Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 41/101
Findings: 1
Award: $33.60
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
33.5953 USDC - $33.60
constant.DAI.balanceOf(address(this)) is written in multiple places.require statement is described in multiple places.event is not emit when the critical value is set.redeemBase is the denominator for calculating the redeemedAmount, which may be zero as it gets smaller in the redeem function.
Add a require statement to guarantee that redeemBase is not zero.
To prevent unintended behavior, the arguments of these functions should be zero-checked.
Add require statement for zero-checking.
Contracts should be deployed with the same compiler version and flags that have been thoroughly tested.
Lock the pragma version.
The value to emit is correct, but the argument names are seemingly wrong.
/// @notice event emitted when fei gets minted event Mint(address to, uint256 amountIn, uint256 amountFeiOut);
emit Mint(to, amountIn, amountIn);
/// @notice event emitted upon a redemption event Redeem(address to, uint256 amountFeiIn, uint256 amountAssetOut);
emit Redeem(to, amountFeiIn, amountFeiIn);
Appropriate argument names should be used.
amountFeiOut == amountIn, amountFeiIn == amountOut in these functions, so the actual value is correct.
constant.Constants should be named with all capital letters with underscores separating words.
https://docs.soliditylang.org/en/latest/style-guide.html
All capital letters with underscores separating words should be used.
DAI.balanceOf(address(this)) is written in multiple places.Codes writing the same content(DAI.balanceOf(address(this)) in this case) should be unified as much as possible.
/// @notice gets the effective balance of "balanceReportedIn" token if the deposit were fully withdrawn function balance() external view returns (uint256) { return DAI.balanceOf(address(this)); }
and
return (DAI.balanceOf(address(this)), FEI.balanceOf(address(this)));
Change the balance() function to public and write it like this.
return (balance(), FEI.balanceOf(address(this)));
Alternatively, getDaiBalance() and getFeiBalance() can be created separately and incorporated here.
return (getDaiBalance(), getFeiBalance());
In this way, the following code can also be modified.
uint256 feiBalance = FEI.balanceOf(address(this));
require statement is described in multiple places.Codes writing the same content(require(_cTokens.length == 27, "Must provide exactly 27 merkle roots"); in this case) should be unified as much as possible.
It is conceivable to define a modifier.
For completeness and readability, NatSpec for all functions within the contract should be documented whenever possible.
In this contract.
https://github.com/code-423n4/2022-09-tribe/blob/main/contracts/shutdown/fuse/RariMerkleRedeemer.sol
Add NatSpec comment.
event is not emit when the critical value is set.Allow Dapps to detect important changes in storage ,
event should be emit so that Dapps can detect important changes in storage.
This is even more necessary since these are internal functions, not private functions, and can also be called by derived contracts in the future.
Define event and emit.