Platform: Code4rena
Start Date: 08/06/2022
Pot Size: $115,000 USDC
Total HM: 26
Participants: 72
Period: 11 days
Judge: leastwood
Total Solo HM: 14
Id: 132
League: ETH
Rank: 62/72
Findings: 1
Award: $141.82
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: BowTiedWardens
Also found by: 0x1f8b, 0x29A, 0x52, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 0xmint, Chom, ElKu, Funen, IllIllI, JMukesh, Jujic, Kaiziron, Lambda, MiloTruck, Ruhum, SmartSek, SooYa, TerrierLover, TomJ, WatchPug, Waze, _Adam, asutorufos, auditor0517, bardamu, c3phas, catchup, cccz, ch13fd357r0y3r, cloudjunky, cmichel, cryptphi, csanuragjain, defsec, fatherOfBlocks, hansfriese, hyh, jayjonah8, joestakey, k, kenta, obtarian, oyc_109, robee, sach1r0, shenwilly, simon135, slywaters, sorrynotsorry, tintin, unforgiven, xiaoming90, zzzitron
141.8225 USDC - $141.82
AssetLogic._swapAsset() description has no mention of the _slippageTol argument:
    /**
     * @notice Swaps assetIn t assetOut using the stored stable swap or internal swap pool
     * @dev Will not swap if the asset passed in is the adopted asset
     * @param _canonicalId - The canonical token id
     * @param _assetIn - The address of the from asset
     * @param _assetOut - The address of the to asset
     * @param _amount - The amount of the local asset to swap
     * @return The amount of assetOut
     * @return The address of assetOut
     */
    function _swapAsset(
      bytes32 _canonicalId,
      address _assetIn,
      address _assetOut,
      uint256 _amount,
      uint256 _slippageTol
    ) internal returns (uint256, address) {
As an example:
    /**
     * @param _amount - The amount of the local asset to swap
     * @param _slippageTol - Slippage tolerance
     * @return The amount of assetOut
     */
The success return value is omitted:
    /**
     * @notice Swaps assetIn t assetOut using the stored stable swap or internal swap pool
     * @dev Will not swap if the asset passed in is the adopted asset
     * @param _canonicalId - The canonical token id
     * @param _assetIn - The address of the from asset
     * @param _assetOut - The address of the to asset
     * @param _amountOut - The amount of the _assetOut to swap
     * @return The amount of assetIn
     * @return The address of assetOut
     */
    function _swapAssetOut(
As an example:
     * @return Success value
     * @return The amount of assetIn
Open TODO comments that require some decisions to be made and then code completion:
    // TODO: Should we call approve(0) and approve(totalRepayAmount) instead? or with a try catch to not affect gas on all cases?
    // Example: https://github.com/aave/aave-v3-periphery/blob/ca184e5278bcbc10d28c3dbbc604041d7cfac50b/contracts/adapters/paraswap/ParaSwapRepayAdapter.sol#L138-L140
    SafeERC20.safeIncreaseAllowance(IERC20(adopted), s.aavePool, totalRepayAmount);
Also:
    // TODO: do we need to keep this
    bytes32 details = action.detailsHash();
    IBridgeToken(token).setDetailsHash(details);
Consider removing all TODO comments with the corresponding code amendments (i.e. fix, won't fix, etc) before release as they are relevant to the development process only.
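A pre-release check can catch both kinds of issue raised above: NatSpec tags that disagree with the function signature, and leftover TODO markers. The script below is an added example, not code from the report or from the audited project; the regex-based parsing, the names `natspec_gaps` and `open_todos`, and the `_quote` sample function are assumptions made for illustration.

```python
import re

# Constructed input: the _swapAsset NatSpec and signature quoted in the finding (trimmed),
# plus a hypothetical _quote() whose second return value is undocumented.
SAMPLE = '''
/**
 * @param _canonicalId - The canonical token id
 * @param _assetIn - The address of the from asset
 * @param _assetOut - The address of the to asset
 * @param _amount - The amount of the local asset to swap
 * @return The amount of assetOut
 * @return The address of assetOut
 */
function _swapAsset(bytes32 _canonicalId, address _assetIn, address _assetOut,
  uint256 _amount, uint256 _slippageTol) internal returns (uint256, address) {
  // TODO: do we need to keep this
}
/** @param _amount - Amount to quote
 *  @return The quoted amount */
function _quote(uint256 _amount) internal view returns (bool, uint256) {}
'''

# A /** ... */ block directly followed by a function header, up to its opening brace.
DOC_FN = re.compile(r"/\*\*(?P<doc>(?:(?!\*/).)*)\*/\s*function\s+(?P<name>\w+)\s*\((?P<params>[^)]*)\)"
                    r"[^{;]*?(?:returns\s*\((?P<rets>[^)]*)\))?\s*[{;]", re.S)

def split_args(text):
    return [a.strip() for a in (text or "").split(",") if a.strip()]

def natspec_gaps(source):
    """Map function name -> NatSpec tags that disagree with its signature."""
    report = {}
    for m in DOC_FN.finditer(source):
        documented = re.findall(r"@param\s+(\w+)", m["doc"])
        declared = [a.split()[-1] for a in split_args(m["params"])]
        issues = [f"missing @param {p}" for p in declared if p not in documented]
        issues += [f"stale @param {p}" for p in documented if p not in declared]
        n_ret, n_doc = len(split_args(m["rets"])), len(re.findall(r"@return\b", m["doc"]))
        if n_ret != n_doc:
            issues.append(f"{n_doc} @return tag(s) for {n_ret} return value(s)")
        if issues:
            report[m["name"]] = issues
    return report

def open_todos(source):  # 1-based line numbers of comments still carrying a TODO marker
    return [n for n, line in enumerate(source.splitlines(), 1) if re.search(r"//.*\bTODO\b", line)]

if __name__ == "__main__":
    print(natspec_gaps(SAMPLE), open_todos(SAMPLE))
```

The parser is deliberately simple: it assumes named parameters and no parentheses inside the parameter list, so function-typed or unnamed parameters would need a real Solidity parser.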
#0 - liu-zhipeng
2022-06-30T13:30:17Z
1), 2) fixed
#1 - jakekidd
2022-07-02T01:32:16Z
slippageTol argument. It seems that the auditor was somehow looking at the wrong branch. Regardless, it was a good find, and seems to have helped us?? ^ lol, I'm okay with keeping this for that reason