Platform: Code4rena
Start Date: 09/12/2022
Pot Size: $36,500 USDC
Total HM: 9
Participants: 69
Period: 3 days
Judge: Picodes
Total Solo HM: 2
Id: 190
League: ETH
Rank: 24/69
Findings: 2
Award: $249.09
🌟 Selected for report: 0
🚀 Solo Findings: 0
220.9698 USDC - $220.97
Judge has assessed an item in Issue #201 as M risk. The relevant finding follows:
Deposit function is not compatible with deflationary token The actual deposited amount might be lower than the specified depositAmount of the function parameter. This would lead to wrong interest rate calculations on the principal. Recommend transferring the tokens first and comparing pre-/after token balances to compute the actual deposited amount.
#0 - c4-judge
2022-12-19T14:01:48Z
Picodes marked the issue as duplicate of #332
#1 - c4-judge
2023-01-07T11:04:19Z
Picodes marked the issue as satisfactory
🌟 Selected for report: 0xSmartContract
Also found by: 0Kage, 0x52, 0xAgro, 0xNazgul, 0xTraub, 0xhacksmithh, Awesome, Aymen0909, Bnke0x0, Englave, Janio, Mukund, Parth, RaymondFam, Rolezn, SmartSek, Tointer, UdarTeam, Udsen, Zarf, caventa, chaduke, csanuragjain, deliriusz, gz627, idkwhatimdoing, izhelyazkov, joestakey, neumo, obront, oyc_109, rvierdiiev, shark, trustindistrust, wait, yongskiws
28.124 USDC - $28.12
An uninitialized contract can be taken over by an attacker. This applies to both a proxy and its implementation contract, which may impact the proxy. To prevent the implementation contract from being used, you should invoke the {_disableInitializers} function in the constructor to automatically lock it when it is deployed:
https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/Collateral.sol#L34 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/token/contracts/ppo/PPO.sol#L53 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/PrePOMarketFactory.sol#L16 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/token/contracts/ppo-staking/governance/staking/QuestManager.sol#L56
OpenZeppelin’s documentation discourages the use of transferFrom() and transfer(), use safeTransferFrom() and safeTransfer() whenever possible as it can prevent loss of funds
https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/Collateral.sol#L49 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/Collateral.sol#L76 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/Collateral.sol#L82 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/DepositTradeHelper.sol#L26 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/DepositTradeHelper.sol#L31 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/packages/prepo-shared-contracts/contracts/WithdrawERC721.sol#L20 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/RedeemHook.sol#L21 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/token/contracts/mini-sales/MiniSales.sol#L43 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/token/contracts/mini-sales/MiniSales.sol#L48 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/token/contracts/token-shop/TokenShop.sol#L83 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/DepositHook.sol https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/PrePOMarket.sol#L69 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/PrePOMarket.sol#L104 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/WithdrawHook.sol#L76 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/token/contracts/ppo-staking/masset/versions/MV2.sol#L1014 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/token/contracts/ppo-staking/masset/versions/MV1.sol#L1023 https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/token/contracts/ppo/PPO.sol#L102
During deposit in line 48 the amount is greater than 0 in order to proceed with the deposit. However, after subtracting the _fee the _amount can be 0.
The actual deposited amount might be lower than the specified depositAmount of the function parameter. This would lead to wrong interest rate calculations on the principal. Recommend transferring the tokens first and comparing pre-/after token balances to compute the actual deposited amount.
#0 - c4-judge
2022-12-19T14:02:17Z
Picodes marked the issue as grade-b
#1 - Picodes
2022-12-19T14:02:24Z
2 out of scope with the automated report