Platform: Code4rena
Start Date: 14/06/2022
Pot Size: $100,000 USDC
Total HM: 26
Participants: 59
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 9
Id: 133
League: ETH
Rank: 8/59
Findings: 6
Award: $3,884.36
π Selected for report: 1
π Solo Findings: 0
π Selected for report: p4st13r4
Also found by: Ruhum, TerrierLover, WatchPug, hansfriese, zzzitron
320.9326 USDC - $320.93
1987.1989 CANTO - $320.93
WETH.totalSupply() returns wrong result. I can't find other contracts that use this function but WETH.sol is a base contract and it should be fixed properly.
WETH._balanceOf just returns a balance of a specific address and totalSupply must be the same as the total balance that was deposited to this contract.
Solidity Visual Developer of VSCode
L47 should be changed like below.
return address(this).balance;
#0 - ecmendenhall
2022-06-21T22:27:03Z
#1 - nivasan1
2022-06-23T21:08:17Z
duplicate of #191
π Selected for report: hansfriese
Also found by: 0xf15ers
1467.456 USDC - $1,467.46
9086.4148 CANTO - $1,467.46
WETH.allowance() returns wrong result. I can't find other contracts that use this function but WETH.sol is a base contract and it should be fixed properly.
In this function, the "return" keyword is missing and it will always output 0 in this case.
Solidity Visual Developer of VSCode
L104 should be changed like below.
return _allowance[owner][spender];
#0 - GalloDaSballo
2022-08-12T00:58:13Z
The warden has found a minor developer oversight, which will cause the view function allowance to always return 0.
Breaking of a core contract such as WETH is a non-starter.
Because I've already raised severity of #191 for similar reasons, I think High Severity is appropriate in this case
π Selected for report: joestakey
Also found by: 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xf15ers, 0xmint, Bronicle, Dravee, Funen, JMukesh, Limbooo, MadWookie, Picodes, Ruhum, TerrierLover, TomJ, Tutturu, WatchPug, Waze, _Adam, asutorufos, c3phas, catchup, cccz, codexploder, cryptphi, csanuragjain, defsec, fatherOfBlocks, gzeon, hake, hansfriese, hyh, ignacio, k, nxrblsrpr, oyc_109, robee, sach1r0, saian, simon135, technicallyty, zzzitron
83.1217 USDC - $83.12
687.9945 CANTO - $111.11
I've found some comments are wrong and I recommend to change comments properly when reuse standard codes from example contracts.
AccountantDelegator.supplyMarket() shows wrong @notice. 2022-06-newblockchain\lending-market\contracts\Accountant\AccountantDelegator.sol#L51
AccountantDelegator.redeemMarket() shows wrong @notice and @param. 2022-06-newblockchain\lending-market\contracts\Accountant\AccountantDelegator.sol#L60-L61
overflow won't be happened here. In the example contract overflow was possible because last timestamp was modularized but in our case it uses raw timestamp. 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L156
There is no _mintFee() function in this contract. (Example contract contains it.) 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L246 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L269
require()/revert() statements should have descriptive reason strings 2022-06-newblockchain\lending-market\contracts\CNote.sol#L229 2022-06-newblockchain\lending-market\contracts\WETH.sol#L69 2022-06-newblockchain\lending-market\contracts\WETH.sol#L72 2022-06-newblockchain\lending-market\contracts\Governance\GovernorBravoDelegate.sol#L53 2022-06-newblockchain\lending-market\contracts\Treasury\TreasuryDelegate.sol#L16-L17 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L125 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L285 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L465 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L498 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L503 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L508 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L210-L211 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L456 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L459
Event should use indexed fields if there are three or more fields 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L31
Typo 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L463 faialure => failure
Needless import 2022-06-newblockchain\lending-market\contracts\NoteInterest.sol#L5
Immutable addresses should be 0-checked 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L76 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L78
Open TODO 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1232 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1271
A local variable has the same name as a public one. 2022-06-newblockchain\lending-market\contracts\NoteInterest.sol#L73-L74
#0 - GalloDaSballo
2022-08-02T20:39:52Z
NC
NC
Agree indexing the token would be beneficial - NC
NC
SafeMath is used
L
NC
L
2L 4NC
π Selected for report: _Adam
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 0xmint, Chom, Dravee, Fitraldys, Funen, JC, Limbooo, MadWookie, Picodes, Ruhum, TerrierLover, TomJ, Tomio, Waze, ak1, c3phas, catchup, defsec, fatherOfBlocks, gzeon, hake, hansfriese, joestakey, k, oyc_109, rfa, robee, sach1r0, saian, simon135, ynnad
49.2491 USDC - $49.25
396.9199 CANTO - $64.10
Use ++i instead of i++, i+=1, also unchecked increments in for-loops will save gas cost 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L126 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L206 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L735 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L959 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1005 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1106 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1347 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1347 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1353 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1364 2022-06-newblockchain\lending-market\contracts\Governance\GovernorBravoDelegate.sol#L68 2022-06-newblockchain\lending-market\contracts\Governance\GovernorBravoDelegate.sol#L90 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L207 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L232 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L136 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L362
Non-strict inequalities are cheaper than strict ones 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L775 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L522 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L87
No need to initialize variables with default values 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L207 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L223-L224 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L136 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L158 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L362 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L126 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L206 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L735 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L959 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1005 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1106 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1347 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1347 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1353 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1364 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1413 2022-06-newblockchain\lending-market\contracts\Governance\GovernorBravoDelegate.sol#L68 2022-06-newblockchain\lending-market\contracts\Governance\GovernorBravoDelegate.sol#L90
Change storage to memory if possible 2022-06-newblockchain\lending-market\contracts\Governance\GovernorBravoDelegate.sol#L105 2022-06-newblockchain\lending-market\contracts\Governance\GovernorBravoDelegate.sol#L116
Reduce the size of error message(32 bytes) There are 70 cases in total and I will show in CNote.sol only. 2022-06-newblockchain\lending-market\contracts\CNote.sol#L16 2022-06-newblockchain\lending-market\contracts\CNote.sol#L43 2022-06-newblockchain\lending-market\contracts\CNote.sol#L45 2022-06-newblockchain\lending-market\contracts\CNote.sol#L54 2022-06-newblockchain\lending-market\contracts\CNote.sol#L77 2022-06-newblockchain\lending-market\contracts\CNote.sol#L114 2022-06-newblockchain\lending-market\contracts\CNote.sol#L130 2022-06-newblockchain\lending-market\contracts\CNote.sol#L146 2022-06-newblockchain\lending-market\contracts\CNote.sol#L198 2022-06-newblockchain\lending-market\contracts\CNote.sol#L214 2022-06-newblockchain\lending-market\contracts\CNote.sol#L264 2022-06-newblockchain\lending-market\contracts\CNote.sol#L310 2022-06-newblockchain\lending-market\contracts\CNote.sol#L330
Don't use storage value if you can use local variable instead 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L856 closeFactorMantissa => newCloseFactorMantissa
2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1045 pauseGuardian => NewPauseGuardian
2022-06-newblockchain\lending-market\contracts\NoteInterest.sol#L127 baseRatePerYear => newBaseRatePerYear
2022-06-newblockchain\lending-market\contracts\NoteInterest.sol#L144 baseRatePerYear => newBaseRateMantissa
2022-06-newblockchain\lending-market\contracts\NoteInterest.sol#L157 adjusterCoefficient => newAdjusterCoefficient
2022-06-newblockchain\lending-market\contracts\NoteInterest.sol#L170 updateFrequency => newUpdateFrequency
2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L735 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L959 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1106 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1347 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1347 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1353 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1364 2022-06-newblockchain\lending-market\contracts\Governance\GovernorBravoDelegate.sol#L68 2022-06-newblockchain\lending-market\contracts\Governance\GovernorBravoDelegate.sol#L90 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L207 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L136 2022-06-newblockchain\stableswap\contracts\BaseV1-periphery.sol#L362
Add additional require() to save gas cost 2022-06-newblockchain\stableswap\contracts\BaseV1-core.sol#L210 require(granularity != 0) should be added as it will revert after all calculations in this case.
Use != 0 instead of > 0 for uint variables There are more than 50 cases and I will show in Comptroller.sol only. 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L309 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L329 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L380 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1129 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1194 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1197 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1200 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1215 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1218 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1221 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1311 2022-06-newblockchain\lending-market\contracts\Comptroller.sol#L1379
#0 - GalloDaSballo
2022-08-04T00:28:11Z
600 from the SLOAD for the events, rest is less than 500 in bulk