Platform: Code4rena
Start Date: 03/11/2022
Pot Size: $115,500 USDC
Total HM: 17
Participants: 120
Period: 7 days
Judge: LSDan
Total Solo HM: 1
Id: 174
League: ETH
Rank: 73/120
Findings: 1
Award: $61.35
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0xNazgul, 0xRoxas, 0xSmartContract, Awesome, Aymen0909, B2, BClabs, Bnke0x0, Deekshith99, Deivitto, Diana, Dinesh11G, Funen, HE1M, HardlyCodeMan, Josiah, Nyx, Rahoz, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Saintcode_, TomJ, Trust, __141345__, a12jmx, adriro, ajtra, aphak5010, apostle0x01, brgltd, btk, bulej93, c3phas, carlitox477, catwhiskeys, ch0bu, chaduke, chrisdior4, cryptonue, cryptostellar5, csanuragjain, ctf_sec, delfin454000, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, i_got_hacked, immeas, joestakey, jumpdest7d, lukris02, martin, mcwildy, merlin, minhquanym, oyc_109, pashov, peanuts, pedr02b2, rbserver, rotcivegaf, rvierdiiev, sakman, saneryee, seyni, shark, slowmoses, tnevler, trustindistrust, w0Lfrum, yurahod, zaskoh
61.3462 USDC - $61.35
Contract: SpigotedLineLib.sol#L131
Function: trade
Issue:
POC:
trade function was called with amount as X+A and zeroExTradeData has swap amount as X
This causes contract to send amount X+A to 0x contract. Since zeroExTradeData only mention swap of X amount so only X amount is swapped and returned to our contract. Remaining amount A is locked in 0x contract
Recommendation: Update the documentation to make user aware about such risks
Contract: ModuleFactory.sol#L28
Function: deployEscrow
Issue: As per IModuleFactory.sol#L12 the third param in DeployedEscrow should be oracle and not borrower
Recommendation: Kindly revise the deployEscrow function as shown below:
emit DeployedEscrow(module, minCRatio, oracle, owner);
#0 - c4-judge
2022-12-06T20:52:38Z
dmvt marked the issue as grade-b