Platform: Code4rena
Start Date: 07/09/2022
Pot Size: $20,000 CANTO
Total HM: 7
Participants: 65
Period: 1 day
Judge: 0xean
Total Solo HM: 3
Id: 159
League: ETH
Rank: 41/65
Findings: 1
Award: $39.22
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: lukris02
Also found by: 0x040, 0x1f8b, 0x52, 0xA5DF, 0xNazgul, 0xSky, Bnke0x0, Bronicle, CertoraInc, Chom, CodingNameKiki, Deivitto, Diraco, Dravee, EthLedger, IgnacioB, JC, JansenC, Jeiwan, R2, RaymondFam, ReyAdmirado, Rolezn, SinceJuly, TomJ, Tomo, Yiko, a12jmx, ajtra, ak1, codexploder, cryptphi, csanuragjain, erictee, fatherOfBlocks, gogo, hake, hansfriese, hickuphh3, ignacio, ontofractal, oyc_109, p_crypt0, pashov, peritoflores, rajatbeladiya, rbserver, rokinot, rvierdiiev, tnevler
242.8216 CANTO - $39.22
Contract: https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-core.sol#L99
Issue: In the setPeriodSize function, there is no check to validate that the new periodSize_ > 0, which can allow frequent price updates via the _update function.
Recommendation:
require(periodSize_>0, "Incorrect period size");
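The following added example (not code from this report or from the Canto repository) models why a zero period size matters. It assumes, as a simplification, that the pair stores a new price observation whenever the time since the last stored observation exceeds the period size; the class, function names and block times are hypothetical.

```python
# Simplified model of an observation-recording pair. ASSUMPTION: an observation
# is stored when (block time - last observation time) > period_size. This is a
# constructed model, not the BaseV1-core.sol source.

class PairModel:
    def __init__(self, period_size, start_ts=0):
        self.period_size = period_size
        self.observations = [start_ts]  # timestamps of stored observations

    def set_period_size_unchecked(self, period_size):
        # Mirrors the reported issue: no lower bound on the new value.
        self.period_size = period_size

    def set_period_size_checked(self, period_size):
        # Mirrors the recommended require(periodSize_ > 0, ...).
        if period_size <= 0:
            raise ValueError("Incorrect period size")
        self.period_size = period_size

    def update(self, block_ts):
        if block_ts - self.observations[-1] > self.period_size:
            self.observations.append(block_ts)


def simulate(period_size, block_times):
    """Run updates at the given block times with an unchecked period size."""
    pair = PairModel(1800)
    pair.set_period_size_unchecked(period_size)
    for ts in block_times:
        pair.update(ts)
    return pair


def window_covered(pair, points):
    """Seconds spanned by the last `points` observation intervals."""
    obs = pair.observations[-(points + 1):]
    return obs[-1] - obs[0]


# Constructed input: one pair update every 6 seconds for two hours.
BLOCK_TIMES = list(range(6, 7201, 6))

if __name__ == "__main__":
    for size in (1800, 0):
        p = simulate(size, BLOCK_TIMES)
        print(size, len(p.observations), window_covered(p, 3))
```

With the period size at zero, every update stores an observation, so a fixed number of recent observations spans seconds instead of hours.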
Contract: https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-core.sol#L555
Issue: In the setAdmin function, the zero address check is missing for admin.
Recommendation: Add the missing zero address check. The same goes for the skim/burn/mint functions.
Contract: https://github.com/code-423n4/2022-09-canto/blob/main/src/Swap/BaseV1-periphery.sol#L289
Issue: The removeLiquidity function, along with many swap functions, is missing checks to see whether the pair actually exists. These functions move forward with a pair that does not exist, process user funds, and even try to remove liquidity from these pairs.
Recommendation: Check whether the pair actually exists using the isPair function from the BaseV1 Factory.