Platform: Code4rena
Start Date: 12/08/2022
Pot Size: $50,000 USDC
Total HM: 15
Participants: 120
Period: 5 days
Judge: Justin Goro
Total Solo HM: 6
Id: 153
League: ETH
Rank: 76/120
Findings: 1
Award: $50.07
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0x1f8b
Also found by: 0x52, 0xA5DF, 0xDjango, 0xNazgul, 0xNineDec, 0xSmartContract, 0xmatt, 0xsolstars, Aymen0909, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, EthLedger, Funen, IllIllI, JC, Junnon, Lambda, LeoS, MiloTruck, Noah3o6, PaludoX0, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, SaharAP, Sm4rty, SooYa, The_GUILD, TomJ, Waze, Yiko, _Adam, __141345__, a12jmx, ak1, asutorufos, auditor0517, ayeslick, ballx, beelzebufo, berndartmueller, bin2chen, brgltd, c3phas, cRat1st0s, cccz, cryptonue, cryptphi, d3e4, delfin454000, dipp, djxploit, durianSausage, dy, erictee, fatherOfBlocks, gogo, gzeon, hyh, ignacio, kyteg, ladboy233, medikko, mics, minhquanym, oyc_109, pfapostol, rbserver, reassor, ret2basic, robee, sach1r0, simon135, sryysryy, tabish, yac, yash90, zzzitron
50.0701 USDC - $50.07
L-01: FraxlendPairDeployer.sol: deployCustom() should require name != "public", so that it cannot prevent deploy() from deploying the same configData
function deployCustom( string memory _name, bytes memory _configData, uint256 _maxLTV, uint256 _liquidationFee, uint256 _maturityDate, uint256 _penaltyRate, address[] memory _approvedBorrowers, address[] memory _approvedLenders ) external returns (address _pairAddress) { ... +++ require((keccak256(bytes(_name)) != keccak256(bytes("public"))),"invalid name"); _pairAddress = _deployFirst( keccak256(abi.encodePacked(_name)), _configData, abi.encode( CIRCUIT_BREAKER_ADDRESS, COMPTROLLER_ADDRESS, TIME_LOCK_ADDRESS, FRAXLEND_WHITELIST_ADDRESS ), _maxLTV, _liquidationFee, _maturityDate, _penaltyRate, _approvedBorrowers.length > 0, _approvedLenders.length > 0 );
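Review bot: The added require hashes the name as keccak256(bytes(_name)), and the very next statement hashes it again as keccak256(abi.encodePacked(_name)) for the salt passed to _deployFirst. Compute the hash once into a local bytes32 and use it for both the comparison and the salt, so the guard cannot drift from the value that is actually used. keccak256(bytes("public")) can be a constant instead of being recomputed on every call, and a short comment on why this one name is rejected would help, since "invalid name" alone does not say.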
L-02: FraxlendWhitelist and FraxlendPair should inherit their interfaces, to avoid method name errors
--- contract FraxlendWhitelist is Ownable { +++ contract FraxlendWhitelist is Ownable , IFraxlendWhitelist { ..
--- contract FraxlendPair is FraxlendPairCore { +++ contract FraxlendPair is IFraxlendPair, FraxlendPairCore { ...
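Review bot: The base list order is inconsistent between the two changed declarations: FraxlendWhitelist lists its interface last ("Ownable , IFraxlendWhitelist") while FraxlendPair lists it first ("IFraxlendPair, FraxlendPairCore"). Use one order in both, with the interface first as the most base-like type, and drop the stray space before the comma in the FraxlendWhitelist line.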
L-03: FraxlendPairCore.sol: add validity checks for maturityDate/_penaltyRate
maturityDate and _penaltyRate cannot be modified after they are set, and many access operations use these values, so it is recommended to add validity checks.
constructor( bytes memory _configData, bytes memory _immutables, uint256 _maxLTV, uint256 _liquidationFee, uint256 _maturityDate, uint256 _penaltyRate, bool _isBorrowerWhitelistActive, bool _isLenderWhitelistActive ) { ... // Set maturity date & penalty interest rate +++ require((_maturityDate == 0 || _maturityDate >= block.timestamp),"invalid maturityDate"); +++ require(_penaltyRate < 1e18, "invalid penaltyRate"); maturityDate = _maturityDate; penaltyRate = _penaltyRate;
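Review bot: The maturity check "_maturityDate >= block.timestamp" accepts a maturity equal to the deployment block's timestamp, so a pair can be created that is already at maturity. If that is not intended, use a strict ">" (keeping the "== 0" case as the no-maturity value). The bound in "require(_penaltyRate < 1e18, ...)" is a bare literal: name it as a constant and document which unit and precision penaltyRate is expressed in, so the limit can be checked against how the rate is applied.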