Platform: Code4rena
Start Date: 24/10/2023
Pot Size: $36,500 USDC
Total HM: 4
Participants: 147
Period: 6 days
Judge: 0xDjango
Id: 299
League: ETH
Rank: 123/147
Findings: 1
Award: $4.52
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xmystery
Also found by: 0x11singh99, 0xAadi, 0xAlix2, 0xG0P1, 0xStalin, 0xWaitress, 0x_Scar, 0xhacksmithh, 0xhunter, 0xpiken, Al-Qa-qa, Arz, Avci, Bauchibred, BeliSesir, Breeje, Bughunter101, DarkTower, Eeyore, Fitro, HChang26, Imlazy0ne, J4X, JCK, Kaysoft, Kral01, Madalad, Mike_Bello90, Noro, PASCAL, PENGUN, Proxy, Rickard, Shubham, SovaSlava, Strausses, Team_Rocket, ThreeSigma, Topmark, Udsen, Walter, Yanchuan, Zach_166, ZanyBonzy, adam-idarrha, adeolu, almurhasan, arjun16, ast3ros, asui, ayden, btk, cartlex_, castle_chain, cccz, chainsnake, codynhat, critical-or-high, cryptonue, csanuragjain, deepkin, degensec, dirk_y, erebus, foxb868, ge6a, hunter_w3b, jasonxiale, kkkmmmsk, lanrebayode77, lsaudit, marchev, matrix_0wl, max10afternoon, nuthan2x, oakcobalt, oxchsyston, pavankv, peanuts, pep7siup, pipidu83, pontifex, ptsanev, qpzm, radev_sw, rokinot, rotcivegaf, rvierdiiev, sorrynotsorry, squeaky_cactus, supersizer0x, tnquanghuy0512, twcctop, twicek, young, zhaojie, ziyou-
4.5226 USDC - $4.52
Missing address(0) check for the `_to` address in the mint function

In the mint function of contract USDe.sol there is no address(0) check to ensure that USDe is not minted to the zero address. Minting to the zero address effectively burns the tokens that were meant to be minted.
```solidity
function mint(address to, uint256 amount) external {
    if (msg.sender != minter) revert OnlyMinter();
    _mint(to, amount);
}
```
Missing address(0) check in the _grantRole function of SingleAdminAccessControl.sol

The _grantRole function in SingleAdminAccessControl.sol is used by the DEFAULT_ADMIN_ROLE to grant roles to accounts, but it does not ensure that the account receiving the role is not the zero address before granting it. Granting a role to the zero address can lead to DoS and loss of gas.
```solidity
function _grantRole(bytes32 role, address account) internal override {
    if (role == DEFAULT_ADMIN_ROLE) {
        emit AdminTransferred(_currentDefaultAdmin, account);
        _revokeRole(DEFAULT_ADMIN_ROLE, _currentDefaultAdmin);
        _currentDefaultAdmin = account;
        delete _pendingDefaultAdmin;
    }
    super._grantRole(role, account);
}
```
Direct minting through the mint function by MINTER can break max_mint_per_block

There are no checks in the mint function that ensure max_mint_per_block is not exceeded, so a direct mint through the mint function in USDe.sol can very possibly exceed max_mint_per_block. Adding the belowMaxRedeemPerBlock modifier to the mint function would close this loophole. It would also act as an extra layer of security if the MINTER role is compromised, since it limits the amount of USDe a malicious minter could mint in a short time. The same applies to the redeem function in USDe.sol.
```solidity
function mint(address to, uint256 amount) external {
    if (msg.sender != minter) revert OnlyMinter();
    _mint(to, amount);
}
```
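The three points above (an address(0) check on mint, an address(0) check on _grantRole, and a per-block cap on direct mints) in one minimal contract, as an added example that is not Ethena's code or the quoted USDe.sol. The role bookkeeping, the maxMintPerBlock and mintedPerBlock state, and the belowMaxMintPerBlock modifier name are assumptions of this example, chosen to mirror the belowMaxRedeemPerBlock modifier the finding refers to.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract. Folds three hardening points into one token:
//   1. mint() rejects address(0) before crediting the balance
//   2. mint() is gated by belowMaxMintPerBlock, which tracks the amount minted in the
//      current block against maxMintPerBlock (names are assumptions of this example)
//   3. _grantRole() rejects address(0) before recording the role
contract HardenedUSDe {
    string public constant name = "USDe";
    string public constant symbol = "USDe";
    uint8 public constant decimals = 18;

    bytes32 public constant DEFAULT_ADMIN_ROLE = 0x00;
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(bytes32 => mapping(address => bool)) private _roles;

    // Per-block mint cap (assumed names): amount minted per block number
    uint256 public maxMintPerBlock;
    mapping(uint256 => uint256) public mintedPerBlock;

    error ZeroAddressException();
    error OnlyMinter();
    error OnlyAdmin();
    error MaxMintPerBlockExceeded();

    event Transfer(address indexed from, address indexed to, uint256 value);
    event RoleGranted(bytes32 indexed role, address indexed account);

    constructor(address admin, uint256 _maxMintPerBlock) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        maxMintPerBlock = _maxMintPerBlock;
    }

    // Reverts if minting `amount` in this block would push the block total over the cap.
    modifier belowMaxMintPerBlock(uint256 amount) {
        if (mintedPerBlock[block.number] + amount > maxMintPerBlock) revert MaxMintPerBlockExceeded();
        _;
    }

    function grantRole(bytes32 role, address account) external {
        if (!_roles[DEFAULT_ADMIN_ROLE][msg.sender]) revert OnlyAdmin();
        _grantRole(role, account);
    }

    function setMaxMintPerBlock(uint256 newMax) external {
        if (!_roles[DEFAULT_ADMIN_ROLE][msg.sender]) revert OnlyAdmin();
        maxMintPerBlock = newMax;
    }

    // Hardened mint: minter check, zero-address check, then the per-block cap is consumed.
    function mint(address to, uint256 amount) external belowMaxMintPerBlock(amount) {
        if (!_roles[MINTER_ROLE][msg.sender]) revert OnlyMinter();
        if (to == address(0)) revert ZeroAddressException();
        mintedPerBlock[block.number] += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    // Hardened role grant: refuse the zero address before recording the role.
    function _grantRole(bytes32 role, address account) internal {
        if (account == address(0)) revert ZeroAddressException();
        _roles[role][account] = true;
        emit RoleGranted(role, account);
    }
}
```

The cap is checked in the modifier and consumed inside mint, so a compromised minter key is bounded to maxMintPerBlock per block rather than the full supply; setMaxMintPerBlock is admin-only so the bound cannot be lifted by the minter itself.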
previewRedeem not specified in the codebase

The function previewRedeem is called in the cooldownShares/cooldownAssets functions, where it is presumably meant to calculate the conversion of shares to assets for redemption, but this function is not implemented in the codebase, either in scope or out of scope. This can lead to unintended behaviour in the contract.
```solidity
function cooldownShares(uint256 shares, address owner) external ensureCooldownOn returns (uint256) {
    if (shares > maxRedeem(owner)) revert ExcessiveRedeemAmount();

    uint256 assets = previewRedeem(shares);

    cooldowns[owner].cooldownEnd = uint104(block.timestamp) + cooldownDuration;
    cooldowns[owner].underlyingAmount += assets;

    _withdraw(_msgSender(), address(silo), owner, assets, shares);

    return assets;
}
```
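For the previewRedeem gap, an added example (not Ethena's code) of a minimal cooldown vault that defines previewRedeem in the ERC-4626 sense, converting shares to assets pro rata and rounding down, and wires it into a cooldownShares that mirrors the quoted logic. The deposit path, the siloBalance accounting, the unstake function and the 90-day default are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract. Shows what a previewRedeem definition has to
// provide for cooldownShares to work: shares -> assets, rounded down so the vault never
// escrows more than it holds.
contract CooldownVaultExample {
    struct UserCooldown {
        uint104 cooldownEnd;
        uint256 underlyingAmount;
    }

    uint256 public totalSupply;                    // vault shares outstanding
    uint256 public totalAssets;                    // underlying tokens credited to the vault
    uint24 public cooldownDuration = 90 days;      // assumed default
    uint256 public siloBalance;                    // stands in for the separate silo contract
    mapping(address => uint256) public balanceOf;  // shares per holder
    mapping(address => UserCooldown) public cooldowns;

    error ExcessiveRedeemAmount();
    error ZeroAmount();
    error CooldownNotElapsed();

    // ERC-4626 style convertToShares on deposit, rounding down; 1:1 while the vault is empty.
    function deposit(uint256 assets) external returns (uint256 shares) {
        if (assets == 0) revert ZeroAmount();
        if (totalSupply == 0 || totalAssets == 0) {
            shares = assets;
        } else {
            shares = assets * totalSupply / totalAssets;
        }
        totalAssets += assets;
        totalSupply += shares;
        balanceOf[msg.sender] += shares;
    }

    // ERC-4626 previewRedeem: assets obtainable for `shares`, rounding down.
    function previewRedeem(uint256 shares) public view returns (uint256) {
        if (totalSupply == 0) return 0;  // no shares exist, nothing to redeem against
        return shares * totalAssets / totalSupply;
    }

    function maxRedeem(address owner) public view returns (uint256) {
        return balanceOf[owner];
    }

    // Mirrors the cooldownShares logic quoted above, with previewRedeem now defined.
    function cooldownShares(uint256 shares) external returns (uint256 assets) {
        address owner = msg.sender;
        if (shares > maxRedeem(owner)) revert ExcessiveRedeemAmount();

        assets = previewRedeem(shares);

        cooldowns[owner].cooldownEnd = uint104(block.timestamp) + cooldownDuration;
        cooldowns[owner].underlyingAmount += assets;

        // _withdraw equivalent: burn the shares and escrow the assets in the silo
        balanceOf[owner] -= shares;
        totalSupply -= shares;
        totalAssets -= assets;
        siloBalance += assets;
    }

    // Once the cooldown has elapsed the escrowed assets can be released from the silo.
    function unstake() external returns (uint256 assets) {
        UserCooldown storage uc = cooldowns[msg.sender];
        if (block.timestamp < uc.cooldownEnd) revert CooldownNotElapsed();
        assets = uc.underlyingAmount;
        uc.underlyingAmount = 0;
        uc.cooldownEnd = 0;
        siloBalance -= assets;
        // the silo would transfer `assets` of the underlying token to msg.sender here
    }
}
```

Rounding down in previewRedeem is the safety-relevant choice: any rounding error stays with the vault rather than being escrowed to the redeemer, so siloBalance can never exceed what totalAssets actually backed.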
#0 - c4-pre-sort (2023-11-02T02:55:18Z): raymondfam marked the issue as low quality report

#1 - c4-pre-sort (2023-11-02T02:55:24Z): raymondfam marked the issue as sufficient quality report

#2 - c4-judge (2023-11-14T16:56:55Z): fatherGoose1 marked the issue as grade-b