Platform: Code4rena
Start Date: 07/04/2023
Pot Size: $47,000 USDC
Total HM: 20
Participants: 120
Period: 6 days
Judge: GalloDaSballo
Total Solo HM: 4
Id: 230
League: ETH
Rank: 71/120
Findings: 1
Award: $31.00
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: AkshaySrivastav
Also found by: 0x5rings, 0xbepresent, ABA, Bauchibred, BenRai, DadeKuma, ElKu, RaymondFam, Rolezn, adriro, btk, chaduke, devscrooge, dingo2077, minhtrng, nemveer, p0wd3r, rbserver, ulqiorra
30.9954 USDC - $31.00
PrivatePool.sol L211
function buy(uint256[] calldata tokenIds, uint256[] calldata tokenWeights, MerkleMultiProof calldata proof) {
    ...
    emit Buy(tokenIds, tokenWeights, netInputAmount, feeAmount, protocolFeeAmount, royaltyFeeAmount);
}
The buy function does not check if tokenIds is empty. If it is empty, the function will continue to execute and eventually emit an event that has no effect and should not be emitted.
The sell and change functions have the same issue.
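One way to close this gap, as an added example rather than code from the audited repository: a shared modifier that reverts on an empty token list before any event is emitted. The contract name, the EmptyTokenIds error, the simplified signatures and events, and the choice to guard both arrays in change are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the PrivatePool source. Pricing, transfers and the
// Merkle proof are omitted; signatures are simplified for the demo.
contract EmptyBatchGuardDemo {
    // Hypothetical error name; it is not defined in the audited contract.
    error EmptyTokenIds();

    event Buy(uint256[] tokenIds, uint256[] tokenWeights, uint256 netInputAmount);
    event Sell(uint256[] tokenIds, uint256[] tokenWeights, uint256 netOutputAmount);
    event Change(uint256[] inputTokenIds, uint256[] outputTokenIds);

    // One shared guard, so the three entry points cannot drift apart.
    modifier nonEmpty(uint256[] calldata ids) {
        if (ids.length == 0) revert EmptyTokenIds();
        _;
    }

    function buy(uint256[] calldata tokenIds, uint256[] calldata tokenWeights)
        external
        nonEmpty(tokenIds)
        returns (uint256 netInputAmount)
    {
        netInputAmount = _sum(tokenWeights); // stand-in for the real pricing
        emit Buy(tokenIds, tokenWeights, netInputAmount);
    }

    function sell(uint256[] calldata tokenIds, uint256[] calldata tokenWeights)
        external
        nonEmpty(tokenIds)
        returns (uint256 netOutputAmount)
    {
        netOutputAmount = _sum(tokenWeights); // stand-in for the real pricing
        emit Sell(tokenIds, tokenWeights, netOutputAmount);
    }

    function change(uint256[] calldata inputTokenIds, uint256[] calldata outputTokenIds)
        external
        nonEmpty(inputTokenIds)
        nonEmpty(outputTokenIds)
    {
        emit Change(inputTokenIds, outputTokenIds);
    }

    function _sum(uint256[] calldata xs) private pure returns (uint256 total) {
        for (uint256 i = 0; i < xs.length; i++) total += xs[i];
    }
}
```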
PrivatePool.sol L750
function flashFee(address, uint256) public view returns (uint256) { return changeFee; }
PrivatePool.sol L34
import {IERC3156FlashBorrower} from "openzeppelin/interfaces/IERC3156FlashLender.sol";
It only uses IERC3156FlashBorrower; other functions in IERC3156FlashLender.sol are not used.
#0 - c4-judge
2023-05-01T08:50:31Z
GalloDaSballo marked the issue as grade-c
#1 - GalloDaSballo
2023-05-05T09:09:59Z
3R
#2 - GalloDaSballo
2023-05-05T09:10:30Z
Barely made it, 4L 3R
#3 - c4-judge
2023-05-05T09:10:36Z
GalloDaSballo marked the issue as grade-b