Platform: Code4rena
Start Date: 19/04/2022
Pot Size: $30,000 USDC
Total HM: 10
Participants: 43
Period: 3 days
Judges: moose-code, JasoonS
Total Solo HM: 7
Id: 90
League: ETH
Rank: 28/43
Findings: 1
Award: $80.32
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0xDjango, 0xkatana, Dravee, Kenshin, Tadashi, TerrierLover, abhinavmir, defsec, ellahi, fatima_naz, foobar, gzeon, hyh, joestakey, kebabsec, kenta, minhquanym, oyc_109, rayn, robee, sseefried, xpriment626, z3s
80.3226 USDC - $80.32
ChainlinkPriceOracle.addAsset() does not have an access modifier, so anyone could add a malicious asset: https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/ChainlinkPriceOracle.sol#L60
IndexLogic.mint() contains an assert, which will use all the remaining gas. Should change this to a require statement to prevent excessive gas usage: https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/IndexLogic.sol#L72
FeePool.AUMScaledPerSecondsRateOf() should ensure that it's compatible with the Ethereum PoS upgrade, which will change block times from hovering around 13 seconds to a clean 12 seconds per: https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/IndexLogic.sol#L72
vToken constructor is a no-op, so can be omitted altogether. Placing the initializer modifier on it might accidentally brick contracts if it's deployed improperly: https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/vToken.sol#L51
IndexLogic.mint() could be frontrun, as the token transfers do not happen atomically within the method. Care should be taken to do the token transfers in the same atomic transaction as minting does, preferably with approvals and direct transfers here: https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/IndexLogic.sol#L48
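
The atomic-transfer point in the last finding, as an added Solidity sketch (not code from the Phuture repository or from the report's author). `MintSketch`, its single `asset`, the 1:1 share accounting and both function names are hypothetical, chosen only to contrast crediting a pre-existing balance with pulling the deposit inside `mint` itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Hypothetical illustration; this is not Phuture's IndexLogic.
// Assumes a standard ERC-20 whose transferFrom returns a bool.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract MintSketch {
    IERC20 public immutable asset;             // single underlying asset (assumption)
    uint256 public lastBalance;                // balance already accounted for
    mapping(address => uint256) public shares; // 1:1 shares, for simplicity

    constructor(IERC20 _asset) {
        asset = _asset;
    }

    // Non-atomic pattern: the deposit arrives in an earlier, separate
    // transaction, and mint credits whatever surplus it finds to the
    // recipient named by the caller. Nothing ties the surplus to the depositor.
    function mintFromBalance(address recipient) external {
        uint256 received = asset.balanceOf(address(this)) - lastBalance;
        require(received > 0, "nothing deposited");
        lastBalance += received;
        shares[recipient] += received;
    }

    // Atomic pattern: the caller approves this contract beforehand, and the
    // transfer happens inside mint, so deposit and credit succeed or revert
    // together and only the caller's own tokens are counted.
    function mint(address recipient, uint256 amount) external {
        require(amount > 0, "zero amount");
        uint256 balanceBefore = asset.balanceOf(address(this));
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // Credit what actually arrived, which also covers fee-on-transfer tokens.
        uint256 received = asset.balanceOf(address(this)) - balanceBefore;
        lastBalance += received;
        shares[recipient] += received;
    }
}
```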