Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 40/111
Findings: 2
Award: $357.36
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: catellatech
341.4422 USDC - $341.44
The library prb-math v3.3.2 documents that it is not audited by a security researcher. This means its more risky to rely on this library.
{ "name": "@prb/math", "description": "Solidity library for advanced fixed-point math", "version": "3.3.2",
prb-math v3.3.2 is being used.
While I set a high bar for code quality and test coverage, you should not assume that this project is completely safe to use. PRBMath has not yet been audited by a third-party security researcher.
prb-math v3.3.2 not audited Some issues:
pow is used in TierCalculationLib.getTierOdds and DrawAccumulatorLib.computeC.Common.prbExp2: duplicated bitmasks - According to ref :File: prb-math/src/Common.sol 413: if (x & 0xFF00000000 > 0) { 440: if (x & 0xFF00000000 > 0) {
The bit masks used on Line 413 and Line 440 in Common.sol are the same, i.e. 0xFF00000000. The latter should have two fewer zeroes.
Manual Review
prb-math v3.3.2 may break the project's computational protocolsprb-math will add a new directory "audits" with PDF references to the audits performed by Cantina.prb-math V4 after being audited.Math
#0 - c4-judge
2023-07-18T18:23:35Z
Picodes marked the issue as duplicate of #423
#1 - c4-judge
2023-08-05T21:56:53Z
Picodes marked the issue as satisfactory
🌟 Selected for report: bin2chen
Also found by: 0x11singh99, 0xWaitress, 0xbepresent, ABAIKUNANBAEV, ArmedGoose, Bauchibred, DadeKuma, GREY-HAWK-REACH, GalloDaSballo, Inspecktor, Jeiwan, Kaysoft, MohammedRizwan, Rolezn, Vagner, alexzoid, alymurtazamemon, ayden, banpaleo5, catellatech, dacian, erebus, eyexploit, fatherOfBlocks, grearlake, joaovwfreire, keccak123, kutugu, lanrebayode77, markus_ether, nadin, naman1778, rvierdiiev, squeaky_cactus, volodya, yixxas
15.9228 USDC - $15.92
Total 02 Low and 07 Non-Critical
Vault.sol , _currentExchangeRate() should change the code to be more compact0.8.19 is the latest version of Solidity, which "contains a fix for a long-standing bug that can result in code that is only used in creation code to also be included in runtime bytecode". To be more secured and more future-proofed, please consider using Version 0.8.19 for the following contracts.Vault.sol , _currentExchangeRate() should change the code to be more compactFile: Vault.sol 1178: if (_withdrawableAssets > _totalSupplyToAssets) { 1179: _withdrawableAssets = _withdrawableAssets - (_withdrawableAssets - _totalSupplyToAssets); // @audit _withdrawableAssets = _totalSupplyToAssets
draft-ERC20Permit.sol is deprecated as EIP-2612 is final as of 2022-11-01.Consider using the latest version of the OpenZeppelin ERC20Permit contract.
File: Vault.sol --- 5: import { ERC20Permit, IERC20Permit } from "openzeppelin/token/ERC20/extensions/draft-ERC20Permit.sol"; +++ 5: import { ERC20Permit, IERC20Permit } from "openzeppelin/token/ERC20/extensions/ERC20Permit.sol";
Using the more updated version of Solidity can enhance security. As described in https://github.com/ethereum/solidity/releases, Version 0.8.19 is the latest version of Solidity, which "contains a fix for a long-standing bug that can result in code that is only used in creation code to also be included in runtime bytecode". To be more secured and more future-proofed, please consider using Version 0.8.19 for the following contracts.
CONTEXTS: ALL CONTRACTS
The highest tier of smart contract behavior assurance is formal mathematical verification. All assertions that are made are guaranteed to be true across all inputs → The quality of your asserts is the quality of your verification
https://twitter.com/0xOwenThurm/status/1614359896350425088?t=dbG9gHFigBX85Rv29lOjIQ&s=19
File: TieredLiquidityDistributor.sol 205: mapping(uint8 => Tier) internal _tiers;
TieredLiquidityDistributor.sol#L205
File: DrawAccumulatorLib.sol 49: mapping(uint256 => Observation) observations;
File: PrizePool.sol 202: mapping(address => DrawAccumulatorLib.Accumulator) internal vaultAccumulator; 206: mapping(address => mapping(address => mapping(uint16 => mapping(uint8 => mapping(uint32 => bool))))) 210: mapping(address => uint256) internal claimerRewards;
File: TwabController.sol 36: mapping(address => mapping(address => TwabLib.Account)) internal userObservations; 39: mapping(address => TwabLib.Account) internal totalSupplyObservations; 42: mapping(address => mapping(address => address)) internal delegates;
File: Vault.sol 236: mapping(address => VaultHooks) internal _hooks;
File: VaultFactory.sol 36: mapping(Vault => bool) public deployedVaults;
Consider using named parameters in mappings (e.g. mapping(address account => uint256 balance)) to improve readability. This feature is present since Solidity 0.8.18 Cases already listed in N-05
There are many addresses and constants used in the system. It is recommended to put the most used ones in one file (for example constants.sol, use inheritance to access these values).
This will help with readability and easier maintenance for future changes. This also helps with any issues, as some of these hard-coded values are admin addresses.
Use and import this file in contracts that require access to these values. This is just a suggestion, in some use cases this may result in higher gas usage in the distribution.
#0 - c4-judge
2023-07-18T19:15:07Z
Picodes marked the issue as grade-b