Fraxlend (Frax Finance) contest - cryptphi's results

Fraxlend: A permissionless lending platform and the final piece of the Frax Finance Defi Trinity.

General Information

Platform: Code4rena

Start Date: 12/08/2022

Pot Size: $50,000 USDC

Total HM: 15

Participants: 120

Period: 5 days

Judge: Justin Goro

Total Solo HM: 6

Id: 153

League: ETH

Frax Finance

Findings Distribution

Researcher Performance

Rank: 14/120

Findings: 2

Award: $507.96

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Frax Finance

Findings Information

🌟 Selected for report: 0x52

Also found by: Lambda, berndartmueller, cryptphi

Labels

bug

duplicate

2 (Med Risk)

Awards

462.1238 USDC - $462.12

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#L717 https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPair.sol#L120-L150

Vulnerability details

Impact

_totalBorrow.toShares() in FraxlendPairCore.withdraw() rounds Up instead of round down.

previewDeposit() in FraxlendPair.sol

maxDeposit() in FraxlendPair.sol is meant to have a view stateMutability and not pure. - https://eips.ethereum.org/EIPS/eip-4626#maxDeposit

maxMint() in FraxlendPair.sol is meant to have a view stateMutability and not pure. - https://eips.ethereum.org/EIPS/eip-4626#maxMint

previewMint() in FraxlendPair.sol

previewWithdraw() in FraxlendPair.sol

Tools Used

Manual review

Recommended Mitigation Steps

Functions should align as documented in EIP 4626 , for example maxMint() should be a view function instead.

#0 - amirnader-ghazvini
2022-08-29T18:43:42Z

Duplicate of #79

Findings Information

🌟 Selected for report: 0x1f8b

Also found by: 0x52, 0xA5DF, 0xDjango, 0xNazgul, 0xNineDec, 0xSmartContract, 0xmatt, 0xsolstars, Aymen0909, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, EthLedger, Funen, IllIllI, JC, Junnon, Lambda, LeoS, MiloTruck, Noah3o6, PaludoX0, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, SaharAP, Sm4rty, SooYa, The_GUILD, TomJ, Waze, Yiko, _Adam, __141345__, a12jmx, ak1, asutorufos, auditor0517, ayeslick, ballx, beelzebufo, berndartmueller, bin2chen, brgltd, c3phas, cRat1st0s, cccz, cryptonue, cryptphi, d3e4, delfin454000, dipp, djxploit, durianSausage, dy, erictee, fatherOfBlocks, gogo, gzeon, hyh, ignacio, kyteg, ladboy233, medikko, mics, minhquanym, oyc_109, pfapostol, rbserver, reassor, ret2basic, robee, sach1r0, simon135, sryysryy, tabish, yac, yash90, zzzitron

Awards

45.8358 USDC - $45.84

Labels

bug

low quality report

QA (Quality Assurance)

edited-by-warden

External Links

Link to GitHub issue

FraxlendPairCore should inherit IFraxlendPair FraxlendPairCore contract does not import and inherit functions that it makes use of which are defined in IFraxlendPair contract
Missing zero address check FraxlendPairDeployer.constructor() has no zero address check for the following params - _circuitBreaker, _comptroller, _timelock , _fraxlendWhitelist

Fraxlend (Frax Finance) contest - cryptphi's results

Fraxlend: A permissionless lending platform and the final piece of the Frax Finance Defi Trinity.

General Information

Findings Distribution

Researcher Performance

External Links

[M-09] somefunctions in FraxlendPairCore and FraxlendPair contracts do not conform with EIP 4626 - $462.12

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Tools Used

Recommended Mitigation Steps

#0 - amirnader-ghazvini2022-08-29T18:43:42Z

[Q-31] QA Report - $45.84

Findings Information

Awards

Labels

External Links

#0 - amirnader-ghazvini
2022-08-29T18:43:42Z