Platform: Code4rena
Start Date: 30/11/2021
Pot Size: $30,000 USDC
Total HM: 0
Participants: 21
Period: 3 days
Judge: pauliax
Id: 63
League: ETH
Rank: 2/21
Findings: 2
Award: $6,557.61
Selected for report: 2
Solo Findings: 0
Selected for report: danb
3272.101 USDC - $3,272.10
danb
oracle.pcvStats returns newProtocolEquity as int256; it is then cast to uint256 in recalculate. If it is possible that newProtocolEquity will be negative, consider using SafeCast instead.
#0 - pauliax
2021-12-07T18:55:37Z
Valid finding, better utilize safe casts.
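The difference between the unchecked cast described in this finding and a checked one, as an added example that is not part of the report or the audited code. MockOracle, EquityConsumer and their function names are hypothetical; only newProtocolEquity is taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the audited contracts. MockOracle, EquityConsumer and
// their function names are hypothetical; only newProtocolEquity is from the report.
contract MockOracle {
    int256 public equity; // constructed test value, settable by anyone

    function setEquity(int256 value) external {
        equity = value;
    }
}

contract EquityConsumer {
    MockOracle public immutable oracle;
    uint256 public lastEquity;

    constructor(MockOracle oracle_) {
        oracle = oracle_;
    }

    // Unchecked pattern: explicit int256 -> uint256 conversions are not
    // range-checked even on 0.8.x, so -1 is stored as 2**256 - 1.
    function recalculateUnchecked() external {
        int256 newProtocolEquity = oracle.equity();
        lastEquity = uint256(newProtocolEquity);
    }

    // Checked pattern: the same condition OpenZeppelin's
    // SafeCast.toUint256(int256) enforces; a negative value reverts.
    function recalculateChecked() external {
        int256 newProtocolEquity = oracle.equity();
        require(newProtocolEquity >= 0, "negative equity");
        lastEquity = uint256(newProtocolEquity);
    }
}
```

With the mock's equity set to -1, recalculateUnchecked stores the maximum uint256 value while recalculateChecked reverts.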
13.4097 USDC - $13.41
danb
Change: token1.transferFrom(address(this), target, amount) to: token1.transfer(target, amount). It consumes less gas.
#0 - elee1766
2021-12-06T04:52:02Z
#104
#1 - pauliax
2021-12-10T16:01:26Z
A duplicate of #104
Selected for report: danb
3272.101 USDC - $3,272.10
danb
In the first call to requery, if the oracle returns newProtocolEquity = 0, it can never be changed and would lead to denial of service of the system.
In requery, init is checked to be false if newProtocolEquity = 0, and then set to true. So if it is already initialized and newProtocolEquity = 0, it wouldn't change anything.
manual review
#0 - elee1766
2021-12-06T03:45:20Z
Arguable reasoning but valid conclusion.
Oracle assumed to be functional for scope of audit. Will still fix though. Since oracle may be queried before votes, issue is not that great and one just needs to redeploy.
#1 - pauliax
2021-12-07T19:05:11Z
The severity is low, as this is unlikely to happen in practice and even if that happens, the mitigation is not that hard.