locking funds for periods of time, and various state-changing conditional statements that are time-dependent. Miners have the ability to adjust timestamps slightly, which can prove to be dangerous if block timestamps are used incorrectly in smart contracts.

✅ Recommendation

Use an oracle instead of block.timestamp.

🔍 Findings:

2023-01-astaria/src/AstariaRouter.sol#L439: if (block.timestamp > commitment.lienRequest.strategy.deadline) {
2023-01-astaria/src/AstariaRouter.sol#L617: return (stack.point.end <= block.timestamp
2023-01-astaria/src/AstariaRouter.sol#L698: newLien.details.duration + block.timestamp >=
2023-01-astaria/src/AstariaRouter.sol#L700: (block.timestamp + newLien.details.duration - stack[position].point.end >=
2023-01-astaria/src/AstariaRouter.sol#L738: block.timestamp,
2023-01-astaria/src/CollateralToken.sol#L132: if (block.timestamp < params.endTime) {
2023-01-astaria/src/CollateralToken.sol#L468: startTime: uint256(block.timestamp),
2023-01-astaria/src/CollateralToken.sol#L469: endTime: uint256(block.timestamp + maxDuration),
2023-01-astaria/src/LienToken.sol#L112: if (block.timestamp >= params.encumber.stack[params.position].point.end) {
2023-01-astaria/src/LienToken.sol#L156: if (block.timestamp >= params.encumber.stack[j].point.end) {
2023-01-astaria/src/LienToken.sol#L247: return _getInterest(stack, block.timestamp);
2023-01-astaria/src/LienToken.sol#L309: uint88 owed = _getOwed(stack[i], block.timestamp);
2023-01-astaria/src/LienToken.sol#L335: auctionData.startTime = block.timestamp.safeCastTo48();
2023-01-astaria/src/LienToken.sol#L336: auctionData.endTime = (block.timestamp + auctionWindow).safeCastTo48();
2023-01-astaria/src/LienToken.sol#L452: last: block.timestamp.safeCastTo40(),
2023-01-astaria/src/LienToken.sol#L453: end: (block.timestamp + params.lien.details.duration).safeCastTo40()
2023-01-astaria/src/LienToken.sol#L475: if (block.timestamp >= newStack[j].point.end) {
2023-01-astaria/src/LienToken.sol#L590: owed = _getOwed(stack, block.timestamp);
2023-01-astaria/src/LienToken.sol#L744: return _getOwed(stack, block.timestamp);
2023-01-astaria/src/LienToken.sol#L780: uint256 delta_t = stack.point.end - block.timestamp;
2023-01-astaria/src/LienToken.sol#L805: if (block.timestamp >= end) {
2023-01-astaria/src/LienToken.sol#L808: uint256 owed = _getOwed(stack, block.timestamp);
2023-01-astaria/src/LienToken.sol#L827: stack.point.last = block.timestamp.safeCastTo40();
2023-01-astaria/src/PublicVault.sol#L468: s.last = block.timestamp.safeCastTo40();
2023-01-astaria/src/PublicVault.sol#L491: uint256 delta_t = block.timestamp - s.last;
2023-01-astaria/src/PublicVault.sol#L625: s.last = block.timestamp.safeCastTo40();
2023-01-astaria/src/PublicVault.sol#L706: if (block.timestamp >= epochEnd) {
2023-01-astaria/src/PublicVault.sol#L710: return epochEnd - block.timestamp;
2023-01-astaria/src/WithdrawProxy.sol#L250: if (block.timestamp < s.finalAuctionEnd) {
2023-01-astaria/src/WithdrawProxy.sol#L314: uint40 auctionEnd = (block.timestamp + finalAuctionDelta).safeCastTo40();

[N-1] Lines are too long.

Description

Usually, lines in source code are limited to 80 characters. Today's screens are much larger, so it's reasonable to stretch this in some cases. Since the files will most likely reside on GitHub, and GitHub starts using a scroll bar whenever a line is longer than 164 characters, the lines below should be split when they reach that length.

✅ Recommendation

Reduce number of characters per line to improve readability.

🔍 Findings:

2023-01-astaria/src/AstariaRouter.sol#L75: * @dev Setup transfer authority and set up addresses for deployed CollateralToken, LienToken, TransferProxy contracts, as well as PublicVault and SoloVault implementations to clone.
2023-01-astaria/src/LienToken.sol#L42: * @notice This contract handles the creation, payments, buyouts, and liquidations of tokenized NFT-collateralized debt (liens). Vaults which originate loans against supported collateral are issued a LienToken representing the right to loan repayments and auctioned funds on liquidation.
2023-01-astaria/src/VaultImplementation.sol#L282: * Starts by depositing collateral and take out a lien against it. Next, verifies the merkle proof for a loan commitment. Vault owners are then rewarded fees for successful loan origination.
2023-01-astaria/src/VaultImplementation.sol#L363: * @notice Retrieves the recipient of loan repayments. For PublicVaults (VAULT_TYPE 2), this is always the vault address. For PrivateVaults, retrieves the owner() of the vault.
2023-01-astaria/src/WithdrawProxy.sol#L54: uint88 expected; // The sum of the remaining debt (amountOwed) accrued against the NFT at the timestamp when it is liquidated. yIntercept (virtual assets) of a PublicVault are not modified on liquidation, only once an auction is completed.
2023-01-astaria/src/WithdrawProxy.sol#L56: uint256 withdrawReserveReceived; // amount received from PublicVault. The WETH balance of this contract - withdrawReserveReceived = amount received from liquidations.
2023-01-astaria/src/interfaces/ICollateralToken.sol#L100: * @notice Executes a FlashAction using locked collateral. A valid FlashAction performs a specified action with the collateral within a single transaction and must end with the collateral being returned to the Vault it was locked in.
2023-01-astaria/src/interfaces/IWithdrawProxy.sol#L27: * @notice Called at epoch boundary, computes the ratio between the funds of withdrawing liquidity providers and the balance of the underlying PublicVault so that claim() proportionally pays out to all parties.
2023-01-astaria/src/interfaces/IWithdrawProxy.sol#L35: * @param finalAuctionDelta The timestamp by which the auction being added is guaranteed to end. As new auctions are added to the WithdrawProxy, this value will strictly increase as all auctions have the same maximum duration.

#0 - c4-judge

2023-01-26T15:02:44Z

Picodes marked the issue as grade-b
