Platform: Code4rena
Start Date: 21/12/2021
Pot Size: $30,000 USDC
Total HM: 20
Participants: 20
Period: 5 days
Judge: Jack the Pug
Total Solo HM: 13
Id: 70
League: ETH
Rank: 10/20
Findings: 3
Award: $390.23
🌟 Selected for report: 3
🚀 Solo Findings: 0
🌟 Selected for report: TomFrenchBlockchain
116.4719 USDC - $116.47
pauliax
functions mint and burn of USDV should allow the user to specify min amounts to receive. This would help the user to avoid a huge slippage. Another reason is that price is fetched from lbt but this address can be changed anytime (function setLBTwap), so in theory users can be frontrunned and a malicious lbt injected.
To enhance the protection of users, I suggest adding slippage tolerance parameters to the aforementioned functions.
#0 - jack-the-pug
2022-03-13T06:31:44Z
Dup #2
26.2062 USDC - $26.21
pauliax
Consider introducing a reasonable upper limit for vaderPairs length, because it could grow too big to fit in the block limits and there is no way to remove it. This will make functions that iterate over all the pairs fail.
for (uint256 i; i < totalPairs; ++i)
There are several possible mitigation steps. You can introduce an upper limit. Or you can add a removal function. Or you can use something like EnumerableSet to store pairs, but this will increase the gas usage: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/structs/EnumerableSet.sol
#0 - SamSteinGG
2021-12-27T10:28:21Z
There can be no hard limit as block gas limits and gas cost fluctuate.
#1 - jack-the-pug
2022-03-13T14:51:17Z
Dup #110
🌟 Selected for report: TomFrenchBlockchain
pauliax
function mint of USDV skips 24 hour limit check when cycleTimestamp is advanced:
if (cycleTimestamp <= block.timestamp) { cycleTimestamp = block.timestamp + 24 hours; cycleMints = uAmount; } else { cycleMints += uAmount; require( cycleMints <= dailyLimit, "USDV::mint: 24 Hour Limit Reached" ); }
An owner can set any dailyLimit (function setDailyLimit), so there could be a situation when the initial mint on that day is exceeding the limit.
Proposed solution:
if (cycleTimestamp <= block.timestamp) { cycleTimestamp = block.timestamp + 24 hours; cycleMints = uAmount; } else { cycleMints += uAmount; } require( cycleMints <= dailyLimit, "USDV::mint: 24 Hour Limit Reached" );
#0 - 0xstormtrooper
2021-12-27T08:18:45Z
🌟 Selected for report: pauliax
143.7924 USDC - $143.79
pauliax
function _addUSDVPair does not check if the foreignAsset does not exist yet, thus it is possible to override it.
Make sure this is the intended behavior or else add validations, e.g.
require(pairData.updatePeriod == 0, "...");
🌟 Selected for report: pauliax
Also found by: Dravee, Jujic, Meta0xNull, robee
7.5338 USDC - $7.53
pauliax
Shortening revert strings to fit in 32 bytes will decrease deployment time gas and will decrease runtime gas when the revert condition has been met. Some examples:
require( answeredInRound >= roundID, "LBTWAP::getChainlinkPrice: Stale Chainlink Price" ); require(price > 0, "LBTWAP::getChainlinkPrice: Chainlink Malfunction");
🌟 Selected for report: pauliax
57.4139 USDC - $57.41
pauliax
2**32 can be pre-calculated and stored in a constant to reduce gas costs:
uint32 blockTimestamp = uint32(block.timestamp % 2**32);