Back to ladboy233's contests

Mimo August 2022 contest - ladboy233's results

Bridging the chasm between the DeFi world and the world of regulated financial institutions.

General Information

Platform: Code4rena

Start Date: 02/08/2022

Pot Size: $50,000 USDC

Total HM: 12

Participants: 69

Period: 5 days

Judge: gzeon

Total Solo HM: 5

Id: 150

League: ETH

Mimo DeFi

Findings Distribution

Researcher Performance

Rank: 45/69

Findings: 2

Award: $106.78

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryMimo DeFi

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0xDjango, 0xNazgul, 0xc0ffEE, 8olidity, Bnke0x0, Chom, CodingNameKiki, Deivitto, Dravee, Funen, JC, JohnSmith, NoamYakov, ReyAdmirado, Rohan16, Rolezn, Sm4rty, SooYa, TomFrenchBlockchain, TomJ, Waze, __141345__, ajtra, ak1, aysha, bin2chen, bobirichman, brgltd, bulej93, c3phas, delfin454000, durianSausage, erictee, fatherOfBlocks, gogo, horsefacts, hyh, ladboy233, mics, natzuu, nxrblsrpr, oyc_109, rbserver, samruna, sikorico, simon135, tofunmi, wagmi

Awards

67.5073 USDC - $67.51

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Missing 0 address check in the constructor.

https://github.com/code-423n4/2022-08-mimo/blob/eb1a5016b69f72bc1e4fd3600a65e908bd228f13/contracts/actions/MIMOEmptyVault.sol#L25

  constructor(
    IAddressProvider _a,
    IDexAddressProvider _dexAP,
    IPool _lendingPool,
    IMIMOProxyRegistry _proxyRegistry
  ) MIMOFlashloan(_lendingPool) MIMOSwap(_a, _dexAP) {
    if (address(_proxyRegistry) == address(0)) {
      revert CustomErrors.CANNOT_SET_TO_ADDRESS_ZERO();
    }
    proxyRegistry = _proxyRegistry;
  }

can add zero address for _a, _dexAp, and _lendingPool.

https://github.com/code-423n4/2022-08-mimo/blob/eb1a5016b69f72bc1e4fd3600a65e908bd228f13/contracts/actions/MIMOLeverage.sol#L25

  constructor(
    IAddressProvider _a,
    IDexAddressProvider _dexAP,
    IPool _lendingPool,
    IMIMOProxyRegistry _proxyRegistry
  ) MIMOFlashloan(_lendingPool) MIMOSwap(_a, _dexAP) {
    if (address(_proxyRegistry) == address(0)) {
      revert CustomErrors.CANNOT_SET_TO_ADDRESS_ZERO();
    }
    proxyRegistry = _proxyRegistry;
  }

can add zero address for _a, _dexAp, and _lendingPool.

https://github.com/code-423n4/2022-08-mimo/blob/eb1a5016b69f72bc1e4fd3600a65e908bd228f13/contracts/actions/MIMORebalance.sol#L25

  constructor(
    IAddressProvider _a,
    IDexAddressProvider _dexAP,
    IPool _lendingPool,
    IMIMOProxyRegistry _proxyRegistry
  ) MIMOFlashloan(_lendingPool) MIMOSwap(_a, _dexAP) {
    if (address(_proxyRegistry) == address(0)) {
      revert CustomErrors.CANNOT_SET_TO_ADDRESS_ZERO();
    }
    proxyRegistry = _proxyRegistry;
  }

can add zero address for _a, _dexAp, and _lendingPool.

Findings Information

🌟 Selected for report: Dravee

Also found by: 0x040, 0x1f8b, 0xDjango, 0xNazgul, 0xSmartContract, 0xc0ffEE, Aymen0909, Bnke0x0, Chom, CodingNameKiki, Deivitto, Fitraldys, Funen, IllIllI, JC, JohnSmith, NoamYakov, ReyAdmirado, Rolezn, TomJ, Waze, ajtra, bearonbike, bobirichman, brgltd, c3phas, durianSausage, fatherOfBlocks, gogo, ignacio, jag, joestakey, ladboy233, mics, oyc_109, rbserver, samruna, sikorico, simon135

Awards

39.2722 USDC - $39.27

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

collateralBalanceAfter - flashloanRepayAmount can cached.

https://github.com/code-423n4/2022-08-mimo/blob/eb1a5016b69f72bc1e4fd3600a65e908bd228f13/contracts/actions/MIMOLeverage.sol#L132

    if (collateralBalanceAfter > flashloanRepayAmount) {
      token.safeIncreaseAllowance(address(core), collateralBalanceAfter - flashloanRepayAmount);
      core.deposit(address(token), collateralBalanceAfter - flashloanRepayAmount);
    }

collateralBalanceAfter - flashloanRepayAmount appear twices. We can cache the balance difference.

uint256 balanceDifference = collateralBalanceAfter - flashloanRepayAmount

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter