Platform: Code4rena
Start Date: 27/01/2022
Pot Size: $75,000 USDC
Total HM: 10
Participants: 26
Period: 7 days
Judge: pauliax
Total Solo HM: 5
Id: 81
League: ETH
Rank: 12/26
Findings: 4
Award: $614.57
Selected for report: 1
Solo Findings: 0
Selected for report: cmichel
Also found by: 0x1f8b, TomFrenchBlockchain, UncleGrandpa925, WatchPug, defsec, leastwood, pauliax, sirhashalot
pauliax
EIP1271Wallet.sol is calling latestAnswer to get the last price:
uint256 oraclePrice = _toUint( AggregatorV2V3Interface(priceOracle).latestAnswer() );
This method will return the last value, but you won't be able to check if the data is fresh. On the other hand, calling the method latestRoundData allows you to run some extra validations:
( roundId, rawPrice, , updateTime, answeredInRound ) = AggregatorV2V3Interface(priceOracle).latestRoundData();
require(rawPrice > 0, "Chainlink price <= 0");
require(updateTime != 0, "Incomplete round");
require(answeredInRound >= roundId, "Stale price");
See the chainlink documentation for more information: https://docs.chain.link/docs/faq/#how-can-i-check-if-the-answer-to-a-round-is-being-carried-over-from-a-previous-round
Consider using latestRoundData with validations against stale data.
#0 - jeffywu
2022-02-06T14:21:43Z
Duplicate of #178
#1 - pauliax
2022-02-12T12:22:08Z
A duplicate of #197
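The contrast described in the finding above, written out as an added Solidity example (not Notional's code or the warden's): the latestAnswer read that gives no freshness signal beside a latestRoundData read with the three checks from the finding plus an explicit age bound. The AggregatorV2V3Interface subset uses Chainlink's real signatures; the maxStaleness bound, the PriceReader contract name and the _toUint helper are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV2V3Interface (real signatures).
interface AggregatorV2V3Interface {
    function latestAnswer() external view returns (int256);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Added example: the unchecked pattern next to a validated one.
contract PriceReader {
    AggregatorV2V3Interface public immutable priceOracle;
    /// @dev Hypothetical freshness bound; a real deployment derives it from the feed's heartbeat.
    uint256 public immutable maxStaleness;

    constructor(address oracle, uint256 maxStaleness_) {
        priceOracle = AggregatorV2V3Interface(oracle);
        maxStaleness = maxStaleness_;
    }

    // Assumed helper mirroring the _toUint call in the finding: rejects negative answers.
    function _toUint(int256 x) internal pure returns (uint256) {
        require(x >= 0, "negative price");
        return uint256(x);
    }

    /// @notice The pattern the finding flags: the caller cannot tell whether the answer is fresh.
    function unsafePrice() external view returns (uint256) {
        return _toUint(priceOracle.latestAnswer());
    }

    /// @notice Same value, but every field latestRoundData exposes is checked before use.
    function safePrice() external view returns (uint256) {
        (uint80 roundId, int256 rawPrice, , uint256 updateTime, uint80 answeredInRound) =
            priceOracle.latestRoundData();
        require(rawPrice > 0, "Chainlink price <= 0");
        require(updateTime != 0, "Incomplete round");
        require(answeredInRound >= roundId, "Stale price");
        // Extra bound beyond the finding: reject answers older than the configured heartbeat window.
        require(updateTime <= block.timestamp && block.timestamp - updateTime <= maxStaleness, "Price too old");
        return uint256(rawPrice);
    }
}
```

Note that answeredInRound >= roundId catches answers carried over from an earlier round, while the age bound catches a feed that has simply stopped updating; the two checks fail in different situations, so both are worth keeping.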
Selected for report: WatchPug
Also found by: TomFrenchBlockchain, UncleGrandpa925, cmichel, hyh, pauliax
pauliax
Consider adding a configurable slippage parameter here to prevent users suffering from sandwich bots:
minAmountsOut[0] = 0; minAmountsOut[1] = 0; IVault.ExitPoolRequest( ... minAmountsOut
and (used in both sNOTE and TreasuryManager contracts):
IVault.JoinPoolRequest( ... 0 // Accept however much BPT the pool will give us )
Accepting any amounts makes it a good target for the mempool beasts lurking to extract the value from regular users.
Consider making these slippage parameters configurable, so they can be tightened if you notice this being exploited.
#0 - jeffywu
2022-02-06T14:20:51Z
Duplicate of #181
#1 - pauliax
2022-02-13T10:24:02Z
A duplicate of #181
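One way to make the minAmountsOut values configurable, as the finding above suggests, shown as an added Solidity example rather than code from Notional's sNOTE or TreasuryManager contracts: the caller supplies the amounts it expects (from an off-chain quote) and a slippage tolerance in basis points, the contract converts them into minAmountsOut, and an owner-set cap bounds how loose that tolerance may be. The IVault interface is a minimal subset whose ExitPoolRequest layout matches Balancer V2; the contract name, the owner role and the assumed ExitKind constant value are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Balancer V2 Vault surface used here (struct field order matches the real IVault).
interface IVault {
    struct ExitPoolRequest {
        address[] assets;
        uint256[] minAmountsOut;
        bytes userData;
        bool toInternalBalance;
    }

    function exitPool(bytes32 poolId, address sender, address payable recipient, ExitPoolRequest memory request)
        external;
}

/// @notice Added example: exit a Balancer pool with caller-chosen, owner-capped slippage protection.
contract SlippageGuardedExit {
    uint256 internal constant BPS = 10_000;
    /// @dev Assumed value of the weighted-pool ExitKind EXACT_BPT_IN_FOR_TOKENS_OUT for this example.
    uint256 internal constant EXACT_BPT_IN_FOR_TOKENS_OUT = 1;

    IVault public immutable vault;
    bytes32 public immutable poolId;
    address public owner;
    /// @notice Upper bound on the slippage a caller may accept; the owner tightens it if abuse is observed.
    uint256 public maxSlippageBps;

    constructor(IVault vault_, bytes32 poolId_, uint256 maxSlippageBps_) {
        require(maxSlippageBps_ <= BPS, "cap above 100%");
        vault = vault_;
        poolId = poolId_;
        owner = msg.sender;
        maxSlippageBps = maxSlippageBps_;
    }

    function setMaxSlippageBps(uint256 newCap) external {
        require(msg.sender == owner, "not owner");
        require(newCap <= BPS, "cap above 100%");
        maxSlippageBps = newCap;
    }

    /// @notice Minimum acceptable amount for an expected amount at the given tolerance.
    function minOut(uint256 expected, uint256 slippageBps) public view returns (uint256) {
        require(slippageBps <= maxSlippageBps, "slippage above cap");
        return expected * (BPS - slippageBps) / BPS;
    }

    /// @notice Exit with every minAmountsOut entry derived from the caller's quote, never hard-coded to zero.
    function exit(
        uint256 bptAmountIn,
        address[] calldata assets,
        uint256[] calldata expectedAmountsOut,
        uint256 slippageBps
    ) external {
        require(assets.length == expectedAmountsOut.length, "length mismatch");
        uint256[] memory minAmountsOut = new uint256[](assets.length);
        for (uint256 i = 0; i < assets.length; i++) {
            minAmountsOut[i] = minOut(expectedAmountsOut[i], slippageBps);
        }
        vault.exitPool(
            poolId,
            address(this),
            payable(msg.sender),
            IVault.ExitPoolRequest({
                assets: assets,
                minAmountsOut: minAmountsOut,
                userData: abi.encode(EXACT_BPT_IN_FOR_TOKENS_OUT, bptAmountIn),
                toInternalBalance: false
            })
        );
    }
}
```

The same minOut helper applies to the join side: the minimum BPT encoded into the JoinPoolRequest userData should be computed from the expected BPT and the tolerance rather than set to 0. The Vault reverts the whole exit if any token comes out below its minimum, which is what removes the profit from a sandwich.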
Selected for report: pauliax
Also found by: Jujic, ShippooorDAO, SolidityScan, WatchPug, gzeon, samruna, throttle
10.4991 USDC - $10.50
pauliax
Unused state variables:
uint256 public constant BPT_TOKEN_PRECISION = 1e18;
uint256 internal constant ETH_PRECISION = 1e18;
uint32 public refundGasPrice;
Either remove them or use them where intended.
#0 - pauliax
2022-02-15T08:34:56Z
This issue mentions all three state variables that can be safely removed, so I am making this a primary issue and grouping all the issues related to unused variables together.
79.0235 USDC - $79.02
pauliax
In function _redeemAndTransfer this is repeated twice:
if (underlying.tokenAddress == address(0)) { ... }
address underlyingAddress = underlying.tokenAddress == address(0) ...
You should cache and re-use it to avoid repeated calculations.
#0 - pauliax
2022-02-15T14:04:56Z
#213