Platform: Code4rena
Start Date: 21/11/2022
Pot Size: $90,500 USDC
Total HM: 18
Participants: 101
Period: 7 days
Judge: Picodes
Total Solo HM: 4
Id: 183
League: ETH
Rank: 69/101
Findings: 1
Award: $53.49
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0xAgro, 0xNazgul, 0xPanda, 0xbepresent, 0xfuje, Awesome, B2, Bnke0x0, Deivitto, Diana, Funen, Jeiwan, JohnSmith, Josiah, R2, RaymondFam, Rolezn, Sathish9098, Waze, adriro, aphak5010, brgltd, btk, carrotsmuggler, ch0bu, chaduke, codeislight, codexploder, cryptostellar5, csanuragjain, danyams, datapunk, delfin454000, deliriusz, eierina, erictee, fatherOfBlocks, gz627, gzeon, hansfriese, hihen, jadezti, joestakey, keccak123, martin, nameruse, oyc_109, pedr02b2, perseverancesuccess, rbserver, rotcivegaf, rvierdiiev, sakshamguruji, shark, simon135, subtle77, unforgiven, xiaoming90, yixxas
53.4851 USDC - $53.49
require rather than assertOn failure, the assert function causes a Panic error and, unlike require, does not generate an error string. According to Solidity v0.8.17, "properly functioning code should never create a Panic."
assert(feeAmount + postFeeAmount == assets);
return variable not used when a function returnsThe named return variable wethAmountIn is never used
function compound( uint256 minUsdgAmount, uint256 minGlpAmount, bool optOutIncentive ) external returns ( uint256 wethAmountIn, uint256 pxGmxAmountOut, uint256 pxGlpAmountOut, uint256 totalPxGlpFee, uint256 totalPxGmxFee, uint256 pxGlpIncentive, uint256 pxGmxIncentive );
Comments that refer to open items should be addressed and modified or removed.
// This may not be necessary and is more of a hedge against a discrepancy between // the actual rewards and the calculated amounts. Needs further consideration
import {PirexERC4626} from "src/vaults/PirexERC4626.sol"; import {PxGmxReward} from "src/vaults/PxGmxReward.sol"; import {SafeTransferLib} from "solmate/utils/SafeTransferLib.sol"; import {ReentrancyGuard} from "solmate/utils/ReentrancyGuard.sol"; import {SafeTransferLib} from "solmate/utils/SafeTransferLib.sol"; import {FixedPointMathLib} from "solmate/utils/FixedPointMathLib.sol"; import {ERC20} from "solmate/tokens/ERC20.sol"; import {PirexGmx} from "src/PirexGmx.sol"; import {PirexRewards} from "src/PirexRewards.sol";
Recommendation: Remove duplicate import SafeTransferLib.sol
indexed fieldsEach event should use three indexed fields if there are three or more fields
event DistributeFees( ERC20 indexed token, uint256 distribution, uint256 treasuryDistribution, uint256 contributorsDistribution );
Similarly, three indexed fields are required for the following events:
@param statement for constructorMost of the constructors in Redacted Cartel include @param statements, where appropriate. For consistency, all constructors should incorporate them. The constructor below is missing @params:
constructor( ERC20 _asset, string memory _name, string memory _symbol ) ERC20(_name, _symbol, _asset.decimals()) { asset = _asset; }
Missing: @param _asset, @param _name and @param _symbol
@return is missing for some functionsA couple of functions have complete NatSpec, with the exception of missing @return statements:
/** @notice Override transfer method to allow for pre-transfer internal hook @param to address Account receiving apxGLP @param amount uint256 Amount of apxGLP */ function transfer(address to, uint256 amount) public override returns (bool)
/** @notice Override transferFrom method to allow for pre-transfer internal hook @param from address Account sending apxGLP @param to address Account receiving apxGLP @param amount uint256 Amount of apxGLP */ function transferFrom( address from, address to, uint256 amount ) public override returns (bool) {
functionsNatSpec is completely missing for some public or external functions. Note that NatSpec is required for public or external functions but not for private or internal ones.
function withdraw( uint256 assets, address receiver, address owner ) public override returns (uint256 shares) {
NatSpec statements are similarly wholly or mostly missing (a couple include @notice statements) for the following public or external functions:
Terms incorporating "black," "white," "slave" or "master" are potentially problematic. Substituting more neutral terminology is becoming common practice.
if (!gmxVault.whitelistedTokens(token)) revert InvalidToken(token);
Suggestion: Change whitelistedTokens to allowlistedTokens
Similarly, change whitelist to allowlist in the following instances of whitelist and its variants:
#0 - c4-judge
2022-12-04T20:41:07Z
Picodes marked the issue as grade-b