Platform: Code4rena
Start Date: 25/08/2022
Pot Size: $75,000 USDC
Total HM: 35
Participants: 147
Period: 7 days
Judge: 0xean
Total Solo HM: 15
Id: 156
League: ETH
Rank: 116/147
Findings: 1
Award: $54.31
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: zzzitron
Also found by: 0x040, 0x1f8b, 0x52, 0x85102, 0xDjango, 0xNazgul, 0xNineDec, 0xSky, 0xSmartContract, 0xkatana, 8olidity, Aymen0909, Bahurum, BipinSah, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chandr, Chom, CodingNameKiki, Deivitto, DimSon, Diraco, ElKu, EthLedger, Funen, GalloDaSballo, Guardian, IllIllI, JansenC, Jeiwan, Lambda, LeoS, Margaret, MasterCookie, PPrieditis, PaludoX0, Picodes, PwnPatrol, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, StevenL, The_GUILD, TomJ, Tomo, Trust, Waze, __141345__, ajtra, ak1, apostle0x01, aviggiano, bin2chen, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, cccz, ch13fd357r0y3r, cloudjunky, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, devtooligan, dipp, djxploit, durianSausage, eierina, enckrish, erictee, fatherOfBlocks, gogo, grGred, hansfriese, hyh, ignacio, indijanc, itsmeSTYJ, ladboy233, lukris02, martin, medikko, mics, natzuu, ne0n, nxrblsrpr, okkothejawa, oyc_109, p_crypt0, pfapostol, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, sorrynotsorry, tnevler, tonisives, w0Lfrum, yixxas
54.3128 DAI - $54.31
executeAction()Kernel.sol L251 Kernel.sol L253
No check for 0 address on change executor and change admin instruction. A mistake would lock the contract, unable to take actions. This seems to be used during deployment where such a mistake is super small, and during a governance proposal execution where such a mistake is a bit more likely. The latter however is protected by ensureContract(instruction.target) on storing the instructions in store() INSTR.sol L52. Consider adding ensureContract(target_) in executeAction() for executor and admin if those are meant to be contracts.
OlympusPrice contract are set independentlyIt feels like movingAverageDuration() and observationFrequency() should be modified together because of the divisible check.
Consider scenario:
Current state is duration = 9 and frequency = 3
Instruction to change that to duration = 8 and frequency = 2
This would require 3 instructions:
This seems like a waste of gas, and somewhat confusing instructions in such cases.
Consider combining this into a single function changeMovingAverageParams() to set both parameters.
#0 - 0xLienid
2022-09-09T02:39:14Z
Not worth checking for 0x0 address in permissioned system, and setters are as intended.