Platform: Code4rena
Start Date: 01/07/2022
Pot Size: $75,000 USDC
Total HM: 17
Participants: 105
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 5
Id: 143
League: ETH
Rank: 20/105
Findings: 5
Award: $713.69
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xNineDec
Also found by: 0x1f8b, 0x29A, 0x52, 0xDjango, 0xdanial, 0xf15ers, Cheeezzyyyy, Chom, Franfran, GalloDaSballo, Green, IllIllI, Meera, Ruhum, bardamu, cccz, codexploder, defsec, hake, hansfriese, horsefacts, hubble, hyh, jonatascm, kebabsec, oyc_109, pashov, rbserver, simon135, tabish, tintin, zzzitron
14.8726 USDC - $14.87
https://etherscan.io/address/0x729eE70bfdF65bEc7A530Fd49F644d07D0b2c087#L42 https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5#L1
latestRoundData is used without proper validation, and the contract is actively deployed on Ethereum mainnet at address 0x729eE70bfdF65bEc7A530Fd49F644d07D0b2c087.
  function currentPrice(uint256 _decimals) external view override returns (uint256) {
    // Get the latest round information. Only the price is needed.
    (, int256 _price, , , ) = feed.latestRoundData();

    // Get a reference to the number of decimals the feed uses.
    uint256 _feedDecimals = feed.decimals();

    // Return the price, adjusted to the target decimals.
    return uint256(_price).adjustDecimals(_feedDecimals, _decimals);
  }
Change the function to:
  (uint80 round, int256 _price, , uint256 latestTimestamp, uint80 answeredInRound) = feed.latestRoundData();
  require(_price > 0, "price <= 0");
  require(answeredInRound >= round, "Stale price");
  require(latestTimestamp != 0, "Round not complete");
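An added example (not the project's code) of a complete guarded feed read. Beyond the three checks above it also bounds the age of the answer, because a non-zero updatedAt only proves the round once completed, not that the feed is still live; the Chainlink interface is declared inline and maxStaleness is an assumed constructor parameter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Chainlink's AggregatorV3Interface, declared inline so the example is self-contained.
interface AggregatorV3Interface {
  function decimals() external view returns (uint8);
  function latestRoundData()
    external
    view
    returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract GuardedChainlinkFeed {
  AggregatorV3Interface public immutable feed;
  // Assumed freshness bound: the longest gap tolerated since the feed's last update.
  // Pick it from the aggregator's heartbeat plus a safety margin for the real deployment.
  uint256 public immutable maxStaleness;

  error InvalidPrice();
  error StalePrice();
  error IncompleteRound();

  constructor(AggregatorV3Interface _feed, uint256 _maxStaleness) {
    feed = _feed;
    maxStaleness = _maxStaleness;
  }

  function currentPrice(uint256 _decimals) external view returns (uint256) {
    (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

    // A zero or negative answer is never a usable price.
    if (answer <= 0) revert InvalidPrice();
    // updatedAt == 0 means the round has not completed.
    if (updatedAt == 0) revert IncompleteRound();
    // The answer must belong to the round reported, and must be recent.
    if (answeredInRound < roundId) revert StalePrice();
    if (block.timestamp - updatedAt > maxStaleness) revert StalePrice();

    // Rescale from the feed's decimals to the requested decimals (inline, no library).
    uint256 price = uint256(answer);
    uint256 feedDecimals = feed.decimals();
    if (feedDecimals == _decimals) return price;
    if (feedDecimals > _decimals) return price / 10**(feedDecimals - _decimals);
    return price * 10**(_decimals - feedDecimals);
  }
}
```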
#0 - mejango
2022-07-12T17:59:28Z
dup of #138
🌟 Selected for report: horsefacts
Also found by: 0x1f8b, 0x29A, 0x52, 0xf15ers, AlleyCat, Ch_301, Chom, Franfran, IllIllI, Kaiziron, Limbooo, Meera, Ruhum, Sm4rty, apostle0x01, berndartmueller, cccz, cloudjunky, codexploder, cryptphi, delfin454000, durianSausage, fatherOfBlocks, hake, hansfriese, hyh, jonatascm, m_Rassska, oyc_109, peritoflores, rajatbeladiya, rbserver, svskaushik, zzzitron
3.4075 USDC - $3.41
There is no check to verify whether the transfer succeeded. A user calling _transferFrom will believe the transfer succeeded even when it failed.
  function _transferFrom(
    address _from,
    address payable _to,
    uint256 _amount
  ) internal override {
    _from == address(this)
      ? IERC20(token).transfer(_to, _amount)
      : IERC20(token).transferFrom(_from, _to, _amount);
  }
Always check the return value of transfer/transferFrom and revert if it returns false.
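An added example (not the project's code) of a checked version of _transferFrom. It keeps the same shape as the function above but verifies the outcome of the token call, and also handles tokens that return no value at all, for which a plain require on the bool would itself revert; token is an assumed immutable state variable and the ERC-20 interface is declared inline.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Minimal ERC-20 surface needed here, declared inline to keep the example self-contained.
interface IERC20 {
  function transfer(address to, uint256 amount) external returns (bool);
  function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

abstract contract CheckedTokenTransfer {
  // Assumed state variable: the ERC-20 this terminal moves, as in the page's _transferFrom.
  address public immutable token;

  error TransferFailed();

  constructor(address _token) {
    token = _token;
  }

  // Same branches as the page's _transferFrom, but the result is now verified.
  function _transferFrom(address _from, address payable _to, uint256 _amount) internal {
    bytes memory data = _from == address(this)
      ? abi.encodeWithSelector(IERC20.transfer.selector, _to, _amount)
      : abi.encodeWithSelector(IERC20.transferFrom.selector, _from, _to, _amount);
    _callAndCheck(data);
  }

  // Executes the token call and reverts unless it succeeded. A standard token returns
  // `true`; some widely used tokens return nothing, and an empty return is accepted only
  // when the target actually has code, so a call to an empty address cannot pass as a
  // silent success.
  function _callAndCheck(bytes memory data) private {
    (bool ok, bytes memory ret) = token.call(data);
    if (!ok) revert TransferFailed();
    if (ret.length == 0) {
      if (token.code.length == 0) revert TransferFailed();
      return;
    }
    if (!abi.decode(ret, (bool))) revert TransferFailed();
  }
}
```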
#0 - drgorillamd
2022-07-12T15:43:56Z
duplicate of #281
#1 - jack-the-pug
2022-07-24T01:58:35Z
Duplicate of #242
🌟 Selected for report: bardamu
Also found by: GalloDaSballo, berndartmueller, codexploder, horsefacts
562.6794 USDC - $562.68
There is no way to change an existing currency/base price feed. If a bug is identified in the current feed address, this contract is stuck with the old, buggy address.
Observe the addFeedFor function.
Assume the owner added a new feed: feedFor[_currency][_base] = _feed;
After some time, a new security issue is discovered in the _feed address.
The owner wants to update the feed so that incorrect prices don't get returned because of the security issue.
However, due to the require condition below, the owner is unable to update _feed:
  if (feedFor[_currency][_base] != IJBPriceFeed(address(0))) revert PRICE_FEED_ALREADY_EXISTS();
Implement a new function that allows an existing currency/base price feed to be modified.
#0 - mejango
2022-07-12T17:58:35Z
By design. Treasuries can be upgraded to a new feed, but no one has access to rug feeds.
#1 - jack-the-pug
2022-08-07T07:23:50Z
Duplicate of #59
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xdanial, 0xf15ers, Bnke0x0, Ch_301, Chandr, Chom, Funen, GimelSec, Hawkeye, JC, Kaiziron, Lambda, Meera, MiloTruck, Noah3o6, Picodes, ReyAdmirado, Rohan16, Sm4rty, TerrierLover, TomJ, Waze, _Adam, __141345__, asutorufos, aysha, berndartmueller, brgltd, cccz, codexploder, defsec, delfin454000, djxploit, durianSausage, fatherOfBlocks, hake, horsefacts, hubble, jayfromthe13th, joestakey, jonatascm, m_Rassska, oyc_109, pashov, rajatbeladiya, rbserver, robee, sach1r0, sahar, samruna, simon135, svskaushik, zzzitron
94.5013 USDC - $94.50
Function: issueFor
Issue: two tokens can have the same symbol and name, which means one project can steal the token identity of another project.
Recommendation: if a name/symbol pair already exists, the token should not be created.
Function: setMetadataOf
Issue: no check to verify whether the metadata content or domain is empty.
Recommendation: add a check that the content is not missing:
  if (bytes(_metadata.content).length > 0) metadataContentOf[projectId][_metadata.domain] = _metadata.content;
Function: _getStructsFor
Recommendation: the comment // projectId in bits 32-89. should read // projectId in bits 34-89.
Function: _set
Issue: right now the beneficiary of a split can be set to the zero address.
Recommendation: check that _splits[_i].beneficiary is not address(0):
  require(_splits[_i].beneficiary != address(0), "Beneficiary cannot be 0");
Recommendation: change the comment to // Mint the project into the wallet of the owner.
🌟 Selected for report: 0xA5DF
Also found by: 0v3rf10w, 0x09GTO, 0x1f8b, 0x29A, 0xDjango, 0xKitsune, 0xNazgul, 0xdanial, 0xf15ers, Aymen0909, Bnke0x0, Ch_301, Cheeezzyyyy, Chom, ElKu, Funen, Hawkeye, IllIllI, JC, JohnSmith, Kaiziron, Lambda, Limbooo, Meera, Metatron, MiloTruck, Noah3o6, Picodes, Randyyy, RedOneN, ReyAdmirado, Rohan16, Saintcode_, Sm4rty, TomJ, Tomio, Tutturu, UnusualTurtle, Waze, _Adam, __141345__, ajtra, apostle0x01, asutorufos, brgltd, c3phas, cRat1st0s, codexploder, defsec, delfin454000, djxploit, durianSausage, exd0tpy, fatherOfBlocks, hake, horsefacts, ignacio, jayfromthe13th, joestakey, jonatascm, kaden, kebabsec, m_Rassska, mektigboy, mrpathfindr, oyc_109, rajatbeladiya, rbserver, rfa, robee, sach1r0, sashik_eth, simon135
38.2306 USDC - $38.23
Function: setTerminalsOf
Issue: the inner loop bound should be _j < _terminals.length - 1, since _j always starts at _i + 1; the last iteration of the _i loop is _terminals.length - 1, at which point _j should only run up to _terminals.length - 2 since _j = _i + 1.
Recommendation: change the loop as below:
  for (uint256 _j = _i + 1; _j < _terminals.length - 1; _j++)
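An added example (not the project's code) of the pairwise duplicate-terminal check with the redundant iteration removed. It assumes the original inner loop ran _j up to _terminals.length, and it trims the bound on the outer loop rather than the inner one, because trimming the inner bound would leave the last element uncompared.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Hypothetical contract carrying only the duplicate-terminal check.
contract TerminalSetChecker {
  error DUPLICATE_TERMINALS();

  // Pairwise duplicate check over the terminal list. The OUTER loop stops at n - 1:
  // when _i is the last index, _j would start at n and the inner loop would not run,
  // so that final outer iteration is pure overhead and can be dropped safely.
  // Trimming the INNER bound instead (`_j < n - 1`) would never compare anything
  // against the last element, so a list whose duplicate sits in the final slot
  // (for example [a, a] with n == 2) would pass the check.
  function checkNoDuplicates(address[] calldata _terminals) external pure {
    uint256 n = _terminals.length;
    // Nothing to compare; also avoids the n - 1 underflow for an empty list.
    if (n < 2) return;
    for (uint256 _i; _i < n - 1; _i++) {
      for (uint256 _j = _i + 1; _j < n; _j++) {
        if (_terminals[_i] == _terminals[_j]) revert DUPLICATE_TERMINALS();
      }
    }
  }
}
```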
#0 - drgorillamd
2022-07-13T13:12:54Z
Really nice catch!