Back to fatherOfBlocks's contests

Centrifuge - fatherOfBlocks's results

The institutional ecosystem for on-chain credit.

General Information

Platform: Code4rena

Start Date: 08/09/2023

Pot Size: $70,000 USDC

Total HM: 8

Participants: 84

Period: 6 days

Judge: gzeon

Total Solo HM: 2

Id: 285

League: ETH

Centrifuge

Findings Distribution

Researcher Performance

Rank: 65/84

Findings: 1

Award: $12.79

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryCentrifuge

Findings Information

🌟 Selected for report: castle_chain

Also found by: 0xAadi, 0xHelium, 0xLook, 0xblackskull, 0xfuje, 0xmystery, 0xnev, 0xpiken, 7ashraf, BARW, Bauchibred, Bughunter101, Ch_301, JP_Courses, Kaysoft, Krace, MohammedRizwan, SanketKogekar, Sathish9098, alexzoid, ast3ros, btk, catellatech, degensec, fatherOfBlocks, grearlake, imtybik, jkoppel, jolah1, klau5, lsaudit, m_Rassska, merlin, mrudenko, nobody2018, rokinot, rvierdiiev, sandy

Awards

12.7917 USDC - $12.79

Labels

bug
grade-b
QA (Quality Assurance)
sufficient quality report
Q-37

External Links

Link to GitHub issue

src/Escrow.sol

  • L7 - The ApproveLike interface is created, which is never used throughout the contract, therefore it would be best to eliminate it so as not to take up unnecessary space.

src/Root.sol

  • L35 - Escrow variable is immutable and the constructor does not validate that it is an address other than 0x. This should be validated so as not to enter incorrect states and render the contract unusable.

src/admins/PauseAdmin.sol

  • L22 - Root variable is immutable and the constructor does not validate that it is an address other than 0x. This should be validated so as not to enter incorrect states and render the contract unusable.

src/admins/DelayedAdmin.sol

  • L19 - Root variable is immutable and the constructor does not validate that it is an address other than 0x. This should be validated so as not to enter incorrect states and render the contract unusable.

src/token/Tranche.sol

  • L7 - The TrancheTokenLike interface is created, but it is never used on the contrary, therefore it should be eliminated.

src/token/RestrictionManager.sol

  • L6 - The MemberlistLike interface is created, but it is never used on the contrary, therefore it should be eliminated.

src/util/Factory.sol

  • L30/75 - Root variable is immutable and the constructor does not validate that it is an address other than 0x. This should be validated so as not to enter incorrect states and render the contract unusable.

  • L94 - abi.encodePacked() should not be used with dynamic types when passing the result to a hash function such as keccak256() Use abi.encode() instead which will pad items to 32 bytes, which will prevent hash collisions (e.g. abi.encodePacked(0x123,0x456) => 0x123456 => abi.encodePacked(0x1,0x23456), but abi.encode(0x123,0x456) => 0x0...1230...456). “Unless there is a compelling reason, abi.encode should be preferred”. If there is only one argument to abi.encodePacked() it can often be cast to bytes() or bytes32() instead. If all arguments are strings and or bytes, bytes.concat() should be used instead.

src/gateway/routers/axelar/Router.sol

  • L37 - Root variable is immutable and the constructor does not validate that it is an address other than 0x. This should be validated so as not to enter incorrect states and render the contract unusable.

src/LiquidityPool.sol

  • L86/87/88/89 - The variables: poolId, trancheId, asset, and share are immutable and the constructor does not validate that they are addresses other than 0x. This should be validated so as not to enter incorrect states and render the contract unusable.

src/InvestmentManager.sol

  • L89/90 - The variables: escrow and userEscrow are immutable and the constructor does not validate that they are addresses other than 0x. This should be validated so as not to enter incorrect states and render the contract unusable.

src/gateway/Gateway.sol

  • L99 - Root variable is immutable and the constructor does not validate that it is an address other than 0x. This should be validated so as not to enter incorrect states and render the contract unusable.

  • L285 - The handle function has 81 lines of code and many conditionals, this reduces the understanding of the code. It would be beneficial for the users' understanding of this contract to have auxiliary functions with names that represent them.

src/token/ERC20.sol

  • L225 - abi.encodePacked() should not be used with dynamic types when passing the result to a hash function such as keccak256() Use abi.encode() instead which will pad items to 32 bytes, which will prevent hash collisions (e.g. abi.encodePacked(0x123,0x456) => 0x123456 => abi.encodePacked(0x1,0x23456), but abi.encode(0x123,0x456) => 0x0...1230...456). “Unless there is a compelling reason, abi.encode should be preferred”. If there is only one argument to abi.encodePacked() it can often be cast to bytes() or bytes32() instead. If all arguments are strings and or bytes, bytes.concat() should be used instead.

src/PoolManager.sol

  • L105/106/107 - The variables: escrow, liquidityPoolFactory and trancheTokenFactory are immutable and the constructor does not validate that they are addresses other than 0x. This should be validated so as not to enter incorrect states and render the contract unusable.

#0 - c4-pre-sort

2023-09-17T00:50:42Z

raymondfam marked the issue as sufficient quality report

#1 - c4-judge

2023-09-26T17:54:59Z

gzeon-c4 marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter