Platform: Code4rena
Start Date: 24/07/2023
Pot Size: $100,000 USDC
Total HM: 18
Participants: 73
Period: 7 days
Judge: alcueca
Total Solo HM: 8
Id: 267
League: ETH
Rank: 63/73
Findings: 1
Award: $15.29
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: immeas
Also found by: 0x70C9, 0xAnah, 0xArcturus, 0xComfyCat, 0xWaitress, 0xackermann, 0xkazim, 2997ms, 33audits, Arz, Aymen0909, ChrisTina, JP_Courses, John_Femi, Jorgect, Kaysoft, LosPollosHermanos, MohammedRizwan, Nyx, Rolezn, Sathish9098, Stormreckson, T1MOH, Tendency, Topmark, Udsen, Vagner, albertwh1te, ast3ros, banpaleo5, berlin-101, catellatech, cats, codetilda, cryptonue, eeshenggoh, fatherOfBlocks, hals, jamshed, jaraxxus, josephdara, kankodu, kodyvim, kutugu, lanrebayode77, mert_eren, nadin, naman1778, niki, petrichor, ravikiranweb3, said, solsaver, souilos, twcctop, wahedtalash77
15.2931 USDC - $15.29
| No | Issue | Instances |
|---|---|---|
| [L-01] | Missing Event for initialize | 3 |
| [L-02] | Gas griefing/theft is possible on unsafe external call | 1 |
| [L-03] | Use of abi.encodePacked with dynamic types inside keccak256 | 3 |
| [L-04] | Consider using OpenZeppelin's SafeCast library to prevent unexpected overflows when casting from various type int/uint values | 2 |
| [L-05] | Missing checks for address(0x0) when assigning values to address state variables | 1 |
| [L-06] | Missing checks for approve()'s return status | 1 |
| [L-07] | Signature use at deadlines should be allowed | 1 |
[L-01] Missing Event for initialize

- Line 88: `function initialize(`
- Line 23: `function initialize(address underlying_,`
- Line 26: `function initialize(ComptrollerInterface comptroller_,`
[L-02] Gas griefing/theft is possible on unsafe external call

Because of the EVM architecture, the return data of a low-level call (`(bool success,)`) is copied into memory by default. If, in a usage like the one below, the call's `out` and `outsize` values are set to (0,0), that copy no longer happens, and a possible gas griefing/theft problem originating from the external contract's return data is avoided.

- Line 59: `(bool success, ) = payable(recipient).call{`
[L-03] Use of abi.encodePacked with dynamic types inside keccak256

abi.encodePacked should not be used with dynamic types when passing the result to a hash function such as keccak256. Use abi.encode instead, which will pad items to 32 bytes, to prevent any hash collisions.

- Line 46: `nativeToken = keccak256(abi.encodePacked(_nativeToken));`
- Line 150: `feeds[keccak256(abi.encodePacked(symbol))] = AggregatorV3Interface(`
- Line 161: `return feeds[keccak256(abi.encodePacked(symbol))];`
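An added example (not part of this report or the audited code base; the contract and function names are hypothetical) showing why packing dynamic-typed arguments before hashing is collision-prone and how abi.encode avoids it:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical demo contract (not from the audited project).
contract PackedHashDemo {
    /// abi.encodePacked concatenates dynamic values without a length
    /// prefix, so ("ab", "c") and ("a", "bc") pack to the same bytes.
    function packedKey(string memory a, string memory b)
        public pure returns (bytes32)
    {
        return keccak256(abi.encodePacked(a, b));
    }

    /// abi.encode writes offsets and lengths for each argument, so the
    /// boundary between a and b is part of the hashed input.
    function encodedKey(string memory a, string memory b)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(a, b));
    }

    /// Returns (true, false): the packed keys collide, the encoded keys do not.
    function demo()
        external pure returns (bool collidesPacked, bool collidesEncoded)
    {
        collidesPacked = packedKey("ab", "c") == packedKey("a", "bc");
        collidesEncoded = encodedKey("ab", "c") == encodedKey("a", "bc");
    }
}
```

The collision requires two or more dynamic arguments packed together; with a single packed argument, as in the instances listed above, two distinct inputs cannot produce the same packed bytes.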
[L-04] Consider using OpenZeppelin's SafeCast library to prevent unexpected overflows when casting from various type int/uint values

- Line 113: `int256 scalingFactor = int256(10 ** uint256(expectedDecimals)); /// calculate expected decimals for end quote`
- Line 145: `int256 scalingFactor = int256(10 ** uint256(expectedDecimals * 2)); /// calculate expected decimals for end quote`
[L-05] Missing checks for address(0x0) when assigning values to address state variables

- Line 52: `admin = admin_;`
[L-06] Missing checks for approve()'s return status

Some tokens, such as Tether (USDT), return false rather than reverting if the approval fails. Use OpenZeppelin's safeApprove(), which reverts if there is a failure, instead.

- Line 26: `_weth.approve(address(_mToken), type(uint256).max);`
[L-07] Signature use at deadlines should be allowed

According to EIP-2612, signatures used on exactly the deadline timestamp are supposed to be allowed. While the signature may or may not be used for the exact EIP-2612 use case (transfer approvals), for consistency's sake, all deadlines should follow this semantic. If the timestamp is an expiration rather than a deadline, consider whether it makes more sense to include the expiration timestamp as a valid timestamp, as is done for deadlines.

- Line 409: `require( _endTime > block.timestamp + 1, "The _endTime parameter must be in the future!" );`
#0 - c4-judge
2023-08-11T22:02:48Z
alcueca marked the issue as grade-b
#1 - alcueca
2023-08-11T22:03:24Z
Some useful advice, but not all advice was checked against the code.