Back to ellahi's contests

Phuture Finance contest - ellahi's results

Crypto index platform, that simplifies your investments through automated, themed index products.

General Information

Platform: Code4rena

Start Date: 19/04/2022

Pot Size: $30,000 USDC

Total HM: 10

Participants: 43

Period: 3 days

Judges: moose-code, JasoonS

Total Solo HM: 7

Id: 90

League: ETH

Phuture Finance

Findings Distribution

Researcher Performance

Rank: 22/43

Findings: 2

Award: $101.53

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPhuture Finance

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0v3rf10w, 0xDjango, 0xkatana, Dravee, Kenshin, Tadashi, TerrierLover, abhinavmir, defsec, ellahi, fatima_naz, foobar, gzeon, hyh, joestakey, kebabsec, kenta, minhquanym, oyc_109, rayn, robee, sseefried, xpriment626, z3s

Awards

62.9884 USDC - $62.99

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Low

1. Unsafe ERC20 Operations

Proof of Concept
  phuture/IndexLogic.sol::139 => vToken.transfer(address(vToken), accountBalance);
  phuture/vToken.sol::210 => _NAV.transfer(_from, _to, _amount);
Recommendation

Use openzeppelin's safeTransfer() function.

Tools used

c4udit.

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0v3rf10w, 0xDjango, 0xNazgul, 0xkatana, Dravee, Kenshin, MaratCerby, Tadashi, TerrierLover, Tomio, TrungOre, defsec, ellahi, fatherOfBlocks, fatima_naz, gzeon, joestakey, kenta, minhquanym, oyc_109, rayn, rfa, robee, simon135, slywaters, windhustler, z3s

Awards

38.5445 USDC - $38.54

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

1. Don't Initialize Variables with Default Value

Proof of Concept
  phuture/UniswapV2PathPriceOracle.sol::34 => for (uint i = 0; i < path.length - 1; i++) {
  phuture/UniswapV2PathPriceOracle.sol::49 => for (uint i = 0; i < path.length - 1; i++) {

2. Cache Array Length Outside of Loop

Proof of Concept
  phuture/BaseIndex.sol::78 => for (uint i; i < _assets.length; ++i) {
  phuture/IndexLogic.sol::39 => for (uint i; i < assets.length(); ++i) {
  phuture/IndexLogic.sol::60 => for (uint i; i < inactiveAssets.length(); ++i) {
  phuture/IndexLogic.sol::102 => for (uint i; i < length; ++i) {
  phuture/IndexLogic.sol::125 => for (uint i; i < length + inactiveAssets.length(); ++i) {
  phuture/ManagedIndex.sol::30 => for (uint i; i < _assets.length; ++i) {
  phuture/ManagedIndexReweightingLogic.sol::38 => for (uint i; i < assets.length(); ++i) {
  phuture/ManagedIndexReweightingLogic.sol::50 => for (uint i; i < _updatedAssets.length; ++i) {
  phuture/ManagedIndexReweightingLogic.sol::96 => for (uint i; i < _inactiveAssets.length; ++i) {
  phuture/TopNMarketCapIndex.sol::48 => for (uint i; i < _assets.length; ++i) {
  phuture/TopNMarketCapReweightingLogic.sol::37 => for (uint i; i < assets.length(); ++i) {
  phuture/TopNMarketCapReweightingLogic.sol::104 => for (uint i; i < _inactiveAssets.length; ++i) {
  phuture/TrackedIndex.sol::35 => for (uint i; i < _assets.length; ++i) {
  phuture/TrackedIndexReweightingLogic.sol::37 => for (uint i; i < assets.length(); ++i) {
  phuture/TrackedIndexReweightingLogic.sol::66 => for (uint i; i < assets.length(); ++i) {
  phuture/UniswapV2PathPriceOracle.sol::34 => for (uint i = 0; i < path.length - 1; i++) {
  phuture/UniswapV2PathPriceOracle.sol::49 => for (uint i = 0; i < path.length - 1; i++) {

3. Use != 0 instead of > 0 for Unsigned Integer Comparison

Proof of Concept
  phuture/ChainlinkPriceOracle.sol::86 => require(basePrice > 0 && quotePrice > 0, "ChainlinkPriceOracle: NEGATIVE");
  phuture/IndexLogic.sol::76 => require(lastAssetBalanceInBase > 0, "Index: INSUFFICIENT_AMOUNT");
  phuture/IndexLogic.sol::86 => if (fee > 0) {
  phuture/IndexLogic.sol::98 => require(value > 0, "Index: INSUFFICIENT_AMOUNT");
  phuture/IndexLogic.sol::114 => if (fee > 0) {
  phuture/IndexLogic.sol::141 => if (lastOrderId > 0) {
  phuture/ManagedIndexReweightingLogic.sol::56 => if (i > 0) {
  phuture/ManagedIndexReweightingLogic.sol::61 => if (newWeight > 0) {
  phuture/ManagedIndexReweightingLogic.sol::98 => if (shares > 0) {
  phuture/PhutureIndex.sol::56 => if (timePassed > 0) {
  phuture/PhutureIndex.sol::64 => if (fee > 0) {
  phuture/TopNMarketCapIndex.sol::56 => if (weight > 0) {
  phuture/TopNMarketCapReweightingLogic.sol::58 => if (shares > 0) {
  phuture/TopNMarketCapReweightingLogic.sol::79 => if (weight > 0) {
  phuture/TopNMarketCapReweightingLogic.sol::106 => if (shares > 0) {
  phuture/vToken.sol::160 => if (_totalSupply > 0) {

4. Long Revert Strings

Proof of Concept
  phuture/TopNMarketCapIndex.sol::74 => revert("TopNMarketCapIndex: REWEIGH_FAILED");
  phuture/TopNMarketCapReweightingLogic.sol::67 => require(IAccessControl(registry).hasRole(ASSET_ROLE, asset), "TopNMarketCapIndex: INVALID_ASSET");
  phuture/UniswapV2PathPriceOracle.sol::25 => require(_oracles.length == _path.length - 1, "UniswapV2PathPriceOracle: ORACLES");
Recommendation

Shorten Revert Strings to be <= 32 bytes, or use custom errors.

Tools used

c4udit.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter