Inverse Finance contest - pedr02b2's results

Rethink the way you borrow.

General Information

Platform: Code4rena

Start Date: 25/10/2022

Pot Size: $50,000 USDC

Total HM: 18

Participants: 127

Period: 5 days

Judge: 0xean

Total Solo HM: 9

Id: 175

League: ETH

Inverse Finance

Findings Distribution

Researcher Performance

Rank: 75/127

Findings: 1

Award: $36.73

QA:

grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Inverse Finance

Findings Information

🌟 Selected for report: 0x1f8b

Also found by: 0xNazgul, 0xSmartContract, Aymen0909, B2, Bnke0x0, Deivitto, Diana, Dinesh11G, ElKu, JC, Josiah, Rahoz, RaymondFam, ReyAdmirado, Rolezn, Waze, __141345__, adriro, aphak5010, brgltd, c3phas, c7e7eff, carlitox477, cducrest, ch0bu, chrisdior4, cryptonue, cryptostellar5, cylzxje, d3e4, delfin454000, enckrish, evmwanderer, fatherOfBlocks, gogo, hansfriese, horsefacts, immeas, leosathya, lukris02, neumo, oyc_109, pedr02b2, rbserver, robee, rotcivegaf, rvierdiiev, sakshamguruji, shark, simon135, tnevler, trustindistrust, wagmi

Awards

36.7345 USDC - $36.73

Labels

bug

QA (Quality Assurance)

grade-b

Q-28

External Links

Link to GitHub issue

Open TODO's/Comments

Removal of these comment before deployment is adviasble

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/escrows/GovTokenEscrow.sol#L56 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/escrows/INVEscrow.sol#L35

Fix Typos

Multiple typos can be found accross the project files

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L589 @param repaidDebt Th amount of user user debt to liquidate. should be @param repaidDebt The amount of user user debt to liquidate. https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/DBR.sol#L128 @notice Get the DBR deficit of an address. Will return 0 if th user has zero DBR or more. should be @notice Get the DBR deficit of an address. Will return 0 if the user has zero DBR or more. https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L48 @dev Even though the price feeds implement the chainlink interface, it's possible to use other price oracle. should be @dev Even though the price feeds implement the chainlink interface, it's possible to use another price oracle. https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/BorrowController.sol#L36 @param deniedContract The addres of the denied contract should be @param deniedContract The address of the denied contract

Declare public function external

These Public functions are never called by the contract and so can be declared as external instead

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/BorrowController.sol#L26 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/BorrowController.sol#L32 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/BorrowController.sol#L38 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/BorrowController.sol#L46

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Fed.sol#L57 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Fed.sol#L66 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Fed.sol#L75 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Fed.sol#L57 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Fed.sol#L66 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Fed.sol#L72

Use openzeppelins ECDSA as appose too ecrecover

Rather than calling on ecrecover() directly like this to verify a signed message, employ the use of a more tried, tested secure Openzeppelin's ECDSA to verify a signed message.

https://docs.openzeppelin.com/contracts/2.x/api/cryptography#ECDSA

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L425 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L486

Lack of address(0) on setter functions

Non of these functions have a (0) address check that set a new address for major parts of the protocol such as gov, oracle etc etc, consider adding this check on all of these fucntions.

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/BorrowController.sol#L26

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Fed.sol#L48 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Fed.sol#L66

Lack of emit/events on setter functions

Funcntions that change or set addrress changes to parts of the protocol such as gov, operator etc do not emit anything or an event upon the change to address, consider adding emits/events to such setter functions this allows for dapps to track changes to memory as well as allows users to know what is happening when a change occurs such a new contract address etc

consider adding for example emit setOracle(_oracle); market.sol line 118

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/BorrowController.sol#L26

Lack of access control check on functions

Market.sol has an onlyGov mdofier but the require statement/check require(msg.sender == gov, "Only gov"); is not used, how ever its is used through FED.sol, employ the same style require checks within these files also.

BorrowController.sol has an onlyOperator mdofier but the require statement/check require(msg.sender == operator, "Only operator"); is not used

DBR.sol has an onlyOperator mdofier but the require statement/check require(msg.sender == operator) is not used

Oracle.sol has an onlyOperator mdofier but the require statement/check require(msg.sender == operator) is not used

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L44 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L53 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L61

Use 10**4 instead of 10000

All of the following lines of code make use of exactly the same literal value, consider saving this value as a constant, may also help if you want to update all of these values at once at any time you could just update the constant, as they all seem to require the same value input anyway.

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L95 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L98 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L134 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L137

Split && statement for readability

split this && statement and devs notes, not only to save a little gas on functions but also for readability, for instance... so that all lines of code conform to solidity standards of 120 chars per line, or devs comments can all be seen at once rather than having to scroll across the page to see the end of the sentence in tools such as vscode. (which is apparent in some instances)

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L75 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L162 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L173 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L184 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L195

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Fed.sol#L99

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/escrows/GovTokenEscrow.sol#L16

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/escrows/INVEscrow.sol#L25

Solidity layout practices

Some of the files within the project do not conform to the solidity layout practices consider rearanging the layout of function, events etc to conform

https://docs.soliditylang.org/en/v0.8.16/style-guide.html#order-of-layout https://docs.soliditylang.org/en/v0.8.16/style-guide.html#maximum-line-length

Inside each contract, library or interface, use the following order: Type declarations, State variables, Events, Modifiers, Functions

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L614 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/DBR.sol#L381 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L146 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Fed.sol#L140

Use of tx.origin

tx.origin has been known to be vulnerable to phishing attacks, unsure how to report the use of this so highlited in my QA report but it would be better to employ a standard if(msg.sender == owner) or create access control around borrower such that if(msg.sender == Borrower) return true; than to risk using tx.origin to check if the user is allwed to borrow or not. tx.origin is known to have its own vulnerabilites.

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/BorrowController.sol#L47

#0 - c4-judge
2022-11-07T21:40:22Z

0xean marked the issue as grade-b

Inverse Finance contest - pedr02b2's results

Rethink the way you borrow.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-28] QA Report - $36.73

Findings Information

Awards

Labels

External Links

Open TODO's/Comments

Fix Typos

Declare public function external

Use openzeppelins ECDSA as appose too ecrecover

Lack of address(0) on setter functions

Lack of emit/events on setter functions

Lack of access control check on functions

Use 10**4 instead of 10000

Split && statement for readability

Solidity layout practices

Use of tx.origin

#0 - c4-judge2022-11-07T21:40:22Z

#0 - c4-judge
2022-11-07T21:40:22Z