Inverse Finance contest - cylzxje's results

Rethink the way you borrow.

General Information

Platform: Code4rena

Start Date: 25/10/2022

Pot Size: $50,000 USDC

Total HM: 18

Participants: 127

Period: 5 days

Judge: 0xean

Total Solo HM: 9

Id: 175

League: ETH

Inverse Finance

Findings Distribution

Researcher Performance

Rank: 80/127

Findings: 1

Award: $36.73

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Low risk:
[L-01] Missing address(0) checks for these inputs
[L-02] liquidationFeeBps is not initialized
[L-03] Important function like setGov() should be a 2 step procedure + Timelock
Non-critical:
[N-01] Internal functions should have _ prefix
[N-02] Use UPPERCASE for constant variable

Low risk:

[L-01] Missing address(0) checks for these inputs

In constructor:

src/Market.sol
address _gov,
address _lender,
address _pauseGuardian,
address _escrowImplementation,

src/DBR.sol
address _operator

src/Fed.sol
address _operator

src/Oracle.so
address _operator

src/BorrowController.sol
address _operator

Recommend adding address(0) checks

[L-02] liquidationFeeBps is not initialized

This storage variable is not initialized in the constructor. This causes liquidate() to revert if it isn't set due to operation errors, ...

https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L383

Recommend initializing liquidationFeeBps in the constructor

[L-03] Important function like setGov() should be a 2 step procedure + Timelock

Any operation error that sets gov wrong will damage the protocol.

https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L130

Recommend adding a 2-step procedure: register gov as pending, then a transaction from gov to confirm the pending gov as gov. Perhaps combining this with some kind of Timelock will make it more robust.

Non-critical:

[N-01] Internal functions should have _ prefix

Styling information

Recommend adding _ prefix to all internal functions

[N-02] Use UPPERCASE for constant variable

https://github.com/code-423n4/2022-10-inverse/blob/main/src/DBR.sol#L13

Recommend changing to UPPERCASE:

uint8 public constant DECIMALS = 18;

#0 - c4-judge

2022-11-08T00:42:35Z

0xean marked the issue as grade-b
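
The two-step handover with a delay recommended in [L-03], combined with the constructor check from [L-01], shown in Solidity as an added example that is not part of the original report or the Inverse Finance code base. The contract name, `pendingGov`, `govEta`, `GOV_DELAY`, `proposeGov` and `acceptGov` are hypothetical, and it assumes the confirming transaction is sent by the pending address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Illustrative contract, not taken from the Inverse Finance code base.
// pendingGov, govEta, GOV_DELAY, proposeGov and acceptGov are hypothetical names.
contract TwoStepGov {
    uint256 public constant GOV_DELAY = 2 days; // assumed timelock length

    address public gov;
    address public pendingGov;
    uint256 public govEta; // earliest timestamp at which pendingGov may accept

    event GovProposed(address indexed currentGov, address indexed proposedGov, uint256 eta);
    event GovChanged(address indexed previousGov, address indexed newGov);

    modifier onlyGov() {
        require(msg.sender == gov, "ONLY GOV");
        _;
    }

    constructor(address _gov) {
        // L-01: reject the zero address at deployment.
        require(_gov != address(0), "ZERO GOV");
        gov = _gov;
    }

    // Step 1: the current gov registers a candidate and starts the timelock.
    // Calling again overwrites the candidate and restarts the delay;
    // proposing address(0) cancels a pending transfer.
    function proposeGov(address _pendingGov) external onlyGov {
        pendingGov = _pendingGov;
        govEta = block.timestamp + GOV_DELAY;
        emit GovProposed(gov, _pendingGov, govEta);
    }

    // Step 2: the candidate shows it controls its key by accepting,
    // and only once the delay has passed. A mistyped candidate address
    // can never complete this step, so gov stays unchanged.
    function acceptGov() external {
        require(msg.sender == pendingGov, "ONLY PENDING GOV");
        require(block.timestamp >= govEta, "TIMELOCK ACTIVE");
        emit GovChanged(gov, pendingGov);
        gov = pendingGov;
        pendingGov = address(0);
        govEta = 0;
    }
}
```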
