Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 95/101
Findings: 1
Award: $33.58
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
33.5761 USDC - $33.58
In the contracts, floating pragmas should not be used. Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
// SPDX-License-Identifier: GPL-3.0-or-later
pragma solidity ^0.8.4;

// SPDX-License-Identifier: GPL-3.0-or-later
pragma solidity ^0.8.4;
Missing @params
/// @notice base used to compute the redemption amounts.
/// For instance, if the base is 100, and a user provides 100 `redeemedToken`,
/// they will receive all the balances of each `tokensReceived` held on this contract.
uint256 public redeemBase;

constructor(
    address _redeemedToken,
    address[] memory _tokensReceived,
    uint256 _redeemBase
) {
    redeemedToken = _redeemedToken;
    tokensReceived = _tokensReceived;
    redeemBase = _redeemBase;
}

/// @notice Return the balances of `tokensReceived` that would be
/// transferred if redeeming `amountIn` of `redeemedToken`.
function previewRedeem(uint256 amountIn) public view returns (address[] memory tokens, uint256[] memory amountsOut)

/// @notice Redeem `redeemedToken` for a pro-rata basket of `tokensReceived`
function redeem(address to, uint256 amountIn) external nonReentrant {
    IERC20(redeemedToken).safeTransferFrom(msg.sender, address(this), amountIn);
MerkleRedeemerDripper.sol#L7-L16
/// @notice Drips ERC20 tokens to the RariMerkleRedeemer contract
/// @author kryptoklob
contract MerkleRedeemerDripper is ERC20Dripper {
    constructor(
        address _core,
        address _target,
        uint256 _dripPeriod,
        uint256 _amountToDrip,
        address _token
    ) ERC20Dripper(_core, _target, _dripPeriod, _amountToDrip, _token) {}
All the functions in RariMerkleRedeemer.sol are missing @param
All the functions in RariMerkleRedeemer.sol are missing @notice
Constants should be named with all capital letters with underscores separating words.
- address public constant balanceReportedIn = address(DAI); + address public constant BALANCE_REPORTED_IN = address(DAI);
- uint256 public constant mintFeeBasisPoints = 0; - uint256 public constant redeemFeeBasisPoints = 0; - address public constant underlyingToken = address(DAI); - uint256 public constant getMaxMintAmountOut = type(uint256).max; - bool public constant paused = false; - bool public constant redeemPaused = false; - bool public constant mintPaused = false; + uint256 public constant MINT_FEE_BASIS_POINTS = 0; + uint256 public constant REDEEM_FEE_BASIS_POINTS = 0; + address public constant UNDERLYING_TOKEN = address(DAI); + uint256 public constant GET_MAX_MINT_AMOUNT_OUT = type(uint256).max; + bool public constant PAUSED = false; + bool public constant REDEEM_PAUSED = false; + bool public constant MINT_PAUSED = false;
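Review bot: every constant renamed here and in the `balanceReportedIn` change above is `public`, so the rename also renames its compiler-generated getter and changes the contract's external interface: `paused()`, `underlyingToken()`, `getMaxMintAmountOut()` and the rest stop existing under those names. Before applying it, check whether these constants satisfy an interface or are read by other contracts or off-chain callers under the camelCase names. If they are, keep the existing names, or make the constants non-public under the upper-case names and expose explicit getter functions with the old names.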
When deploying contracts, you should use the latest released version of Solidity. Apart from exceptional cases, only the latest version receives security fixes. Furthermore, breaking changes as well as new features are introduced regularly. The latest version is 0.8.17.
pragma solidity ^0.8.4;
pragma solidity ^0.8.4;
pragma solidity =0.8.10;
pragma solidity =0.8.10;
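A check for both pragma findings (floating pragmas and files locked to different or outdated compiler versions), written as an added example that is not part of the original report or the audited project. The file names `A.sol`, `B.sol`, `C.sol` and the sample sources are constructed placeholders; the target version is the 0.8.17 stated above.

```python
import re

# Matches a Solidity version pragma and captures its version expression.
PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+([^;]+);", re.MULTILINE)
# An exact pin is a bare or '='-prefixed x.y.z with nothing else.
EXACT_RE = re.compile(r"^=?\s*(\d+)\.(\d+)\.(\d+)$")


def classify_pragma(source):
    """Return (kind, version_tuple_or_None, raw_expression) for one source file."""
    m = PRAGMA_RE.search(source)
    if m is None:
        return ("missing", None, "")
    expr = m.group(1).strip()
    pin = EXACT_RE.match(expr)
    if pin:
        return ("locked", tuple(int(p) for p in pin.groups()), expr)
    return ("floating", None, expr)  # ^, ~, >=, ranges, wildcards


def audit(sources, target):
    """Check every file against the single compiler version used in testing.

    sources: {filename: source text}; target: (major, minor, patch).
    Returns a sorted list of (filename, issue) tuples; empty means consistent.
    """
    issues = []
    for name, text in sources.items():
        kind, version, expr = classify_pragma(text)
        if kind == "missing":
            issues.append((name, "no version pragma"))
        elif kind == "floating":
            issues.append((name, f"floating pragma '{expr}'"))
        elif version != target:
            have = ".".join(map(str, version))
            want = ".".join(map(str, target))
            issues.append((name, f"locked to {have}, expected {want}"))
    return sorted(issues)


# Constructed sample inputs; file names A.sol/B.sol/C.sol are placeholders.
SAMPLES = {
    "A.sol": "// SPDX-License-Identifier: GPL-3.0-or-later\npragma solidity ^0.8.4;\n",
    "B.sol": "pragma solidity =0.8.10;\ncontract B {}\n",
    "C.sol": "pragma solidity 0.8.17;\ncontract C {}\n",
}

if __name__ == "__main__":
    for name, issue in audit(SAMPLES, target=(0, 8, 17)):
        print(f"{name}: {issue}")
```

Run in CI over the real source tree, a non-empty result fails the build before a contract can be compiled with a version other than the one it was tested with.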
Functions should be grouped according to their visibility and ordered.
In TribeRedeemer.sol, the correct order of functions according to visibility should be:
function redeem(address to, uint256 amountIn) external nonReentrant
function tokensReceivedOnRedeem() public view returns (address[] memory)
function previewRedeem(uint256 amountIn) public view returns (address[] memory tokens, uint256[] memory amountsOut)
- uint256 public constant mintFeeBasisPoints = 0; + uint256 public constant mintFeeBasisPoints; - uint256 public constant redeemFeeBasisPoints = 0; + uint256 public constant redeemFeeBasisPoints;
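Review bot: the two `+` lines declare `mintFeeBasisPoints` and `redeemFeeBasisPoints` as `constant` without a value, which the Solidity compiler rejects because a constant must be assigned where it is declared. Keep the `= 0` initializers. The usual advice to drop default-value initialization applies to ordinary variables, not to constants, whose value is fixed at compile time.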
for (uint256 i = 0; i < tokensReceived.length; i++)
for (uint256 i = 0; i < tokens.length; i++)
for (uint256 i = 0; i < _cTokens.length; i++)
for (uint256 i = 0; i < _cTokens.length; i++)
for (uint256 i = 0; i < _cTokens.length; i++)
for (uint256 i = 0; i < cTokens.length; i++)
for (uint256 i = 0; i < cTokens.length; i++)