Platform: Code4rena
Start Date: 01/08/2022
Pot Size: $50,000 USDC
Total HM: 26
Participants: 133
Period: 5 days
Judge: Jack the Pug
Total Solo HM: 6
Id: 151
League: ETH
Rank: 64/133
Findings: 1
Award: $62.71
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Lambda
Also found by: 0x1f8b, 0x52, 0xA5DF, 0xNazgul, 0xNineDec, 0xSmartContract, 0xSolus, 0xf15ers, 0xkatana, 0xsolstars, 8olidity, Aymen0909, Bahurum, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, Extropy, Funen, GalloDaSballo, Guardian, IllIllI, JC, Jujic, MEP, Noah3o6, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, SooYa, Soosh, Throne6g, TomJ, Tomio, TrungOre, Waze, Yiko, _Adam, __141345__, a12jmx, ajtra, ak1, arcoun, asutorufos, ayeslick, benbaessler, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, byndooa, c3phas, codexploder, cryptonue, cryptphi, defsec, delfin454000, dipp, djxploit, erictee, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, horsefacts, hyh, ignacio, indijanc, joestakey, kaden, mics, minhquanym, neumo, obront, oyc_109, p_crypt0, pfapostol, poirots, rbserver, robee, rokinot, rotcivegaf, sach1r0, saian, samruna, saneryee, scaraven, sikorico, simon135, sseefried, supernova
62.7082 USDC - $62.71
totalLent mismatch across contracts

According to the documentation:

"Note that you cannot submit a project with no total budget. Therefore it requires at least one task with a budget > 0"

It is however possible to call Community.publishProject() for a project with no budget.

Severity: Low

In publishProject(), there is no check that the project in question has a budget or tasks added to it.

Tools Used: Manual Analysis

Recommended mitigation: add the following line to publishProject():

require(_projectInstance.projectCost() > 0, "Community:project has no total budget");
totalLent mismatch across contracts

There is a mismatch across contracts between the totalLent variables keeping track of the total amount lent to a project: in Community.sol, _communities[_communityID].projectDetails[_project].totalLent does not take into account Project.totalLent. This does not lead to any loss of funds as there are checks in Project.sol, but it can be misleading for anyone calling Community.projectDetails, as the _communityProject.totalLent return value may not match Project.totalLent, i.e. the real amount lent to a project.

Tools Used: Manual Analysis

Recommended mitigation (diff against Community.sol, original line numbers as given):
421: _communities[_communityID] 422: .projectDetails[_project] -423: .totalLent += _amountToProject; +423: .totalLent = _projectInstance.totalLent()+ _amountToProject;
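Review bot: the replacement at line 423, `.totalLent = _projectInstance.totalLent()+ _amountToProject;`, is only correct if Project.totalLent has not yet been increased by `_amountToProject` at the point this line executes; if the call into Project.lendToProject precedes it in the same Community function, the amount is counted twice and the assignment should read `.totalLent = _projectInstance.totalLent();` instead. Confirm the call order in the Community function containing lines 421-423 before adopting the change, and fix the spacing (`totalLent() + _amountToProject`) while there.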
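The drift described in this finding, together with the budget guard from the first finding, illustrated with hypothetical, simplified stand-ins for Project and Community. This is an added example, not the audited HomeFi code; the `published` mapping, `addTask`, and the direct `Project.lendToProject` lending path are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical, simplified stand-ins for HomeFi's Project and Community (added example,
// not the audited code). Project is the single source of truth for funds lent; Community
// keeps its own per-project counter, which is the value that drifts in the finding.
contract Project {
    uint256 public projectCost;
    uint256 public totalLent;

    // Assumption: tasks add to the project's budget.
    function addTask(uint256 cost) external { projectCost += cost; }

    // Assumption: a lending path that does not go through Community (e.g. the builder
    // lending directly), which is what leaves Community's counter stale.
    function lendToProject(uint256 amount) external { totalLent += amount; }
}

contract Community {
    struct ProjectDetails { uint256 totalLent; }
    mapping(address => ProjectDetails) public projectDetails;
    mapping(address => bool) public published; // assumption, stands in for project registration

    function publishProject(address project) external {
        // Guard from the first finding: a project with no total budget cannot be published.
        require(Project(project).projectCost() > 0, "Community:project has no total budget");
        published[project] = true;
    }

    // Buggy form (as in the finding): the local counter only sees lends routed through Community.
    function lendToProjectBuggy(address project, uint256 amount) external {
        require(published[project], "Community:project not published");
        projectDetails[project].totalLent += amount;
        Project(project).lendToProject(amount);
    }

    // Fixed form: resynchronise from Project's own counter before adding this lend, so lends
    // that bypassed Community are reflected. The read must happen before the call to
    // Project.lendToProject below; after it, `+ amount` would count this lend twice.
    function lendToProjectFixed(address project, uint256 amount) external {
        require(published[project], "Community:project not published");
        projectDetails[project].totalLent = Project(project).totalLent() + amount;
        Project(project).lendToProject(amount);
    }
}
```

Scenario: after addTask(100) and publishProject, a lend of 60 placed directly through Project.lendToProject followed by a community lend of 40 leaves projectDetails[project].totalLent at 40 in the buggy form but at 100 in the fixed form, matching Project.totalLent.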
The comment describing the revert condition of the first check in Project.lendToProject does not exactly match the revert condition

Severity: Low

For two conditions A and B, there is the equivalence:

!(!A || B) <=> (A && !B)

We can hence rewrite this require statement as:

if (restrictedToAdmin && _sender != homeFi.admin()) revert;

which reverts if community creation is paused and the sender is not the HomeFi admin. The former comment is a bit misleading because the "or" makes it sound as if only the HomeFi admin can call createCommunity().

Tools Used: Manual Analysis

Recommended mitigation:
-// Revert if community creation is paused or sender is not HomeFi admin +// Revert if community creation is paused and sender is not HomeFi admin