Platform: Code4rena
Start Date: 02/08/2022
Pot Size: $50,000 USDC
Total HM: 12
Participants: 69
Period: 5 days
Judge: gzeon
Total Solo HM: 5
Id: 150
League: ETH
Rank: 42/69
Findings: 2
Award: $107.00
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0xDjango, 0xNazgul, 0xc0ffEE, 8olidity, Bnke0x0, Chom, CodingNameKiki, Deivitto, Dravee, Funen, JC, JohnSmith, NoamYakov, ReyAdmirado, Rohan16, Rolezn, Sm4rty, SooYa, TomFrenchBlockchain, TomJ, Waze, __141345__, ajtra, ak1, aysha, bin2chen, bobirichman, brgltd, bulej93, c3phas, delfin454000, durianSausage, erictee, fatherOfBlocks, gogo, horsefacts, hyh, ladboy233, mics, natzuu, nxrblsrpr, oyc_109, rbserver, samruna, sikorico, simon135, tofunmi, wagmi
67.7324 USDC - $67.73
OpenZeppelin recommends adding an empty constructor with the initializer modifier in order to avoid exploits.
File: contracts/proxy/MIMOProxy.sol, line 12:
contract MIMOProxy is IMIMOProxy, Initializable, BoringBatchable {
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxy.sol#L12
Add an empty constructor with the initializer modifier.
OpenZeppelin's main concern is contracts using UUPSUpgradeable. However, I would still recommend adding it to all contracts using Initializable as an extra layer of security: it marks the implementation as initialized at deployment, so there is no need to send a separate transaction invoking initialize() after deployment to ensure that no one else can initialize it.
constructor() initializer {}
Locking the pragma will make sure that the contract does not get deployed using outdated compiler versions.
File: contracts/proxy/MIMOProxy.sol, line 2:
pragma solidity >=0.8.4;
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxy.sol
File: contracts/proxy/MIMOProxyFactory.sol, line 2:
pragma solidity >=0.8.4;
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxyFactory.sol
File: contracts/proxy/interfaces/IMIMOProxyFactory.sol, line 2:
pragma solidity ^0.8.4;
File: contracts/proxy/interfaces/IMIMOProxyRegistry.sol, line 2:
pragma solidity ^0.8.4;
The function should revert if the intention is not to receive ether; otherwise, add functionality that handles the received ether.
File: contracts/proxy/MIMOProxy.sol, line 38:
receive() external payable {}
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxy.sol#L38
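The three QA recommendations above (empty initializer constructor, locked pragma, explicit receive() behaviour) combined in one illustrative contract. This is an added example, not MIMOProxy or any code from the audited repository; the contract name, the owner field and the OpenZeppelin upgradeable import path are assumptions.

```solidity
// SPDX-License-Identifier: MIT
// Pragma locked to one compiler version instead of ">=0.8.4", so the bytecode
// cannot be produced by an older or unexpected compiler.
pragma solidity 0.8.4;

// Assumed import path for OpenZeppelin's upgradeable Initializable base.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

// Hypothetical contract (not the audited MIMOProxy) that is meant to sit
// behind a proxy, so its state is set up in initialize() rather than in a
// constructor.
contract ProxyTarget is Initializable {
    address public owner;

    // Runs the initializer modifier once on the implementation contract at
    // deployment, marking it as already initialized. Without this, anyone
    // could call initialize() on the bare implementation and claim ownership.
    constructor() initializer {}

    // Executed once per proxy (in the proxy's storage context); a second call
    // in the same context is rejected by the initializer modifier.
    function initialize(address owner_) external initializer {
        owner = owner_;
    }

    // The contract does not intend to hold plain ether transfers, so instead
    // of an empty body the function rejects them explicitly.
    receive() external payable {
        revert("ProxyTarget: ether not accepted");
    }
}
```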
🌟 Selected for report: Dravee
Also found by: 0x040, 0x1f8b, 0xDjango, 0xNazgul, 0xSmartContract, 0xc0ffEE, Aymen0909, Bnke0x0, Chom, CodingNameKiki, Deivitto, Fitraldys, Funen, IllIllI, JC, JohnSmith, NoamYakov, ReyAdmirado, Rolezn, TomJ, Waze, ajtra, bearonbike, bobirichman, brgltd, c3phas, durianSausage, fatherOfBlocks, gogo, ignacio, jag, joestakey, ladboy233, mics, oyc_109, rbserver, samruna, sikorico, simon135
39.2722 USDC - $39.27
File: contracts/libraries/Errors.sol, line 11:
string public constant INVALID_AGGREGATOR = "1";
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/libraries/Errors.sol
File: contracts/actions/MIMOSwap.sol, lines 47-48:
require(proxy != address(0), Errors.INVALID_AGGREGATOR);
require(router != address(0), Errors.INVALID_AGGREGATOR);
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOSwap.sol
Changing FlashLoanData and params from memory to calldata will save gas, even though the function is internal.
File: contracts/actions/MIMOFlashloan.sol, line 51:
function _takeFlashLoan(FlashLoanData memory flData, bytes memory params) internal {
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOFlashloan.sol
If needed, the values can be inspected in the source code.
File: contracts/proxy/MIMOProxyFactory.sol:
uint256 public constant override VERSION = 1;
https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxyFactory.sol