Platform: Code4rena
Start Date: 16/12/2022
Pot Size: $60,500 USDC
Total HM: 12
Participants: 58
Period: 5 days
Judge: Trust
Total Solo HM: 4
Id: 196
League: ETH
Rank: 39/58
Findings: 1
Award: $43.54
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: yixxas
Also found by: 0x52, 0xAgro, 0xSmartContract, 0xhacksmithh, Aymen0909, Bnke0x0, Bobface, Breeje, Diana, Franfran, HE1M, HollaDieWaldfee, IllIllI, Jeiwan, RaymondFam, Rolezn, SaharDevep, Secureverse, SmartSek, ak1, bin2chen, brgltd, chrisdior4, gz627, imare, ladboy233, lukris02, oyc_109, rvierdiiev, shark, tnevler, unforgiven, wait
43.5439 USDC - $43.54
| Issue | Instances | |
|---|---|---|
| NC-1 | Do not use magic numbers or values, define a constant or enum | 6 |
Instances (6):
Using constants/immutables/enums helps code maintenance and reduces errors when upgrading and refactoring.
File: https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/UniswapOracleFundingRateController.sol 41: _setFundingPeriod(4 weeks); 123: if (_fundingPeriod < 7 days) revert FundingPeriodTooShort(); 124: if (_fundingPeriod > 90 days) revert FundingPeriodTooLong();
File: https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol 87: initSqrtRatio = UniswapHelpers.oneToOneSqrtRatio(underlyingONE, 10 ** 18); 89: initSqrtRatio = UniswapHelpers.oneToOneSqrtRatio(10 ** 18, underlyingONE); 92: address _pool = UniswapHelpers.deployAndInitPool(address(underlying), address(papr), 10000, initSqrtRatio);
| Issue | Instances | |
|---|---|---|
| L-1 | Missing checks when initializing immutables | 1 |
| L-2 | Function parameters shadow state variables or other function names |
Instances (1):
Affected code:
In Contract UniswapOracleFundingRateController, missing checks when initializing immutables targetMarkRatioMax and targetMarkRatioMin, which results in the possibility of the setting result:
targetMarkRatioMax < targetMarkRatioMin due to typos or some mistakes. While this may not lead to serious issues, it will confuse users since everybody can see the values as both immutables are defined as puclic.
It is suggested to add a check in contract construtor to avoid this issue: e.g.
error TargetMarkRatioMaxLtTargetMarkRatioMin(); //@audit custom error constructor(ERC20 _underlying, ERC20 _papr, uint256 _targetMarkRatioMax, uint256 _targetMarkRatioMin) { underlying = _underlying; papr = _papr; if(_targetMarkRatioMax < _targetMarkRatioMin) revert TargetMarkRatioMaxLtTargetMarkRatioMin(); //@audit add this check targetMarkRatioMax = _targetMarkRatioMax; targetMarkRatioMin = _targetMarkRatioMin; _setFundingPeriod(4 weeks); }
Ofcourse, a simple require() will do the trick as this is an one-off check:
require(_targetMarkRatioMax >= _targetMarkRatioMin, "targetMarkRatioMax < targetMarkRatioMin");
Total instances (3):
Link to code:
In Contract UniswapOracleFundingRateController, the parameter target of function _init(uint256 target, address _pool) shadows a function name target: function target() external view override returns (uint256).
It is recommended to rename the function parameter to other name, e.g. _target.
Link to code:
File: https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol 67 constructor( string memory name, string memory symbol, uint256 _maxLTV, uint256 indexMarkRatioMax, uint256 indexMarkRatioMin, 73: ERC20 underlying, 74: address oracleSigner )
In the above contract PaprController's constructor, some parameters (L73-L74) shadow inherited state variables: underlying and oracleSigner. It is recomended to rename these parameters to other names, e.g. _underlying and _oracleSigner
#0 - c4-judge
2022-12-25T17:07:56Z
trust1995 marked the issue as grade-c
#1 - c4-judge
2023-01-08T10:31:27Z
trust1995 marked the issue as grade-b
#2 - trust1995
2023-01-08T10:31:49Z
Up to B due to warden's additional downgraded HM submissions