Platform: Code4rena
Start Date: 07/04/2023
Pot Size: $47,000 USDC
Total HM: 20
Participants: 120
Period: 6 days
Judge: GalloDaSballo
Total Solo HM: 4
Id: 230
League: ETH
Rank: 58/120
Findings: 2
Award: $42.54
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: sashik_eth
Also found by: 0x4non, 0x6980, 0xAgro, Cryptor, Kaysoft, Kenshin, Madalad, SaeedAlipoor01988, Sathish9098, W0RR1O, adriro, ayden, btk, catellatech, codeslide, devscrooge, georgits, giovannidisiena, lukris02, matrix_0wl, sayan, tnevler, tsvetanovv
11.5407 USDC - $11.54
https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L230
https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L231
https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L323
https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L324
For all of the mentioned lines there is a downcast from uint256 to uint128. The maximum value for a uint128 is (2^128) - 1; this means that if the value being cast is greater than (2^128) - 1, it will be wrongly truncated.
Manual review
Use uint256 instead of trying to downcast to uint128.
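The truncation described above, as an added example that is not part of the Caviar code base: in Solidity 0.8 an explicit narrowing cast such as uint128(x) never reverts, it simply drops the high 128 bits, so a value of 2^128 is stored as 0. The contract below is hypothetical (the storage variable and function names are assumptions for illustration); it puts the unchecked cast next to a checked helper that reverts instead of silently corrupting state.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example, not Caviar's code. Shows the silent truncation of an
/// explicit uint256 -> uint128 cast and a checked alternative.
contract DowncastDemo {
    // Hypothetical 128-bit accounting slot (name is an assumption).
    uint128 public reserves;

    error ValueTooLarge(uint256 value, uint256 max);

    /// Unchecked: uint128(value) keeps only the low 128 bits.
    /// unsafeSet(type(uint128).max + 1) leaves `reserves` == 0.
    function unsafeSet(uint256 value) external {
        reserves = uint128(value);
    }

    /// Checked: refuse anything that does not fit in 128 bits.
    /// type(uint128).max is exactly (2^128) - 1.
    function toUint128(uint256 value) internal pure returns (uint128) {
        if (value > type(uint128).max) revert ValueTooLarge(value, type(uint128).max);
        return uint128(value);
    }

    /// safeSet(type(uint128).max + 1) reverts with ValueTooLarge.
    function safeSet(uint256 value) external {
        reserves = toUint128(value);
    }

    /// Pure helper so the truncation can be observed without touching storage:
    /// truncated(2**128) returns 0, truncated(2**128 + 5) returns 5.
    function truncated(uint256 value) external pure returns (uint128) {
        return uint128(value);
    }
}
```

If the 128-bit packing is kept for gas reasons, the checked helper (or OpenZeppelin's SafeCast.toUint128, which does the same bound check) is the minimal fix; widening the variables to uint256 as the finding recommends removes the cast entirely.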
#0 - c4-pre-sort
2023-04-20T18:04:47Z
0xSorryNotSorry marked the issue as duplicate of #625
#1 - c4-judge
2023-04-27T08:54:18Z
GalloDaSballo marked the issue as duplicate of #167
#2 - c4-judge
2023-05-02T07:56:36Z
GalloDaSballo marked the issue as partial-50
#3 - GalloDaSballo
2023-05-02T07:56:39Z
Insufficient description -> 50%
🌟 Selected for report: AkshaySrivastav
Also found by: 0x5rings, 0xbepresent, ABA, Bauchibred, BenRai, DadeKuma, ElKu, RaymondFam, Rolezn, adriro, btk, chaduke, devscrooge, dingo2077, minhtrng, nemveer, p0wd3r, rbserver, ulqiorra
30.9954 USDC - $31.00
Users can make deposits of ERC721 tokens, base tokens, and native ETH, but the protocol does not track how much each user has deposited.
In the future, if a functionality such as an airdrop requires knowledge of how much each user has deposited into the protocol, it will not be possible to implement it.
Manual review
Include one or more mappings to track the amount of ERC721 tokens, base tokens, or native ETH each user has deposited.
These functions are used to modify variables that play an important role in the protocol. Changing them directly, without alerting the users of the change, can lead to situations where users are unaware of the modification.
Manual review.
Implement a mechanism that ensures a time period between the submission of the variable change by the owner and the actual modification of these variables.
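One way to implement the recommended delay, as an added example that is not Caviar's code: the owner schedules a new value, an event announces it together with the timestamp at which it becomes effective, and only after the delay can the pending value be applied. The parameter name (feeRate), the delay length and the function names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example, not Caviar's code. Two-step, time-delayed change of an
/// owner-controlled parameter so users can see a change before it applies.
contract TimelockedParams {
    address public owner;
    uint256 public constant DELAY = 2 days; // assumed delay

    uint256 public feeRate;            // live value (hypothetical parameter)
    uint256 public pendingFeeRate;     // scheduled value
    uint256 public feeRateEffectiveAt; // 0 when nothing is pending

    event FeeRateScheduled(uint256 newRate, uint256 effectiveAt);
    event FeeRateCancelled(uint256 cancelledRate);
    event FeeRateApplied(uint256 newRate);

    error NotOwner();
    error NothingPending();
    error TooEarly(uint256 effectiveAt);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 initialFeeRate) {
        owner = msg.sender;
        feeRate = initialFeeRate;
    }

    /// Step 1 (owner): announce the change. Nothing changes yet.
    function scheduleFeeRate(uint256 newRate) external onlyOwner {
        pendingFeeRate = newRate;
        feeRateEffectiveAt = block.timestamp + DELAY;
        emit FeeRateScheduled(newRate, feeRateEffectiveAt);
    }

    /// Owner may withdraw a scheduled change before it takes effect.
    function cancelFeeRate() external onlyOwner {
        if (feeRateEffectiveAt == 0) revert NothingPending();
        emit FeeRateCancelled(pendingFeeRate);
        feeRateEffectiveAt = 0;
    }

    /// Step 2 (anyone): apply the change once the delay has elapsed.
    function applyFeeRate() external {
        if (feeRateEffectiveAt == 0) revert NothingPending();
        if (block.timestamp < feeRateEffectiveAt) revert TooEarly(feeRateEffectiveAt);
        feeRate = pendingFeeRate;
        feeRateEffectiveAt = 0;
        emit FeeRateApplied(feeRate);
    }
}
```

The apply step is deliberately permissionless: once the delay has passed the announced value is the only one that can take effect, so the owner cannot slip in a different value at the last moment, and users have the full delay window to react to the emitted event.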
All the functions inside PrivatePool are implemented to handle both native ETH and other ERC20 tokens as base tokens, but in EthRouter.sol it is said that the only base token which is supported is native ETH.
Manual review.
Consider commenting why other ERC20 tokens are accepted as base tokens, or change the implementation of PrivatePool.sol to only allow native ETH as the base token.
It is said "DO NOT call this function directly unless you know what you are doing. Instead, use a wrapper contract that", but these functions are called from the EthRouter.sol contract here and here without checking the slippage.
In the case of the sell function, the output amount is checked here, but as anyone can send ETH to the contract using the receive() function, the slippage check is not correctly done.
It can lead to a sell transaction with an unexpected amount of slippage for the user.
Manual review.
Check slippage.
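The weak check described above next to a corrected one, as an added example that is not Caviar's code: a router that compares its whole ETH balance against minOutputAmount cannot distinguish proceeds of the sale from ETH that arrived through receive() beforehand, so the comparison should be made on the balance delta of this call (or on the amount the pool returns). The IPool interface, the function names and the parameters are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical pool interface (assumption): sells NFTs and pays the
/// router in ETH, returning the net amount sent.
interface IPool {
    function sell(uint256[] calldata tokenIds) external returns (uint256 netOutputAmount);
}

/// Added example, not Caviar's code.
contract RouterSlippageDemo {
    error OutputAmountTooSmall(uint256 received, uint256 minimum);
    error EthTransferFailed();

    // Any address can push ETH here, which is what makes a whole-balance
    // check unreliable as a slippage measure.
    receive() external payable {}

    /// Weak: the balance includes ETH that was already sitting in the
    /// router, so the check can pass even when the sale itself paid less
    /// than minOutputAmount.
    function sellWeak(IPool pool, uint256[] calldata tokenIds, uint256 minOutputAmount) external {
        pool.sell(tokenIds);
        uint256 balance = address(this).balance;
        if (balance < minOutputAmount) revert OutputAmountTooSmall(balance, minOutputAmount);
        _payout(msg.sender, balance);
    }

    /// Corrected: measure only what this call received from the pool.
    function sellChecked(IPool pool, uint256[] calldata tokenIds, uint256 minOutputAmount) external {
        uint256 before = address(this).balance;
        pool.sell(tokenIds);
        uint256 received = address(this).balance - before;
        if (received < minOutputAmount) revert OutputAmountTooSmall(received, minOutputAmount);
        _payout(msg.sender, received);
    }

    /// Alternative: trust the pool's return value, which is independent of
    /// the router balance altogether.
    function sellByReturnValue(IPool pool, uint256[] calldata tokenIds, uint256 minOutputAmount) external {
        uint256 received = pool.sell(tokenIds);
        if (received < minOutputAmount) revert OutputAmountTooSmall(received, minOutputAmount);
        _payout(msg.sender, received);
    }

    function _payout(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert EthTransferFailed();
    }
}
```

Which of the two corrected variants fits depends on whether the pool's return value is the amount actually transferred; the balance-delta form holds regardless of how the pool reports it.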
According to EthRouter.sol the only supported base token is native ETH. If the implementation is changed to actually only support native ETH, then the baseToken != address(0) check is not necessary here.
Manual review
Change to if (msg.value == 0) revert InvalidEthAmount();
Users can deposit liquidity into a private pool, but there is no benefit for doing it. They will earn nothing from providing liquidity to the private pool.
As there is no benefit from depositing liquidity, users won't do it, so the pools will remain with a low liquidity balance.
Manual review
Implement a mechanism for the users that have added liquidity to gain some earnings, for example earning fees from trades on the pool.
#0 - c4-judge
2023-05-01T08:51:08Z
GalloDaSballo marked the issue as grade-c
#1 - c4-judge
2023-05-04T18:32:56Z
GalloDaSballo marked the issue as grade-b