Platform: Code4rena
Start Date: 21/10/2021
Pot Size: $80,000 ETH
Total HM: 28
Participants: 15
Period: 7 days
Judge: ghoulsol
Total Solo HM: 19
Id: 42
League: ETH
Rank: 6/15
Findings: 6
Award: $6,788.49
🌟 Selected for report: 6
🚀 Solo Findings: 2
🌟 Selected for report: gzeon
0.9718 ETH - $4,045.16
gzeon
function claimRewardAsMochi in ReferralFeePoolV0.sol did not reduce user reward balance, allowing referrer to claim the same reward repeatedly and thus draining the fee pool.
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/feePool/ReferralFeePoolV0.sol L28-47 did not reduce user reward balance
None
Add the following lines
rewards -= reward[msg.sender]; reward[msg.sender] = 0;
gzeon
liquidationFactor(.40) < maxCollateralFactor(.45) for AssetClass.Sigma, which would lead to instant liquidation when user try to borrow max cf.
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/profile/MochiProfileV0.sol L123 and L166
None
Make sure maxCollateralFactor > liquidationFactor, either by governance or enforce it in the smart contract.
#0 - r2moon
2021-10-29T16:39:14Z
duplicated with https://github.com/code-423n4/2021-10-mochi-findings/issues/126
gzeon
ERC20 transfer in function settleLiquidation of DutchAuctionLiquidator.sol is unchecked, which may lead to liquidator unable to receive liquidated collateral since some ERC20 return false instead of revert when transfer fail.
None
use the checked cheapTransfer in CheapERC20 library
#0 - r2moon
2021-10-27T14:32:09Z
duplicated with https://github.com/code-423n4/2021-10-mochi-findings/issues/75
🌟 Selected for report: gzeon
0.2915 ETH - $1,213.55
gzeon
Borrow function in MochiVault will borrow to max cf when trying to borrow > cf instead of revert with ">cf" as specified in the supplied test. The difference in behavior may cause user to borrow at dangerous collateral level, and receive less than the amount requested.
None
Revert if details[_id].debt + _amount > maxMinted with ">cf"
🌟 Selected for report: loop
Also found by: WatchPug, defsec, gzeon, harleythedog
gzeon
The uint256 public liquidated in MochiVault.sol is never used.
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/vault/MochiVault.sol L37: uint256 public liquidated;
None
Remove the variable declaration
#0 - r2moon
2021-10-27T14:31:23Z
duplicated with https://github.com/code-423n4/2021-10-mochi-findings/issues/88
🌟 Selected for report: gzeon
Also found by: harleythedog
0.0345 ETH - $143.80
gzeon
Some of the require statements in MochiVault.sol can be placed earlier to reduce gas usage on revert
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/vault/MochiVault.sol L226-227: can be placed at the very top of the function to avoid the expensive cssr call L237: can be placed before initialization of increasingDebt
None
Relocate the said require statements
0.0207 ETH - $86.28
gzeon
Some of the variable can be cached to slightly reduce gas usage
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/vault/MochiVault.sol L158-178: details[_id].status can be cached L181-211: details[_id].collateral can be cached L213-250: details[_id].debt and details[_id].collateral can be cached L254-275: details[_id].debt can be cached
None
Consider caching those variable for read and make sure write back to storage
🌟 Selected for report: gzeon
0.0768 ETH - $319.56
gzeon
Detailed description of the impact of this finding.
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/interfaces/IMochiVault.sol L6-L12: the struct can be reordered into struct Detail { Status status; address referrer; uint256 collateral; uint256 debt; uint256 debtIndex; }
such that status and referrer are put into the same slot, should save ~2000 gas per borrow
None
Reorder the struct as suggested, and modify impacted code at IMochiVault.sol L28-L34 DutchAuctionLiquidator.sol L77
Realistically, the range of debtIndex (start at 1e18 and increase by fee per year) probably fit in a uint88(11bytes) so you can pack (status(1byte), referrer(20bytes), debtIndex(11bytes)) all in 32 bytes, saving another storage slot.
🌟 Selected for report: gzeon
0.0768 ETH - $319.56
gzeon
Auction struct in DutchAuctionLiquidator.sol can be optimized to reduce 2 storage slot
https://github.com/code-423n4/2021-10-mochi/blob/main/projects/mochi-core/contracts/liquidator/DutchAuctionLiquidator.sol L18-L25: the struct can changed into struct Auction { uint256 nftId; address vault; uint48 startedAt; uint48 boughtAt; uint256 collateral; uint256 debt; } startedAt and boughtAt store block numbers, and 2^48 is be enough for a very long time.
None
Change the struct as suggested above, also need to cast whenever startedAt and boughtAt is used.