Platform: Code4rena
Start Date: 15/06/2022
Pot Size: $30,000 USDC
Total HM: 5
Participants: 55
Period: 3 days
Judge: Jack the Pug
Id: 138
League: ETH
Rank: 42/55
Findings: 1
Award: $51.26
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xFar5eer, 0xNazgul, 0xNineDec, 242, Chom, Czar102, Funen, GimelSec, Meera, Picodes, Sm4rty, Tadashi, TerrierLover, Waze, _Adam, a12jmx, asutorufos, codexploder, cryptphi, defsec, gzeon, hyh, joestakey, minhquanym, oyc_109, reassor, robee, saian, sorrynotsorry, unforgiven, zzzitron
51.2645 USDC - $51.26
L-1 Check that Contract Exists before using solmate's SafeTransferLib
As a call to an address with no code will be a no-op, since low-level calls to non-contracts always return true, a transfer of tokens using solmate's SafeTransferLib will succeed if the token does not have any code.
Therefore, it is recommended to verify that a contract exists before using any SafeTransferLib functions.
MyStrategy.sol L#423
Should use a check to see if it exists:
require(token.code.length != 0, "Token does not exist");
before using safeTransferFrom
L-2 Missing checks for address when assigning values to address state variables
MyStrategy.sol L#86-101
N-1 Open TODO
An open TODO is present in MyStrategy.sol L#284&422. It is recommended to avoid open TODOs as they may indicate programming errors that still need to be fixed.
N-2 Insufficient input validation
Considering that _vault is a crucial setting, it's necessary to add require(_vault != address(0), "...") to validate the input address.
MyStrategy.sol L#56
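The behaviour described in L-1, as an added example that is not part of the warden's report or of the audited code base. It uses a simplified low-level-call helper in place of solmate's assembly implementation; the library, contract and function names and the `NO_CODE` address are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Simplified transfer helper built on a low-level call (illustration only).
library UncheckedTransfer {
    function safeTransfer(address token, address to, uint256 amount) internal {
        // A low-level call to an address with no code returns success
        // with empty returndata.
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSignature("transfer(address,uint256)", to, amount)
        );
        // Empty returndata is accepted so that tokens returning nothing work;
        // a code-less address produces exactly the same result.
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "TRANSFER_FAILED");
    }
}

/// Same helper with the existence check recommended in L-1.
library CheckedTransfer {
    function safeTransfer(address token, address to, uint256 amount) internal {
        // Reject addresses that have no deployed code before calling them.
        require(token.code.length != 0, "Token does not exist");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSignature("transfer(address,uint256)", to, amount)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "TRANSFER_FAILED");
    }
}

contract TransferDemo {
    // Constructed sample: assumed to be an address with no code deployed.
    address constant NO_CODE = address(0xdead);

    /// Completes without reverting although no token exists and nothing moved.
    function transferUnchecked() external returns (bool) {
        UncheckedTransfer.safeTransfer(NO_CODE, msg.sender, 1 ether);
        return true;
    }

    /// Reverts with "Token does not exist".
    function transferChecked() external {
        CheckedTransfer.safeTransfer(NO_CODE, msg.sender, 1 ether);
    }
}
```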
#0 - GalloDaSballo
2022-06-19T01:27:53Z
Sponsor may consider raising to med
Disagree, check the bot
Have you found any?
The call to Vault.token will fail if the address is 0, hence I must disagree
#1 - jack-the-pug
2022-07-10T08:31:50Z
L-1: but it's not solmate's SafeTransferLib: https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L9