Platform: Code4rena
Start Date: 10/02/2022
Pot Size: $30,000 USDC
Total HM: 5
Participants: 24
Period: 3 days
Judge: harleythedog
Total Solo HM: 3
Id: 86
League: ETH
Rank: 21/24
Findings: 1
Award: $75.57
π Selected for report: 0
π Solo Findings: 0
π Selected for report: pauliax
Also found by: 0x1f8b, Dravee, GreyArt, Omik, ShippooorDAO, Tomio, bobi, cmichel, csanuragjain, defsec, gzeon, kenta, kenzo, m_smirnova2020, rfa, robee, sirhashalot, ye0lde
75.5694 USDC - $75.57
The latest FeeSplitter code introduced an ETH token address which is supposed to be used for token deposits judging from the getAmountDue comment:
contract FeeSplitter is Ownable, ReentrancyGuard { address private constant ETH = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE; /// @param _token ERC20 payment token address (or ETH_ADDR) function getAmountDue(address _account, IERC20 _token) public view returns (uint256) {} }
However:
releaseTokens with _token == WETH.receive reverts if not coming from WETH and sendFees is not payableIf ETH should indeed be a valid token, accept it by removing the restriction in receive or making sendFees payable.
There should be a special case in releaseTokens/releaseTokensNoETH for ETH.
function releaseTokens(IERC20[] calldata _tokens) external nonReentrant { uint256 amount; for (uint256 i = 0; i < _tokens.length; i++) { amount = _releaseToken(_msgSender(), _tokens[i]); if (address(_tokens[i]) == ETH) { (bool success, ) = _msgSender().call{ value: amount }(""); require(success, "FS: ETH_TRANFER_ERROR"); } else if ... } }
If ETH should not be used, remove the ETH definition again and fix the comment in getAmount.
#0 - maximebrugel
2022-02-10T16:57:37Z
We are only sending fees with ERC20 (so WETH and not ETH). In the releaseTokens tokens we are unwrapping the WETH to transfer ETH. The nestedFactory is wrapping ETH before sending fees.
But we should remove this variable =>
address private constant ETH = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE; and change comment.
#1 - harleythedogC4
2022-02-27T15:51:59Z
Since this is simply an issue of a misleading comment and an unused variable, I am downgrading this to low severity.
#2 - harleythedogC4
2022-02-27T21:41:11Z
Upon second thought, this makes more sense to be marked as a gas optimization
#3 - harleythedogC4
2022-03-13T03:28:56Z
My personal judgment: Valid and small-optimization
#4 - harleythedogC4
2022-03-13T06:21:05Z
Now, here is the methodology I used for calculating a score for each gas report. I first assigned each submission to be either small-optimization (1 point), medium-optimization (5 points) or large-optimization (10 points), depending on how useful the optimization is. The score of a gas report is the sum of these points, divided by the maximum number of points achieved by a gas report. This maximum number was 10 points, achieved by #67.
The number of points achieved by this report is 1 points. Thus the final score of this gas report is (1/10)*100 = 10.
#5 - CloudEllie
2022-03-24T15:35:37Z
Since this issue was downgraded to a Gas report, and the warden did not submit a separate Gas report, we've renamed this one to "Gas report" for consistency.
The original title, for the record, was "ETH rewards cannot be received & released from FeeSplitter."