Platform: Code4rena
Start Date: 01/08/2023
Pot Size: $91,500 USDC
Total HM: 14
Participants: 80
Period: 6 days
Judge: gzeon
Total Solo HM: 6
Id: 269
League: ETH
Rank: 67/80
Findings: 1
Award: $15.35
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Team_FliBit
Also found by: 0x70C9, 3docSec, 8olidity, DavidGiladi, Krace, LokiThe5th, Rolezn, Sathish9098, UniversalCrypto, banpaleo5, catellatech, digitizeworx, fatherOfBlocks, hpsb, j4ld1na, josephdara, kutugu, niser93, nonseodion, oakcobalt, osmanozdemir1, pep7siup, ravikiranweb3, said, sivanesh_808
15.3494 USDC - $15.35
| Number | Issues Details | Count |
|---|---|---|
| [L-1] | Including Critical Parameters in Events | 3 |
| [L-2] | Utilize _safeMint for Safer Minting | 1 |
| [L-3] | Beware of Loss of Funds with payable.transfer | 1 |
| [L-4] | Implementing Maximum Fee Limit Instead of Allowing 100% Fees | 1 |
| [N-1] | Repeated File Imports | 2 |
| [N-2] | Advocate for Distinct Files for Interface Declarations | 2 |
| [N-3] | Variations in Comment Spacing | 1 |
| [N-4] | Limit Usage of All-Capitalized Variable Names to constant/immutable Variables | 2 |
| [N-5] | Indicating Interfaces with I Prefix in Contract Names | 2 |
| [N-6] | Any duplicated require() or revert() checks should be restructured into a modifier or function for better efficiency and readability | 1 |
| [N-7] | Either remove empty blocks or have them emit an event, as they serve no purpose as is | 1 |
| [N-8] | Functions that are certain to revert when invoked by regular users can be designated as payable | 1 |
To ensure the usability and effectiveness of events, it is crucial to include all the necessary parameters, including the source address (msg.sender), when emitting an event. By omitting critical parameters, the event loses its intended purpose as a means for contracts or web pages to react to user actions.
File: OptionsPositionManager.sol emit LiquidatePosition(user, debtAsset, debt, amt0 - amts[0], amt1 - amts[1]);
File: TokenisableRange.sol emit InitTR(address(asset0), address(asset1), startX10, endX10);
</details>File: OptionsPositionManager.sol emit ClosePosition(user, debtAsset, debt, amt0, amt1);
_safeMint for Safer MintingTo enhance the safety and security of the minting process in your contract, it is recommended to use the _safeMint function instead of _mint. The _safeMint function incorporates additional checks and safeguards to mitigate potential risks.
</details>File: GeVault.sol _mint(msg.sender, liquidity);
payable.transfer</details>File: GeVault.sol payable(msg.sender).transfer(bal);
100% FeesTo mitigate potential risks and maintain a balanced fee structure, it is advisable to disallow the setting of fees to 100% altogether. Allowing fees to be set at such a high percentage poses a considerable risk and may have unintended consequences.
</details>File: GeVault.sol function setBaseFee(
Numerous instances have been observed where the same file is imported multiple times.
<details> <summary><i>There are 2 instances of this issue:</i></summary>File: RangeManager.sol import "./openzeppelin-solidity/contracts/token/ERC20/utils/SafeERC20.sol";
</details>File: TokenisableRange.sol import "../interfaces/IAaveOracle.sol";
It's good practice to place interface declarations in a distinct file, rather than housing them within the same file as the contract.
<details> <summary><i>There are 2 instances of this issue:</i></summary>File: LPOracle.sol interface UniswapV2Pair {
File: LPOracle.sol interface IERC20 {
File: V3Proxy.sol interface ISwapRouter {
File: V3Proxy.sol interface IQuoter {
</details>File: V3Proxy.sol interface IWETH9 is IERC20 {
Certain lines exhibit inconsistent spacing in comments. This issue is observed where some lines use "// x" while others use "//x". The examples provided below highlight instances that deviate from the prevailing pattern within each file.
<details> <summary><i>There are 1 instances of this issue:</i></summary></details>File: OptionsPositionManager.sol { //localize vars
constant/immutable VariablesRestrict the application of fully capitalized variable names to constant or immutable variables only. In cases where the variable's value is dependent on its originating class, utilizing a view/pure function is more suitable, as shown in this <a href="https://github.com/OpenZeppelin/openzeppelin-contracts/blob/76eee35971c2541585e05cbf258510dda7b2fbc6/contracts/token/ERC20/extensions/draft-IERC20Permit.sol#L59">example</a>.
File: PositionManager.sol ILendingPoolAddressesProvider public ADDRESSES_PROVIDER; // IFlashLoanReceiver requirement
File: PositionManager.sol ILendingPool public LENDING_POOL; // IFlashLoanReceiver requirement
File: PositionManager.sol RoeRouter public ROEROUTER;
</details>File: GeVault.sol IWETH public WETH;
I Prefix in Contract NamesTo maintain consistency and improve code readability, it is advised to prefix interface names with the letter I in contracts.
File: LPOracle.sol interface UniswapV2Pair {
</details>File: OptionsPositionManager.sol interface AmountsRouter {
require() or revert() checks should be restructured into a modifier or function for better efficiency and readability</details>File: V3Proxy.sol require(path.length == 2, "Direct swap only"); require(path.length == 2, "Direct swap only"); require(path.length == 2, "Direct swap only"); require(path.length == 2, "Direct swap only"); require(path.length == 2, "Direct swap only"); require(path.length == 2, "Direct swap only"); require(path.length == 2, "Direct swap only"); require(path.length == 2, "Direct swap only");
</details>File: OptionsPositionManager.sol constructor (address roerouter) PositionManager(roerouter) {}
payable</details>File: V3Proxy.sol function emergencyWithdraw(ERC20 token) onlyOwner external {
#0 - c4-judge
2023-08-20T16:30:05Z
gzeon-c4 marked the issue as grade-b