Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 21/101
Findings: 1
Award: $34.50
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
34.5035 USDC - $34.50
We recommend that the protocol add the HasNotSign modifier to the sign-and-claim function.
function signAndClaim(
    bytes calldata signature,
    address[] calldata cTokens,
    uint256[] calldata amounts,
    bytes32[][] calldata merkleProofs
) external override nonReentrant {
    // both sign and claim/multiclaim will revert on invalid signatures/proofs
    _sign(signature);
    _multiClaim(cTokens, amounts, merkleProofs);
}
Currently the project uses both Forge and Hardhat to implement tests. We recommend that the protocol use one consistent test framework to reduce the code maintenance and integration test workload.
https://github.com/code-423n4/2022-09-tribe/blob/main/contracts/shutdown/redeem/TribeRedeemer.sol
https://docs.soliditylang.org/en/v0.8.15/natspec-format.html
Use a Solidity version of at least 0.8.10 to have external calls skip contract existence checks if the external call has a return value.
TribeRedeemer.sol, simpleFeiDaiPSM.sol and MultiMerkleRedeemer.sol use the Solidity version
pragma solidity ^0.8.4;
MerkleRedeemerDripper uses the Solidity version
pragma solidity =0.8.10;
while the other contracts use
pragma solidity ^0.8.4;
We recommend that the protocol use the same Solidity version.
Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
https://swcregistry.io/docs/SWC-103
TribeRedeemer.sol, simpleFeiDaiPSM.sol and MultiMerkleRedeemer.sol use the Solidity version
pragma solidity ^0.8.4;
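A check covering the pragma findings above (floating pragma, mixed versions across contracts, minimum 0.8.10), as an added example that is not part of the original report or the project's code. The function name `audit_pragmas` and the inline sample sources are assumptions; the samples reuse the file names and pragma lines quoted in the report, with contract bodies omitted.

```python
import re

# Constructed sample: file names and pragma lines as quoted in the report;
# contract bodies are omitted.
SAMPLE_SOURCES = {
    "TribeRedeemer.sol": "pragma solidity ^0.8.4;\n",
    "simpleFeiDaiPSM.sol": "pragma solidity ^0.8.4;\n",
    "MultiMerkleRedeemer.sol": "pragma solidity ^0.8.4;\n",
    "MerkleRedeemerDripper.sol": "pragma solidity =0.8.10;\n",
}

PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+([^;]+);", re.MULTILINE)
EXACT_RE = re.compile(r"^=?\s*\d+\.\d+\.\d+$")  # locked: "0.8.10" or "=0.8.10"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
MIN_VERSION = (0, 8, 10)  # minimum version the report recommends


def audit_pragmas(sources):
    """Return (findings per file, set of distinct version constraints)."""
    findings, distinct = {}, set()
    for name, text in sources.items():
        match = PRAGMA_RE.search(text)
        if match is None:
            findings[name] = ["no solidity pragma found"]
            continue
        constraint = " ".join(match.group(1).split())
        distinct.add(constraint)
        issues = []
        if not EXACT_RE.match(constraint):
            issues.append(f"floating pragma (SWC-103): {constraint}")
        # Heuristic: compare the lowest version named in the constraint.
        named = [tuple(map(int, v)) for v in VERSION_RE.findall(constraint)]
        if named and min(named) < MIN_VERSION:
            issues.append("allows a compiler older than 0.8.10")
        findings[name] = issues
    return findings, distinct


if __name__ == "__main__":
    findings, distinct = audit_pragmas(SAMPLE_SOURCES)
    for name, issues in findings.items():
        print(name, "->", issues or "ok")
    if len(distinct) > 1:
        print("inconsistent pragmas across files:", sorted(distinct))
```
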
In RariMerkleRedeemer.sol, the functions
function _configureExchangeRates(address[] memory _cTokens, uint256[] memory _exchangeRates) internal {
function _configureMerkleRoots(address[] memory _cTokens, bytes32[] memory _roots) internal {
function _configureBaseToken(address _baseToken) internal {
are missing event emissions.