Swivel v3 contest - cryptphi's results

The Capital-Efficient Protocol For Fixed-Rate Lending.

General Information

Platform: Code4rena

Start Date: 12/07/2022

Pot Size: $35,000 USDC

Total HM: 13

Participants: 78

Period: 3 days

Judge: 0xean

Total Solo HM: 6

Id: 135

League: ETH

Swivel

Findings Distribution

Researcher Performance

Rank: 57/78

Findings: 1

Award: $44.78

🌟 Selected for report: 0

🚀 Solo Findings: 0

  1. Tautology or contradiction

The following expressions are tautologies:

As seen, IYearn.deposit() returns uint256, hence IYearn(c).deposit(a) >= 0 will always be true. https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L712

IErc4626.deposit() returns uint256, hence IErc4626(c).deposit(a, address(this)) >= 0 will always be true. https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L727

IYearn.withdraw() returns uint256, hence IYearn(c).withdraw(a) >= 0 will always be true. https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L745

IAave.withdraw() returns uint256, hence IAave(aaveAddr).withdraw(u, a, address(this)) >= 0 will always be true. https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L749

IErc4626.withdraw() returns uint256, hence IErc4626(c).withdraw(a, address(this), address(this)) >= 0 will always be true. https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L757

  2. Missing events and emit

The following functions are missing emits and/or events for their operations, which could be useful in third-party monitoring.

Swivel.setAdmin() - https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L428-L432

  3. Missing zero address check

The following functions are missing a zero address check for the corresponding parameter:

Swivel.setAdmin() - https://github.com/code-423n4/2022-07-swivel/blob/main/Swivel/Swivel.sol#L428-L432

MarketPlace.constructor() - https://github.com/code-423n4/2022-07-swivel/blob/main/Marketplace/MarketPlace.sol#L38-L40

MarketPlace.setSwivel() - https://github.com/code-423n4/2022-07-swivel/blob/main/Marketplace/MarketPlace.sol#L45

MarketPlace.setAdmin() - https://github.com/code-423n4/2022-07-swivel/blob/main/Marketplace/MarketPlace.sol#L53

#0 - robrobbins

2022-08-11T00:38:41Z

  1. took a look. it's not tautology or contradiction. it's simply casting any returned uint as a truthy boolean, which is what we want. this normalizes those with the compound (==0) and Euler (void method, hard coded true). this is all in the "revert or return true" pattern a la ERC20 txs.
  2. discussed. no.
  3. no
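
The "revert or return true" normalization discussed in item 1 and in the reply above, as an added example that is not Swivel's code and not part of either post. The interfaces, their signatures and the DepositAdapter contract are simplified, hypothetical assumptions chosen to show the three return conventions side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical, simplified interfaces (assumptions, not the audited code).
interface ICompoundLike { function mint(uint256 amount) external returns (uint256); }    // 0 means success
interface IYearnLike    { function deposit(uint256 amount) external returns (uint256); } // shares minted
interface IEulerLike    { function deposit(uint256 subAccount, uint256 amount) external; } // no return value

contract DepositAdapter {
    enum Protocol { Compound, Yearn, Euler }

    /// Normalizes three return conventions to a single bool so the caller
    /// can use one `if (!deposit(...)) revert ...` check for every protocol.
    function deposit(Protocol p, address c, uint256 a) internal returns (bool) {
        if (p == Protocol.Compound) {
            // Error-code convention: a nonzero code is a failure, so this
            // comparison can genuinely evaluate to false.
            return ICompoundLike(c).mint(a) == 0;
        } else if (p == Protocol.Yearn) {
            // `x >= 0` is always true for uint256, so this branch means
            // "make the call, then return true". Failure is only ever
            // signalled by the callee reverting.
            return IYearnLike(c).deposit(a) >= 0;
        } else {
            // No return value at all: the true is hard coded.
            IEulerLike(c).deposit(0, a);
            return true;
        }
    }

    /// Same runtime behaviour as the Yearn branch above, written so that
    /// the always-true result does not look like a real check.
    function depositYearnExplicit(address c, uint256 a) internal returns (bool) {
        IYearnLike(c).deposit(a); // reverts on failure; share count intentionally unused
        return true;
    }
}
```

Both Yearn variants behave identically at runtime; the difference is only whether a reader or a static-analysis tool sees a comparison that can never be false.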