Platform: Code4rena
Start Date: 10/03/2022
Pot Size: $75,000 USDT
Total HM: 25
Participants: 54
Period: 7 days
Judge: pauliax
Total Solo HM: 10
Id: 97
League: ETH
Rank: 24/54
Findings: 3
Award: $518.15
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: WatchPug
Also found by: JMukesh, peritoflores, whilom
If pauser makes an error all the protocol will be unusable
The funtion renouncePauser()#Pausable.sol which affect several contracts is dangerous.
function renouncePauser() external virtual onlyPauser { emit PauserChanged(_pauser, address(0)); _pauser = address(0); }
I believe that your implementation is similar to the deprecated https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v2.3.0/contracts/access/roles/PauserRole.sol
However, in your case pauser can break (accidentally of maliciously) the protocol by calling
and the protocol will be paused forever an not even the admin could unlock it.
Manual code review
Maybe you could make admin able to set a new pauser. The same as OZ does in its new implementation allow the admin to set/ remove that role. I believe that this is the reason why the made that upgrade.
#0 - ankurdubey521
2022-03-30T16:19:30Z
Duplicate of #137
#1 - pauliax
2022-04-11T13:22:03Z
#137
80.3981 USDT - $80.40
https://github.com/code-423n4/2022-03-biconomy/blob/04751283f85c9fc94fb644ff2b489ec339cd9ffc/contracts/hyphen/LiquidityPool.sol#L119-L121 https://github.com/code-423n4/2022-03-biconomy/blob/04751283f85c9fc94fb644ff2b489ec339cd9ffc/contracts/hyphen/LiquidityPool.sol#L284
Executors can, unintentionally, send a huge amount of ETH
The function setBaseGas(uint128 gas)#LiquidityPool.sol should have bounds like MAXBASEGAS.
Even worse this function lacks of event emit.
As a result, executors can call sendFundsToUser and send enormous amount of ETH.
Manual code review
Add bound checks and add an event emit
#0 - pauliax
2022-04-30T17:26:06Z
🌟 Selected for report: Dravee
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xNazgul, 0xngndev, 0xwags, Cantor_Dust, CertoraInc, IllIllI, Jujic, Kenshin, Kiep, PPrieditis, TerrierLover, Tomio, WatchPug, antonttc, benk10, berndartmueller, bitbopper, csanuragjain, defsec, gzeon, hagrid, hickuphh3, kenta, minhquanym, oyc_109, pedroais, peritoflores, rfa, robee, saian, samruna, sirhashalot, throttle, wuwe1, z3s
59.5356 USDT - $59.54
Some strings do not use custom errors and some of them are longer than 32 bytes Considering shortening them.
https://github.com/code-423n4/2022-03-biconomy/blob/04751283f85c9fc94fb644ff2b489ec339cd9ffc/contracts/security/Pausable.sol#L43 https://github.com/code-423n4/2022-03-biconomy/blob/04751283f85c9fc94fb644ff2b489ec339cd9ffc/contracts/hyphen/ExecutorManager.sol#L17 https://github.com/code-423n4/2022-03-biconomy/blob/04751283f85c9fc94fb644ff2b489ec339cd9ffc/contracts/hyphen/LiquidityPool.sol#L77 https://github.com/code-423n4/2022-03-biconomy/blob/04751283f85c9fc94fb644ff2b489ec339cd9ffc/contracts/hyphen/token/LPToken.sol#L70
There is an unnecesary require at
require(msg.value != 0, "Amount cannot be 0");
This is unnecesary because two lines before you check
require( tokenManager.getDepositConfig(toChainId, NATIVE).min <= msg.value && tokenManager.getDepositConfig(toChainId, NATIVE).max >= msg.value, "Deposit amount not in Cap limit" );
Unless tokenManager.getDepositConfig(toChainId, NATIVE).min==0 and msg.value==0 the above line is a tautology