Platform: Code4rena
Start Date: 07/08/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 125
Period: 3 days
Judge: alcueca
Total Solo HM: 4
Id: 274
League: ETH
Rank: 95/125
Findings: 1
Award: $9.82
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RED-LOTUS-REACH
Also found by: 0x3b, 0x4non, 0xCiphky, 0xDING99YA, 0xDetermination, 0xE1, 0xG0P1, 0xStalin, 0xWaitress, 0xbrett8571, 0xhacksmithh, 0xkazim, 0xmuxyz, 0xweb3boy, 14si2o_Flint, AlexCzm, Alhakista, Bube, Bughunter101, Deekshith99, Eeyore, Giorgio, HChang26, InAllHonesty, JP_Courses, KmanOfficial, MatricksDeCoder, Mike_Bello90, MrPotatoMagic, Naubit, QiuhaoLi, RHaO-sec, Raihan, Rolezn, SUPERMAN_I4G, Shubham, Silverskrrrt, Strausses, T1MOH, Topmark, Tripathi, Watermelon, _eperezok, aakansha, auditsea, audityourcontracts, ayden, carlos__alegre, castle_chain, cducrest, ch0bu, d23e, deadrxsezzz, deth, devival, erebus, fatherOfBlocks, halden, hassan-truscova, hpsb, hunter_w3b, imkapadia, immeas, jat, kaden, kaveyjoe, klau5, koxuan, kutugu, ladboy233, lanrebayode77, leasowillow, lsaudit, markus_ether, matrix_0wl, merlin, nemveer, ni8mare, nonseodion, oakcobalt, owadez, p_crypt0, pipidu83, piyushshukla, popular00, ppetrov, rjs, sandy, sl1, supervrijdag, tay054, thekmj, wahedtalash77, windhustler, zhaojie
9.8204 USDC - $9.82
LendingLedger has a receive() function, but does not have any withdrawal function. Any Manifest mistakenly sent to this contract would be locked.
https://github.com/code-423n4/2023-08-verwa/blob/main/src/LendingLedger.sol#L209
receive() in a way that sends the funds to the actual sender (i.e., msg.sender) immediately or receive().
The VotingEscrow contract lacks any mechanism to verify the voting power of users participating in voting activities. Without the ability to confirm the voting power of users, the contract is susceptible to potential abuse and manipulation, as users may claim false voting power, leading to biased voting outcomes.
https://github.com/code-423n4/2023-08-verwa/blob/main/src/VotingEscrow.sol
Implement an algorithm within the contract that accurately calculates and verifies the voting power of each user based on established criteria.
The following source units are imported but not referenced in the contract:
LendingLedger.sol:
import {VotingEscrow} from "./VotingEscrow.sol";
Consider removing this import.
#0 - c4-judge
2023-08-22T14:14:58Z
alcueca marked the issue as grade-a