Platform: Code4rena
Start Date: 07/08/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 125
Period: 3 days
Judge: alcueca
Total Solo HM: 4
Id: 274
League: ETH
Rank: 97/125
Findings: 1
Award: $9.82
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RED-LOTUS-REACH
Also found by: 0x3b, 0x4non, 0xCiphky, 0xDING99YA, 0xDetermination, 0xE1, 0xG0P1, 0xStalin, 0xWaitress, 0xbrett8571, 0xhacksmithh, 0xkazim, 0xmuxyz, 0xweb3boy, 14si2o_Flint, AlexCzm, Alhakista, Bube, Bughunter101, Deekshith99, Eeyore, Giorgio, HChang26, InAllHonesty, JP_Courses, KmanOfficial, MatricksDeCoder, Mike_Bello90, MrPotatoMagic, Naubit, QiuhaoLi, RHaO-sec, Raihan, Rolezn, SUPERMAN_I4G, Shubham, Silverskrrrt, Strausses, T1MOH, Topmark, Tripathi, Watermelon, _eperezok, aakansha, auditsea, audityourcontracts, ayden, carlos__alegre, castle_chain, cducrest, ch0bu, d23e, deadrxsezzz, deth, devival, erebus, fatherOfBlocks, halden, hassan-truscova, hpsb, hunter_w3b, imkapadia, immeas, jat, kaden, kaveyjoe, klau5, koxuan, kutugu, ladboy233, lanrebayode77, leasowillow, lsaudit, markus_ether, matrix_0wl, merlin, nemveer, ni8mare, nonseodion, oakcobalt, owadez, p_crypt0, pipidu83, piyushshukla, popular00, ppetrov, rjs, sandy, sl1, supervrijdag, tay054, thekmj, wahedtalash77, windhustler, zhaojie
9.8204 USDC - $9.82
setRewards() should have an event and return a boolean for success/failure

setRewards() in LendingLedger.sol doesn't emit any events when the rewards are set. It's an important function but doesn't emit anything for users to follow or monitor. When I was testing I was able to flip _fromEpoch/_toEpoch and, although the rewards are not set, as someone calling the function you don't know whether it worked or failed.

setRewards() in LendingLedger.sol should have an event and return a boolean for success or failure.
setRewards() doesn't require _toEpoch > _fromEpoch

setRewards() in LendingLedger.sol checks that _fromEpoch and _toEpoch are valid epochs (is_valid_epoch) but doesn't check _toEpoch > _fromEpoch.

setRewards() in LendingLedger.sol should require(_toEpoch > _fromEpoch, "Invalid range: valid timestamps, wrong way round"); claim() has a similar issue. The concern here is that some change is made to the functionality of setRewards() or claim() before deployment and an edge case bug slips in that this require/check would eliminate.
receive() function allows CANTO/ETH to be sent directly to the contract

The receive() function allows anyone to send CANTO/ETH to the contract, and if sent in error it cannot be retrieved. There could be a payable function like transferRewards(), restricted to onlyGovernance, used to transfer CANTO/ETH to the contract. setRewards() could be modified to do this but it has a different focus/purpose. The receive function can then be removed and the tests in LendingLedger.t.sol updated to remove the transfer and use vm.deal.
_checkpoint() iterates over 255 weeks when there are 260 weeks in 5 years

The _checkpoint() function iterates over 255 weeks instead of 260 weeks (weeks in 5 years). This should be changed to for (uint256 i = 0; i < 259; i++) { to incorporate 260 weeks in 5 years.
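The first three findings above (missing event/return value, missing _toEpoch > _fromEpoch check, open receive()) in one hardened sketch. This is an added illustration, not the LendingLedger.sol code from the audited project; the setRewards() parameter list, the WEEK epoch length, the storage layout and the governance check are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Illustrative sketch: signatures, WEEK and the governance mechanism are
// assumed, not taken from the audited LendingLedger.sol.
contract LendingLedgerSketch {
    uint256 public constant WEEK = 7 days; // assumed epoch length
    address public governance;
    // epoch start timestamp => reward amount for that epoch
    mapping(uint256 => uint256) public rewardInformation;

    event RewardsSet(uint256 indexed fromEpoch, uint256 indexed toEpoch, uint256 amountPerEpoch);
    event RewardsFunded(address indexed from, uint256 amount);

    modifier onlyGovernance() {
        require(msg.sender == governance, "Not governance");
        _;
    }

    constructor(address _governance) {
        governance = _governance;
    }

    // Epoch validity as the report describes it: an aligned epoch timestamp (assumed alignment).
    function is_valid_epoch(uint256 _ts) public pure returns (bool) {
        return _ts % WEEK == 0;
    }

    // Range check plus event so a caller or off-chain monitor can confirm the call took effect;
    // flipped arguments now revert instead of silently writing nothing.
    function setRewards(uint256 _fromEpoch, uint256 _toEpoch, uint256 _amountPerEpoch)
        external onlyGovernance returns (bool)
    {
        require(is_valid_epoch(_fromEpoch) && is_valid_epoch(_toEpoch), "Invalid timestamp");
        require(_toEpoch > _fromEpoch, "Invalid range: valid timestamps, wrong way round");
        for (uint256 epoch = _fromEpoch; epoch <= _toEpoch; epoch += WEEK) {
            rewardInformation[epoch] = _amountPerEpoch;
        }
        emit RewardsSet(_fromEpoch, _toEpoch, _amountPerEpoch);
        return true;
    }

    // Explicit, governance-gated funding path in place of an open receive():
    // with no receive()/fallback, a stray CANTO transfer reverts instead of getting stuck.
    function transferRewards() external payable onlyGovernance {
        require(msg.value > 0, "Nothing sent");
        emit RewardsFunded(msg.sender, msg.value);
    }
}
```

In a Foundry test the contract balance can then be set with vm.deal, or funded through transferRewards() from the governance address, rather than by a plain transfer into receive().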
#0 - c4-judge
2023-08-22T14:12:24Z
alcueca marked the issue as grade-a