Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 79/101
Findings: 1
Award: $33.58
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
33.5762 USDC - $33.58
Address(0x0) when assigning values to address state variables

Zero-address checks are a best practice for input validation of critical address parameters. While the codebase applies this to most cases, there are many places where this is missing in constructors and setters.
Impact: Accidental use of zero-addresses may result in exceptions, burn fees/tokens, or force redeployment of contracts.
Findings

SimpleFeiDaiPSM.sol
L34 - to can be address(0)
L49 - to can be address(0)

RariMerkleRedeemer.sol
L124 - _cTokens can be address(0)
L137 - _cTokens can be address(0)
L166 - _cTokens can be address(0)
L186 - _cTokens can be address(0)
L201 - cToken can be address(0)

TribeRedeemer.sol
L32 - _redeemedToken can be address(0)
L33 - _tokensReceived can be address(0)
L64 - to can be address(0)
Add zero-address checks before the assignment, e.g. (where _addr is the address parameter being assigned):

require(_addr != address(0), "Zero-address");
The same token address can be entered more than once by mistake; the functions below do not revert if this happens.

RariMerkleRedeemer.sol
L124 - _cTokens
L137 - _cTokens
L186 - _cTokens
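The following contract is an added illustration, not code from the Tribe/Fei repository, showing the two validations recommended above in one place: a zero-address check on a single parameter such as `to` or `_redeemedToken`, and a check over every element of an address array such as `_cTokens` that also rejects repeated entries. The contract name, the `redeemTo` function and the stored fields are assumptions made for the example; only the parameter names come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.4;

/// @notice Illustrative contract (not project code) demonstrating the
///         zero-address and duplicate-address checks the QA report asks for.
contract ValidatedRedeemer {
    // Assumed state; the names mirror the parameters cited in the report.
    address public immutable redeemedToken;
    address[] public cTokens;

    constructor(address _redeemedToken, address[] memory _cTokens) {
        // Single-parameter check, as recommended for _redeemedToken / _tokensReceived / to.
        require(_redeemedToken != address(0), "Zero-address");
        // Array check covering every entry of _cTokens.
        _validateTokenList(_cTokens);

        redeemedToken = _redeemedToken;
        cTokens = _cTokens;
    }

    /// @dev Reverts if any element is address(0) or if any address appears twice.
    ///      The pairwise comparison is O(n^2), which is acceptable for the short
    ///      lists a deployer or admin passes in a constructor or setter.
    function _validateTokenList(address[] memory tokens) internal pure {
        for (uint256 i = 0; i < tokens.length; i++) {
            require(tokens[i] != address(0), "Zero-address");
            for (uint256 j = i + 1; j < tokens.length; j++) {
                require(tokens[i] != tokens[j], "Duplicate address");
            }
        }
    }

    /// @notice Example of guarding a `to` parameter before it is used as a transfer target.
    ///         The transfer itself is omitted; only the validation is the point here.
    function redeemTo(address to, uint256 amount) external view returns (address, uint256) {
        require(to != address(0), "Zero-address");
        return (to, amount);
    }
}
```

Placing the array validation in an internal helper lets the constructor and any later setter for the same list share one check, so the duplicate-entry case reported for L124, L137 and L186 is covered wherever the list is assigned.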
Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
https://swcregistry.io/docs/SWC-103
Findings
SimpleFeiDaiPSM.sol pragma solidity ^0.8.4;
TribeRedeemer.sol pragma solidity ^0.8.4;
Recommended Mitigation Steps
Lock the pragma version to the same version as used in the other contracts and also consider known bugs (https://github.com/ethereum/solidity/releases) for the compiler version that is chosen.
Pragma statements can be allowed to float when a contract is intended for consumption by other developers, as is the case with contracts in a library or EthPM package. Otherwise, the developer would need to manually update the pragma in order to compile it locally.
tokensReceived

On the TribeRedeemer contract, there is no setter function for the tokensReceived address. This can cause misfunctionality of the TribeRedeemer contract.

Navigate to the contract: the tokensReceived address is set in the constructor. A setter function is missing on the contract. A misdeployed contract can therefore cause failure of the tokensReceived integration.

Consider adding a setter function for tokensReceived.
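An added example (not the TribeRedeemer code itself) of what such a setter could look like: the address is validated against address(0), the change is restricted to an owner, and an event records the old and new values so the correction is visible on-chain. The report refers to tokensReceived as a single address, and this example models it that way; the owner-based access control, the contract name and the event name are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.4;

/// @notice Illustrative contract (not project code) showing a restricted setter
///         for the tokensReceived address so a misdeployed value can be fixed
///         without redeploying the contract.
contract RedeemerWithSetter {
    address public owner;           // assumed: simple owner-based access control
    address public tokensReceived;  // modelled as a single address, as in the report

    event TokensReceivedUpdated(address indexed previous, address indexed current);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(address _tokensReceived) {
        // Same zero-address check the report recommends for the constructor path.
        require(_tokensReceived != address(0), "Zero-address");
        owner = msg.sender;
        tokensReceived = _tokensReceived;
        emit TokensReceivedUpdated(address(0), _tokensReceived);
    }

    /// @notice Lets the owner correct the integration address after deployment.
    ///         Reverts on address(0) so the setter cannot reintroduce the bad state.
    function setTokensReceived(address _tokensReceived) external onlyOwner {
        require(_tokensReceived != address(0), "Zero-address");
        address previous = tokensReceived;
        tokensReceived = _tokensReceived;
        emit TokensReceivedUpdated(previous, _tokensReceived);
    }
}
```

Emitting the previous and new values from the setter gives monitoring a concrete signal to alert on, since an unexpected change to an integration address is exactly the kind of privileged action that should be reviewed.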