Platform: Code4rena
Start Date: 06/01/2023
Pot Size: $210,500 USDC
Total HM: 27
Participants: 73
Period: 14 days
Judge: 0xean
Total Solo HM: 18
Id: 203
League: ETH
Rank: 47/73
Findings: 1
Award: $121.59
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: CodingNameKiki
Also found by: 0xA5DF, 0xAgro, 0xNazgul, 0xSmartContract, Aymen0909, BRONZEDISC, Bnke0x0, Breeje, Cyfrin, GalloDaSballo, HollaDieWaldfee, IceBear, IllIllI, MyFDsYours, RaymondFam, Ruhum, SaharDevep, Sathish9098, Soosh, Udsen, __141345__, brgltd, btk, carlitox477, chaduke, chrisdior4, cryptonue, delfin454000, descharre, hihen, joestakey, ladboy233, lukris02, luxartvinsec, peanuts, pedr02b2, rotcivegaf, shark, tnevler, yongskiws
121.587 USDC - $121.59
| L-N | Issue |
|---|---|
| [L‑01] | decimals() not part of ERC20 standard in BackingManager |
| [L‑02] | Use of deprecated safeApprove() function |
Total: 2 issues
| N-C | Issue |
|---|---|
| [NC‑01] | Use latest Solidity version |
| [NC‑02] | Use solidity's native units for dealing with time |
| [NC‑03] | Missing NatSpec |
| [NC‑04] | Structs declaration |
| [NC‑05] | Constants should be defined rather than using magic numbers |
| [NC‑06] | Forgot import |
| [NC‑07] | Missing override keyword |
| [NC‑08] | Typos |
Total: 8 issues
BackingManagerIn handoutExcessAssets function, the protocol wants to fetch all surplus asset balances (including collateral and RToken(which decimals are know but now for the collateral))'s decimals. However decimals() is not part of the official ERC20 standard and might fall for tokens that do not implement it. While in practice it is very unlikely, as usually most of the tokens implement it, this should still be considered as a potential issue.
In BackingManager.sol the grantRTokenAllowance() function makes use of safeApprove() two times. OpenZeppelin's safeApprove implementation is deprecated. Using this deprecated function can lead to unintended reverts and potentially the locking of funds.
Use latest Solidity version to get all compiler features, bugfixes and optimizations
Solidity provides some native units for dealing with time. We can use the following units: seconds, minutes, hours, days, weeks and years. These units will convert to a uint of the number of seconds in that specific length of time.
File: BackingManager.sol, Furnace.sol, StRSR.sol and Broker.sol
uint48 public constant MAX_TRADING_DELAY = 31536000; // {s} 1 year
uint48 public constant MAX_PERIOD = 31536000; // {s} 1 year
uint48 public constant MAX_UNSTAKING_DELAY = 31536000; // {s} 1 year uint48 public constant MAX_REWARD_PERIOD = 31536000; // {s} 1 year
uint48 public constant MAX_AUCTION_LENGTH = 604800; // {s} max valid duration - 1 week
Lines of code:
NatSpec documentation is essential for better understanding of the code by developers and auditors and is strongly recommended. Most of the functions in the contract are missing only a couple of params and returns documented. Consider adding natspec documentation for all the code.
It is a best practice to be declared in the interface not in the implementation contract.
Files: BasketHandler.sol, Distributor.sol, RToken.sol, StRSRVotes.sol
Files: BasketHandler.sol and Distributor.sol
uint256 shiftDelta = rawDelta + (FIX_ONE / 2);
require(share.rsrDist <= 10000, "RSR distribution too high"); require(share.rTokenDist <= 10000, "RToken distribution too high");
Lines of code:
In RevenueTrader, IRevenueTrader is inherited but not imported, add an import statement
Functions in the contracts are missing the override keyword although they are inheriting their interfaces where the functions are described.
Mointain -> Maintain in BackingManager.sol
setPrimeBakset -> setPrimeBasket in BasketHandler.sol
interepreted -> interpreted in BasketHandler.sol
adjaacent -> adjacent in RToken.sol
#0 - c4-judge
2023-01-25T00:13:06Z
0xean marked the issue as grade-b