Fraxlend (Frax Finance) contest - dipp's results

Fraxlend: A permissionless lending platform and the final piece of the Frax Finance Defi Trinity.

General Information

Platform: Code4rena

Start Date: 12/08/2022

Pot Size: $50,000 USDC

Total HM: 15

Participants: 120

Period: 5 days

Judge: Justin Goro

Total Solo HM: 6

Id: 153

League: ETH

Frax Finance

Researcher Performance

Rank: 86/120

Findings: 1

Award: $45.83

🌟 Selected for report: 0

🚀 Solo Findings: 0

1. State variables should be checked when set

Line References

FraxlendPairCore.sol#L151-L237

Description

The liquidation fee for pair contracts should have a cap to prevent deployers from mistakenly setting a fee that is too high. Consider capping the liquidation fee in the constructor of the FraxlendPairCore.sol contract.

The oracleNormalization variable should be more than 0, since a value of 0 would cause the _updateExchangeRate function to revert, breaking core functionality of the contract.

maturityDate should be >= block.timestamp.

2. leveragePosition and repayAssetWithCollateral may not work correctly if asset's approve logic is not supported

Line References

FraxlendPairCore.sol#L1103

FraxlendPairCore.sol#L1184

Description

Some tokens, such as USDT, have non-standard implementations of the approve function. Before an approval is updated, it must first be set to 0.

Impact

The leveragePosition and repayAssetWithCollateral functions will not function until the approval to the _swapperAddress is set to 0. Since the functions may be called with a 0 value input, the approval to the _swapperAddress could be reset to 0 that way; however, some users might not be aware of this.

Consider setting the approval of the _swapperAddress to 0 before setting a new approval amount.
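
The reset-then-approve mitigation recommended above, as an added example that is not Fraxlend's code and not part of the original report. MockUsdtLikeToken, ApproveReset, SwapCaller and IERC20Approve are hypothetical names, and the mock is a constructed stand-in for a USDT-style approve.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added example; not Fraxlend code. Every name here is hypothetical.
interface IERC20Approve {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Constructed mock of a USDT-style token: approve() returns nothing and
// reverts when a non-zero allowance is changed to another non-zero value.
contract MockUsdtLikeToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external {
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset to 0 first");
        allowance[msg.sender][spender] = value;
    }
}

library ApproveReset {
    // Clear any leftover allowance, then set the new one.
    function resetAndApprove(address token, address spender, uint256 amount) internal {
        _approve(token, spender, 0);
        if (amount != 0) _approve(token, spender, amount);
    }

    function _approve(address token, address spender, uint256 amount) private {
        // A low-level call to an address without code succeeds, so check first.
        require(token.code.length != 0, "not a contract");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20Approve.approve.selector, spender, amount)
        );
        // Accept tokens that return nothing (USDT-style) or that return true.
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "approve failed");
    }
}

contract SwapCaller {
    // Direct approve: reverts on the mock while a previous allowance is non-zero.
    function naiveApprove(address token, address swapper, uint256 amount) external {
        MockUsdtLikeToken(token).approve(swapper, amount);
    }

    // Reset first: works on the mock whatever allowance is left over.
    function safeApprove(address token, address swapper, uint256 amount) external {
        ApproveReset.resetAndApprove(token, swapper, amount);
    }
}
```

Against the mock, two consecutive naiveApprove calls with non-zero amounts revert on the second call if the swapper spent nothing in between, while safeApprove succeeds both times.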

#0 - gititGoro

2022-10-06T22:00:58Z

both issues out of scope.
