Platform: Code4rena
Start Date: 01/08/2022
Pot Size: $50,000 USDC
Total HM: 26
Participants: 133
Period: 5 days
Judge: Jack the Pug
Total Solo HM: 6
Id: 151
League: ETH
Rank: 49/133
Findings: 2
Award: $90.31
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MiloTruck
Also found by: 0x52, 8olidity, Ruhum, __141345__, cccz, codexploder, cryptonue, hansfriese, sseefried
There is no higher cap limit on lenderFee which allows Admin to set this to abrupt high values. The impact will be seen at lendToProject , where most of funds for project will move to lender fee
function replaceLenderFee(uint256 _newLenderFee) external override onlyAdmin { // Revert if no change in lender fee require(lenderFee != _newLenderFee, "HomeFi::!Change"); // Reset variables lenderFee = _newLenderFee; emit LenderFeeReplaced(_newLenderFee); }
As we can see that "lenderFee " is directly assigned the passed in value of "_newLenderFee" without any max value check
This directly impacts lendToProject as _amountToProject will be calculated after deducting _lenderFee. This _lenderFee will move to treasury which is controlled by Admin
function lendToProject( uint256 _communityID, address _project, uint256 _lendingAmount, bytes calldata _hash ) external virtual override nonReentrant whenNotPaused isPublishedToCommunity(_communityID, _project) { .... uint256 _lenderFee = (_lendingAmount * _projectInstance.lenderFee()) / (_projectInstance.lenderFee() + 1000); // Calculate amount going to project. Lending amount - lending fee. uint256 _amountToProject = _lendingAmount - _lenderFee; .... }
Keep a max cap for lenderFee which will prevent any abrupt value being set by Admin
#0 - horsefacts
2022-08-06T21:53:03Z
Duplicate of https://github.com/code-423n4/2022-08-rigor-findings/issues/252 (lender can extract 100% fee)
🌟 Selected for report: Lambda
Also found by: 0x1f8b, 0x52, 0xA5DF, 0xNazgul, 0xNineDec, 0xSmartContract, 0xSolus, 0xf15ers, 0xkatana, 0xsolstars, 8olidity, Aymen0909, Bahurum, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, Extropy, Funen, GalloDaSballo, Guardian, IllIllI, JC, Jujic, MEP, Noah3o6, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, SooYa, Soosh, Throne6g, TomJ, Tomio, TrungOre, Waze, Yiko, _Adam, __141345__, a12jmx, ajtra, ak1, arcoun, asutorufos, ayeslick, benbaessler, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, byndooa, c3phas, codexploder, cryptonue, cryptphi, defsec, delfin454000, dipp, djxploit, erictee, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, horsefacts, hyh, ignacio, indijanc, joestakey, kaden, mics, minhquanym, neumo, obront, oyc_109, p_crypt0, pfapostol, poirots, rbserver, robee, rokinot, rotcivegaf, sach1r0, saian, samruna, saneryee, scaraven, sikorico, simon135, sseefried, supernova
40.621 USDC - $40.62
Contract: Disputes
Issue: In case signature provided is invalid, SignatureDecoder.recoverKey will return with 0 address. The function still process this 0 address and creates a new dispute with 0 address owner
Recommendation: Kindly add below check:
function raiseDispute(bytes calldata _data, bytes calldata _signature) external override onlyProject { // Recover signer from signature address _signer = SignatureDecoder.recoverKey( keccak256(_data), _signature, 0 ); require(_signer != address(0), "Incorrect signature"); }
Contract: Disputes
Issue: It seems that user can call the initialize function before owner has chance to do the same. This will initialize the homeFi variable incorrectly. Although this is not serious as Owner can immediately discard this contract but would be good to restrict this function
Recommendation: Kindly allow only owner/deployer to call this function