Platform: Code4rena
Start Date: 21/11/2022
Pot Size: $90,500 USDC
Total HM: 18
Participants: 101
Period: 7 days
Judge: Picodes
Total Solo HM: 4
Id: 183
League: ETH
Rank: 65/101
Findings: 1
Award: $53.49
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0xAgro, 0xNazgul, 0xPanda, 0xbepresent, 0xfuje, Awesome, B2, Bnke0x0, Deivitto, Diana, Funen, Jeiwan, JohnSmith, Josiah, R2, RaymondFam, Rolezn, Sathish9098, Waze, adriro, aphak5010, brgltd, btk, carrotsmuggler, ch0bu, chaduke, codeislight, codexploder, cryptostellar5, csanuragjain, danyams, datapunk, delfin454000, deliriusz, eierina, erictee, fatherOfBlocks, gz627, gzeon, hansfriese, hihen, jadezti, joestakey, keccak123, martin, nameruse, oyc_109, pedr02b2, perseverancesuccess, rbserver, rotcivegaf, rvierdiiev, sakshamguruji, shark, simon135, subtle77, unforgiven, xiaoming90, yixxas
53.4851 USDC - $53.49
approve() and safeApprove() should be replaced with safeIncreaseAllowance() / safeDecreaseAllowance()approve() & safeApprove() are deprecated and subject to a known front-running attack. Consider using safeIncreaseAllowance() & safeDecreaseAllowance() instead.
src/PirexGmx.sol:L292 gmx.safeApprove(address(stakedGmx), type(uint256).max); src/PirexGmx.sol:L348 gmx.safeApprove(address(stakedGmx), 0); src/PirexGmx.sol:L353 gmx.safeApprove(contractAddress, type(uint256).max); src/PirexGmx.sol:L507 t.safeApprove(glpManager, tokenAmount); src/vaults/AutoPxGlp.sol:L87 gmxBaseReward.safeApprove(address(_platform), type(uint256).max); src/vaults/AutoPxGlp.sol:L347 stakedGlp.safeApprove(platform, amount); src/vaults/AutoPxGlp.sol:L391 erc20Token.safeApprove(platform, tokenAmount); src/vaults/AutoPxGmx.sol:L96 gmxBaseReward.safeApprove(address(SWAP_ROUTER), type(uint256).max); src/vaults/AutoPxGmx.sol:L97 gmx.safeApprove(_platform, type(uint256).max);
require() should be used instead of assert()Prior to solidity version 0.8.0, hitting an assert consumes the remainder of the transaction’s available gas rather than returning it, as require()/revert() do. assert() should be avoided even past solidity version 0.8.0 as its documentation states that “The assert function creates an error of type Panic(uint256). … Properly functioning code should never create a Panic, not even on invalid external input. If this happens, then there is a bug in your contract which you should fix”.
src/PirexGmx.sol:L225 assert(feeAmount + postFeeAmount == assets);
decimals() not part of ERC20 standard.decimals() is not part of the official ERC20 standard and might fall for tokens that do not implement it. While in practice it is very unlikely, as usually most of the tokens implement it, this should still be considered as a potential issue.
src/vaults/PirexERC4626.sol:L52 ) ERC20(_name, _symbol, _asset.decimals()) {
While floating pragmas make sense for libraries to allow them to be included with multiple different versions of applications, it may be a security risk for application implementations.
A known vulnerable compiler version may accidentally be selected or security tools might fall-back to an older compiler version ending up checking a different EVM compilation that is ultimately deployed on the blockchain.
It is recommended to pin to a concrete compiler version.
src/vaults/PirexERC4626.sol:L2 pragma solidity >=0.8.0;
_safemint() should be used rather than _mint() wherever possible_mint() is discouraged in favor of _safeMint() which ensures that the recipient is either an EOA or implements IERC721Receiver. Both OpenZeppelin and solmate have versions of this function
src/PxERC20.sol:L50 _mint(to, amount); src/vaults/PirexERC4626.sol:L73 _mint(receiver, shares); src/vaults/PirexERC4626.sol:L92 _mint(receiver, shares); src/vaults/AutoPxGlp.sol:L317 _mint(receiver, shares); src/vaults/AutoPxGmx.sol:L400 _mint(receiver, shares);
#0 - c4-judge
2022-12-05T09:23:20Z
Picodes marked the issue as grade-b