Platform: Code4rena
Start Date: 11/11/2022
Pot Size: $90,500 USDC
Total HM: 52
Participants: 92
Period: 7 days
Judge: LSDan
Total Solo HM: 20
Id: 182
League: ETH
Rank: 84/92
Findings: 1
Award: $52.03
Selected for report: 0
Solo Findings: 0
Selected for report: 0xSmartContract
Also found by: 0x4non, 0xNazgul, 0xRoxas, 0xdeadbeef0x, 0xmuxyz, 9svR6w, Awesome, Aymen0909, B2, Bnke0x0, CloudX, Deivitto, Diana, Franfran, IllIllI, Josiah, RaymondFam, ReyAdmirado, Rolezn, Sathish9098, Secureverse, SmartSek, Trust, Udsen, a12jmx, aphak5010, brgltd, bulej93, c3phas, ch0bu, chaduke, chrisdior4, clems4ever, cryptostellar5, datapunk, delfin454000, fs0c, gogo, gz627, hl_, immeas, joestakey, lukris02, martin, nogo, oyc_109, pashov, pavankv, peanuts, pedr02b2, rbserver, rotcivegaf, sahar, sakman, shark, tnevler, trustindistrust, zaskoh, zgo
52.0338 USDC - $52.03
Code architecture, incentives, and error handling/reporting questions/issues should be resolved before deployment,
```solidity
// updateAccruedETHPerShares() - Syndicate.sol
} else {
    // todo - check else case for any ETH lost
}
```
```solidity
// LiquidStakingManager.sol
// LSDNFactory.sol
// GiantLP.sol
// ETHPoolLPFactory.sol
pragma solidity ^0.8.13;

// Syndicate.sol
pragma solidity 0.8.13;
```
Currently the contracts are using 0.8.13 (or ^0.8.13), which has known bugs. See the Solidity releases.
First instance: The following check, as stated by the comment, is checking if the BLS public key is part of LSD network and is not banned.
```solidity
// LiquidStakingManager.sol
require(isBLSPublicKeyPartOfLSDNetwork(_blsPublicKey) == false, "BLS public key is banned or not a part of LSD network");
// should be: BLS public key is banned or already part of LSD network
```
Second instance:
Considering the definition of isBLSPublicKeyBanned() in LiquidStakingManager, this is checking whether the BLS public key is banned or not part of the LSD network.
```solidity
// SavEthVault.sol
require(liquidStakingManager.isBLSPublicKeyBanned(_blsPublicKeyOfKnots[i]) == false, "BLS public key is not part of LSD network");
// should be: BLS public key is banned or not part of LSD network
```
As a public function, it can be called by external developers and smart contracts, which could rely on its name when building their own logic.
The following function is checking whether the BLSPublicKey is banned or not part of the LSDNetwork, not only whether it is banned.
```solidity
function isBLSPublicKeyBanned(bytes calldata _blsPublicKeyOfKnot) public virtual view returns (bool) {
    return !isBLSPublicKeyPartOfLSDNetwork(_blsPublicKeyOfKnot) || bannedBLSPublicKeys[_blsPublicKeyOfKnot] != address(0);
}
// Proposition: isBLSPublicKeyBannedOrNotPartOfLSDNetwork()
```
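An added illustration (not the audited project's code) of the split the proposition above implies: membership and ban-list predicates kept separate, the composite predicate named for what it evaluates, and each require reporting the condition it actually checks. The storage layout, the owner guard, and the pinned pragma version are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17; // assumption: a patched release above 0.8.13; pick the current one at deploy time

/// @dev Illustrative registry, not the LSD network's own contract. The two conditions the audited
///      isBLSPublicKeyBanned() folds together stay separate, so callers and revert reasons say what was checked.
contract KnotRegistryExample {
    address public immutable owner;
    /// @dev Hypothetical membership storage: keys registered with this network
    mapping(bytes => bool) private partOfLSDNetwork;
    /// @dev Same shape as the page's bannedBLSPublicKeys: a non-zero address records a ban
    mapping(bytes => address) public bannedBLSPublicKeys;
    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }
    constructor() {
        owner = msg.sender;
    }
    function register(bytes calldata _blsPublicKey) external onlyOwner {
        require(!isBLSPublicKeyPartOfLSDNetwork(_blsPublicKey), "BLS public key is already part of LSD network");
        partOfLSDNetwork[_blsPublicKey] = true;
    }
    function ban(bytes calldata _blsPublicKey) external onlyOwner {
        require(isBLSPublicKeyPartOfLSDNetwork(_blsPublicKey), "BLS public key is not part of LSD network");
        bannedBLSPublicKeys[_blsPublicKey] = msg.sender;
    }

    /// @notice Membership only: does this key belong to the network?
    function isBLSPublicKeyPartOfLSDNetwork(bytes calldata _blsPublicKey) public view returns (bool) {
        return partOfLSDNetwork[_blsPublicKey];
    }

    /// @notice Ban list only: true iff an explicit ban was recorded
    function isBLSPublicKeyOnBanList(bytes calldata _blsPublicKey) public view returns (bool) {
        return bannedBLSPublicKeys[_blsPublicKey] != address(0);
    }

    /// @notice The composite predicate, named for what it evaluates (the page's proposition)
    function isBLSPublicKeyBannedOrNotPartOfLSDNetwork(bytes calldata _blsPublicKey) public view returns (bool) {
        return !isBLSPublicKeyPartOfLSDNetwork(_blsPublicKey) || isBLSPublicKeyOnBanList(_blsPublicKey);
    }

    /// @dev Guard for vault-style entry points: each failure reports its own cause
    function requireActiveKnot(bytes calldata _blsPublicKey) external view {
        require(isBLSPublicKeyPartOfLSDNetwork(_blsPublicKey), "BLS public key is not part of LSD network");
        require(!isBLSPublicKeyOnBanList(_blsPublicKey), "BLS public key is banned");
    }
}
```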
Multiple functions have an incomplete NatSpec.
Example: deployNewLiquidStakingDerivativeNetwork in LSDNFactory.sol is missing the _optionalCommission param (and the _deployOptionalHouseGatekeeper param is undocumented as well).
```solidity
/// @notice Deploys a new LSDN and the liquid staking manger required to manage the network
/// @param _dao Address of the entity that will govern the liquid staking network
/// @param _stakehouseTicker Liquid staking derivative network ticker (between 3-5 chars)
function deployNewLiquidStakingDerivativeNetwork(
    address _dao,
    uint256 _optionalCommission,
    bool _deployOptionalHouseGatekeeper,
    string calldata _stakehouseTicker
) public returns (address) {
```
CurrentStamp is declared at line 122 in SavEthVault.sol. Consider moving the declaration to line 23.
#0 - c4-judge
2022-12-02T19:46:46Z
dmvt marked the issue as grade-b