Sublime contest - hake's results

Democratizing credit via Web3.

General Information

Platform: Code4rena

Start Date: 29/03/2022

Pot Size: $30,000 USDC

Total HM: 6

Participants: 24

Period: 3 days

Judge: HardlyDifficult

Total Solo HM: 4

Id: 101

League: ETH


Researcher Performance

Rank: 16/24

Findings: 2

Award: $118.43

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

82.2218 USDC - $82.22

Labels

bug
QA (Quality Assurance)

LOW

Low#1: Functions lacking zero address checks in PoolCreditLine.sol and LenderPool.sol

PoolCreditLine.constructor
LenderPool.constructor
LenderPool.create

Recommend implementing zero address checks on the address parameters of these functions.

Low#2: PooledCreditLine.getPrincipal should be declared external

PooledCreditLine.getPrincipal

Low#3: Start fee in LenderPool.start might not be received

IERC20(_borrowAsset).transfer(_to, _fee);

The transfer call doesn't check the boolean return value, so a token that signals failure by returning false (rather than reverting) would leave _fee undelivered while LenderPool.start proceeds as if the fee had been received.

LenderPool.start

Recommend checking the boolean return value of the transfer and reverting when it is false.
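The following is an added illustration of Low#1 and Low#3 together; it is not code from the Sublime repository or from the original submission. FeeForwardingPool, feeRecipient and the error strings are invented for the example, and the IERC20 interface is trimmed to the one function used. The constructor shows the zero address checks requested in Low#1; the three fee-forwarding functions show the unchecked transfer from Low#3 beside two checked forms.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.7.6;

// Minimal ERC20 surface needed for the example (assumption: the real pool uses a fuller interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical pool sketch, not Sublime's LenderPool.
contract FeeForwardingPool {
    address public immutable borrowAsset;
    address public immutable feeRecipient;

    // Low#1: reject the zero address at construction time so a misconfigured
    // deployment fails immediately instead of locking fees in address(0) later.
    constructor(address _borrowAsset, address _feeRecipient) {
        require(_borrowAsset != address(0), 'CON1');
        require(_feeRecipient != address(0), 'CON2');
        borrowAsset = _borrowAsset;
        feeRecipient = _feeRecipient;
    }

    // Low#3, the pattern flagged in the finding: the bool returned by transfer is
    // ignored, so a token that returns false on failure leaves the pool believing
    // the fee was paid.
    function forwardFeeUnchecked(uint256 _fee) external {
        IERC20(borrowAsset).transfer(feeRecipient, _fee);
    }

    // Low#3, simplest fix: revert unless the token reports success. Sufficient for
    // tokens that follow the ERC20 spec and return a bool.
    function forwardFeeChecked(uint256 _fee) external {
        bool ok = IERC20(borrowAsset).transfer(feeRecipient, _fee);
        require(ok, 'FEE1');
    }

    // Low#3, tolerant variant for tokens that return no data at all: require the
    // call to succeed and, when return data is present, require it to decode to
    // true. This is the same shape of check SafeERC20's safeTransfer performs.
    function forwardFeeSafe(uint256 _fee) external {
        IERC20 token = IERC20(borrowAsset);
        (bool success, bytes memory data) = address(token).call(
            abi.encodeWithSelector(token.transfer.selector, feeRecipient, _fee)
        );
        require(success && (data.length == 0 || abi.decode(data, (bool))), 'FEE2');
    }
}
```

forwardFeeChecked is the minimal change that addresses the finding; forwardFeeSafe is the form to prefer when the borrow asset is not controlled by the protocol, since it also handles tokens that return nothing from transfer.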

NON-CRITICAL

Non-crit#1: Outdated compiler version

pragma solidity 0.7.6;

It's a best practice to use the latest compiler version.

Older compilers might be susceptible to known bugs. Recommend changing the solidity version pragma to the latest version to enforce the use of an up-to-date compiler.

List of known compiler bugs and their severity can be found here: https://etherscan.io/solcbuginfo

Non-crit#2: uint gas efficiency

uint256 is more gas-efficient than uint128, since the EVM operates on 256-bit words and narrower types require extra masking operations.

PooledCreditLine.sol

Non-crit#3: _updateProtocolFeeFraction added layer of security

_updateProtocolFeeFraction

Recommend setting a limit to protocolFeeFraction as an extra layer of security in case onlyOwner gets compromised.

Example:

function _updateProtocolFeeFraction(uint256 _protocolFeeFraction) internal {
    // existing bound: the fraction cannot exceed 100%
    require(_protocolFeeFraction <= SCALING_FACTOR, 'IUPFF1');
    // proposed extra bound: a protocol-chosen cap below SCALING_FACTOR,
    // so a compromised owner cannot set an abusive fee (ARBITRARY_NUMBER is a placeholder)
    require(_protocolFeeFraction < ARBITRARY_NUMBER, 'IUPFF2');
    protocolFeeFraction = _protocolFeeFraction;
    emit ProtocolFeeFractionUpdated(_protocolFeeFraction);
}

#0 - ritik99

2022-04-12T21:50:47Z

All suggestions except switching to v0.8 are valid, see #67

Findings Information

Awards

36.2135 USDC - $36.21

Labels

bug
G (Gas Optimization)
sponsor disputed

Gas : Global var updates code structure is unnecessarily big

updateGlobalVar

Instead of:

function updatePriceOracle(address _priceOracle) external onlyOwner {
    require(priceOracle != _priceOracle, 'UPO1');
    _updatePriceOracle(_priceOracle);
}

function _updatePriceOracle(address _priceOracle) internal {
    require(_priceOracle != address(0), 'IUPO1');
    priceOracle = _priceOracle;
    emit PriceOracleUpdated(_priceOracle);
}

It could be:

function updatePriceOracle(address _priceOracle) external onlyOwner {
    require(priceOracle != _priceOracle, 'UPO1');
    require(_priceOracle != address(0), 'UPO2');
    priceOracle = _priceOracle;
    emit PriceOracleUpdated(_priceOracle);
}

It was not specified how the contract size was fixed in the next release, so this might or might not apply.

#0 - ritik99

2022-04-12T19:01:38Z

_updatePriceOracle is called during initialization as well, during which we do not need to perform the extra check that updatePriceOracle performs.
