Back to ch0bu's contests

Astaria contest - ch0bu's results

On a mission is to build a highly liquid NFT lending market.

General Information

Platform: Code4rena

Start Date: 05/01/2023

Pot Size: $90,500 USDC

Total HM: 55

Participants: 103

Period: 14 days

Judge: Picodes

Total Solo HM: 18

Id: 202

League: ETH

Astaria

Findings Distribution

Researcher Performance

Rank: 91/103

Findings: 1

Award: $51.32

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAstaria

Findings Information

🌟 Selected for report: ladboy233

Also found by: 0x1f8b, 0xAgro, 0xSmartContract, 0xbepresent, 0xkato, Aymen0909, CodingNameKiki, Cryptor, Deekshith99, Deivitto, HE1M, IllIllI, Kaysoft, Koolex, PaludoX0, Qeew, RaymondFam, Rolezn, Sathish9098, Tointer, a12jmx, arialblack14, ast3ros, ayeslick, bin2chen, btk, caventa, ch0bu, chaduke, chrisdior4, delfin454000, descharre, evan, fatherOfBlocks, georgits, gz627, jasonxiale, joestakey, kaden, lukris02, nicobevi, nogo, oberon, oyc_109, pfapostol, rbserver, sakshamguruji, seeu, shark, simon135, slvDev, synackrst, tnevler, whilom, zaskoh

Awards

51.3151 USDC - $51.32

Labels

bug
grade-b
QA (Quality Assurance)
Q-51

External Links

Link to GitHub issue

1. File does not contain an SPDX Identifier

https://github.com/code-423n4/2023-01-astaria/blob/main/src/interfaces/IERC721.sol https://github.com/code-423n4/2023-01-astaria/blob/main/src/interfaces/IV3PositionManager.sol https://github.com/AstariaXYZ/astaria-gpl/blob/4b49fe993d9b807fe68b3421ee7f2fe91267c9ef/src/interfaces/IWETH9.sol

2. Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom

It is good to add a require() statement that checks the return value of token transfers or to use something like OpenZeppelin’s safeTransfer/safeTransferFrom unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract.

Reference: This similar medium-severity finding from Consensys Diligence Audit of Fei Protocol: https://consensys.net/diligence/audits/2021/01/fei-protocol/#unchecked-return-value-for-iweth-transfer-call

3. Consider adding checks for signature malleability

SWC-117: "The implementation of a cryptographic signature system in Ethereum contracts often assumes that the signature is unique, but signatures can be altered without the possession of the private key and still be valid. The EVM specification defines several so-called ‘precompiled’ contracts one of them being ecrecover which executes the elliptic curve public key recovery. A malicious user can slightly modify the three values v, r and s to create other valid signatures. A system that performs signature verification on contract level might be susceptible to attacks if the signature is part of the signed message hash. Valid signatures could be created by a malicious user to replay previously signed messages."

Use OpenZeppelin’s ECDSA contract rather than calling ecrecover() directly.

https://github.com/AstariaXYZ/astaria-gpl/blob/4b49fe993d9b807fe68b3421ee7f2fe91267c9ef/src/ERC20-Cloned.sol#L121-L141 https://github.com/code-423n4/2023-01-astaria/blob/main/src/VaultImplementation.sol#L246-L257

4. Function order

Functions should be ordered following the Solidity conventions:

"Functions should be grouped according to their visibility and ordered:

  • constructor
  • receive function (if exists)
  • fallback function (if exists)
  • external
  • public
  • internal
  • private"

In a lot of contracts this best practice has not been followed.

5. Avoid nested if statements

For better readability and analysis it is better to avoid nested if blocks.

https://github.com/AstariaXYZ/astaria-gpl/blob/4b49fe993d9b807fe68b3421ee7f2fe91267c9ef/src/ERC4626-Cloned.sol#L62-L68 https://github.com/code-423n4/2023-01-astaria/blob/main/src/LienToken.sol#L212-L216 https://github.com/code-423n4/2023-01-astaria/blob/main/src/LienToken.sol#L438-L446 https://github.com/code-423n4/2023-01-astaria/blob/main/src/LienToken.sol#L829-L834 https://github.com/code-423n4/2023-01-astaria/blob/main/src/AstariaRouter.sol#L367-L391 https://github.com/code-423n4/2023-01-astaria/blob/main/src/PublicVault.sol#L159-L165 https://github.com/code-423n4/2023-01-astaria/blob/main/src/PublicVault.sol#L291-L301 https://github.com/code-423n4/2023-01-astaria/blob/main/src/PublicVault.sol#L371-L382 https://github.com/code-423n4/2023-01-astaria/blob/main/src/CollateralToken.sol#L306-L313 https://github.com/code-423n4/2023-01-astaria/blob/main/src/CollateralToken.sol#L563-L582

6. _safeMint() should be used rather than _mint() wherever possible

_mint() is discouraged in favor of _safeMint() which ensures that the recipient is either an EOA or implements IERC721Receiver. Both OpenZeppelin and solmate have versions of this function so that NFTs aren’t lost if they’re minted to contracts that cannot transfer them back out.

https://github.com/code-423n4/2023-01-astaria/blob/main/src/CollateralToken.sol#L588 https://github.com/AstariaXYZ/astaria-gpl/blob/4b49fe993d9b807fe68b3421ee7f2fe91267c9ef/src/ERC4626-Cloned.sol#L31 https://github.com/AstariaXYZ/astaria-gpl/blob/4b49fe993d9b807fe68b3421ee7f2fe91267c9ef/src/ERC4626-Cloned.sol#L47 https://github.com/code-423n4/2023-01-astaria/blob/main/src/LienToken.sol#L455 https://github.com/code-423n4/2023-01-astaria/blob/main/src/PublicVault.sol#L512

#0 - c4-judge

2023-01-26T14:55:18Z

Picodes marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter