Olympus DAO contest - itsmeSTYJ's results

Version 3 of Olympus protocol, a decentralized floating currency.

General Information

Platform: Code4rena

Start Date: 25/08/2022

Pot Size: $75,000 USDC

Total HM: 35

Participants: 147

Period: 7 days

Judge: 0xean

Total Solo HM: 15

Id: 156

League: ETH

Olympus DAO

Findings Distribution

Researcher Performance

Rank: 23/147

Findings: 5

Award: $1,040.98

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: GalloDaSballo

Also found by: PwnPatrol, cccz, itsmeSTYJ

Labels

bug
duplicate
2 (Med Risk)
sponsor confirmed

Awards

347.2615 DAI - $347.26

External Links

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Heart.sol#L106

Vulnerability details

Impact

If there are insufficient rewards remaining in the contract, _issueReward() will fail to transfer and thus beat() cannot be called. Again, the code assumes that there will always be sufficient rewards in the contract, but it is prudent not to rely on that assumption.

Transfer the minimum of the reward amount to be paid and the reward token balance of the contract, i.e.:

    function min(uint256 a, uint256 b) internal pure returns (uint256) {
        if (a < b) return a;
        return b;
    }

    function _issueReward(address to_) internal {
        // Pay out whichever is smaller: the configured reward or what the
        // contract actually holds, so beat() never reverts on a short balance.
        uint256 balance = rewardToken.balanceOf(address(this));
        uint256 amt = min(balance, reward);
        rewardToken.safeTransfer(to_, amt);
        emit RewardIssued(to_, amt);
    }

#0 - Oighty

2022-09-07T20:37:39Z

See comment on #390.

#1 - Oighty

2022-09-07T20:44:00Z

See comment on #378 as well.

#2 - 0xean

2022-09-19T14:35:09Z

closing as duplicate of #378

Findings Information

🌟 Selected for report: hansfriese

Also found by: datapunk, itsmeSTYJ

Labels

bug
duplicate
2 (Med Risk)
disagree with severity

Awards

514.4616 DAI - $514.46

External Links

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/RANGE.sol#L97-L98

Vulnerability details

Impact

If the cushion spread is > the wall spread, the entire contract is bricked because it operates on the assumption that the cushion spread is strictly less than the wall spread. Note that this is only a problem in the constructor; the setSpreads() function already contains this validation check.

Require in the constructor that the cushion spread is < the wall spread, as setSpreads() already does.

#0 - Oighty

2022-09-07T21:37:08Z

See comment on #379

#1 - 0xean

2022-09-19T14:18:35Z

closing as dupe of #379

Findings Information

Awards

11.0311 DAI - $11.03

Labels

bug
duplicate
2 (Med Risk)
sponsor confirmed

External Links

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/PRICE.sol#L167
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/PRICE.sol#L173

Vulnerability details

Impact

It is possible that an incorrect value for currentPrice is used when latestRoundData() is called, because there is no validation that the roundId is increasing or that the returned price is non-zero. Note that the impact is somewhat reduced because a simple moving average is used, but it is still prudent to add these validation checks to ensure that the protocol reflects the most up-to-date and correct price for OHMv2 and the reserve token.

Check that the roundId is increasing and that the price is > 0.
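The recommended checks on latestRoundData(), written out in Python as an added example (not Olympus code or code from this finding). The staleness and answeredInRound checks go beyond what the finding lists, and max_age is an assumed parameter standing in for the feed's heartbeat:

```python
from typing import NamedTuple, Optional


class RoundData(NamedTuple):
    """Fields of Chainlink's latestRoundData() return tuple."""
    round_id: int
    answer: int
    started_at: int
    updated_at: int
    answered_in_round: int


def validate_round(rd: RoundData, prev_round_id: int, now: int,
                   max_age: int) -> Optional[str]:
    """Return None if the round is usable, otherwise the reason to reject it."""
    if rd.round_id <= prev_round_id:
        return "roundId not increasing"     # replayed or rolled-back round
    if rd.answer <= 0:
        return "non-positive price"         # 0 (or negative) must never be used as a price
    if rd.answered_in_round < rd.round_id:
        return "answer carried over from earlier round"
    if rd.updated_at == 0 or now - rd.updated_at > max_age:
        return "stale price"                # assumption: max_age ~ the feed's heartbeat
    return None


# Constructed sample rounds (not real feed data); price is $1500 with 8 decimals.
NOW = 1_700_000_000
PREV_ROUND_ID = 10
PRICE = 1_500 * 10**8
SAMPLES = {
    "good":   RoundData(11, PRICE, NOW - 60, NOW - 60, 11),
    "zero":   RoundData(12, 0, NOW - 30, NOW - 30, 12),
    "replay": RoundData(10, PRICE, NOW - 10, NOW - 10, 10),
    "stale":  RoundData(13, PRICE, NOW - 7200, NOW - 7200, 13),
    "carry":  RoundData(14, PRICE, NOW - 5, NOW - 5, 13),
}


def check_samples(max_age: int = 3600) -> dict:
    """Run every constructed sample through validate_round()."""
    return {name: validate_round(rd, PREV_ROUND_ID, NOW, max_age)
            for name, rd in SAMPLES.items()}
```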

#0 - Oighty

2022-09-06T18:55:10Z

Duplicate. See comment on #441.

Findings Information

🌟 Selected for report: rvierdiiev

Also found by: Jeiwan, Lambda, Trust, datapunk, devtooligan, itsmeSTYJ, zzzitron

Labels

bug
duplicate
2 (Med Risk)
sponsor confirmed

Awards

113.9192 DAI - $113.92

External Links

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Heart.sol#L103

Vulnerability details

Impact

It is possible to call beat() multiple times consecutively because lastBeat is not correctly tracked.

Proof of Concept

Assume the current timestamp is 1000 and the observation frequency is 100. beat() is called once and lastBeat is updated to 1100, which is correct. Assume that 323 seconds have passed, i.e. the current time is now 1423. It is now possible to call beat() 4 more times in a row, since lastBeat is only ever incremented by the observation frequency.

Replace lastBeat += frequency(); with lastBeat = block.timestamp + frequency();
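The drift described in the PoC, modelled in Python as an added example (not code from the Olympus repo or from this finding). It assumes beat() is permitted once block.timestamp >= lastBeat, which is the reading under which the PoC's numbers come out, and compares the original `lastBeat += frequency()` with the suggested `lastBeat = block.timestamp + frequency()`:

```python
from dataclasses import dataclass


class OutOfCycle(Exception):
    """Models the revert when beat() is called too early."""


@dataclass
class Heart:
    frequency: int        # observation frequency in seconds
    last_beat: int        # timestamp gate used by beat()
    fixed: bool = False   # False = original `lastBeat += frequency()`

    def beat(self, now: int) -> None:
        # Assumption: beat() is permitted once now >= last_beat; this is the
        # reading under which the PoC's count of 4 extra beats comes out.
        if now < self.last_beat:
            raise OutOfCycle(f"beat at {now} before gate {self.last_beat}")
        if self.fixed:
            # Suggested fix: re-anchor the gate to the current block time.
            self.last_beat = now + self.frequency
        else:
            # Original: advance by one period regardless of how late the call is,
            # so time that has already elapsed is never "consumed".
            self.last_beat += self.frequency


def count_consecutive_beats(heart: Heart, now: int, limit: int = 100) -> int:
    """Call beat() repeatedly at one timestamp until it reverts."""
    beats = 0
    while beats < limit:
        try:
            heart.beat(now)
        except OutOfCycle:
            break
        beats += 1
    return beats


def poc(fixed: bool) -> int:
    """Constructed scenario from the PoC above: frequency 100, first beat at
    t=1000, then 323 seconds pass before a burst of calls at t=1423."""
    heart = Heart(frequency=100, last_beat=1000, fixed=fixed)
    heart.beat(1000)  # gate becomes 1100 in both variants
    return count_consecutive_beats(heart, 1423)


if __name__ == "__main__":
    print(poc(fixed=False), poc(fixed=True))
```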

#0 - Oighty

2022-09-07T21:03:38Z

See comment on #405 and #79.

#1 - 0xean

2022-09-19T13:28:05Z

closing as dupe of #79

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/PRICE.sol#L32-L33

Vulnerability details

Impact

Should anything happen to the Chainlink oracles, e.g. a paused price feed, a configuration error, or even gas prices that are too high, the protocol's functionality would be halted, as there are no fallback oracles to rely on.

  • Introduce a fallback oracle and periodically verify that the fallback oracle is working.
  • Introduce pausing functionality as a last resort.

#0 - Oighty

2022-09-06T18:59:06Z

We recognize this as a potential issue, but there are no additional oracle sources that are sufficient for our uses currently. We anticipate revisiting this after some protocol level decisions are implemented with respect to the primary liquidity pools for OHM.

Currently, mitigations are in place to prevent loss of funds by reverting stale price feed calls (which are going to be improved upon per #441, et al).

#1 - 0xean

2022-09-16T18:54:06Z

downgrading to QA.
