Platform: Code4rena
Start Date: 28/11/2022
Pot Size: $192,500 USDC
Total HM: 33
Participants: 106
Period: 11 days
Judge: LSDan
Total Solo HM: 15
Id: 186
League: ETH
Rank: 61/106
Findings: 2
Award: $115.15
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0xNazgul, Atarpara, Awesome, Aymen0909, BClabs, Kong, ali_shehab, bullseye, chaduke, csanuragjain, datapunk, fatherOfBlocks, hansfriese, kaliberpoziomka8552, nicobevi, pashov, pzeus, shark, unforgiven, web3er, xiaoming90
11.2335 USDC - $11.23
There is no modifier to check if the msg.caller has the required role in order to execute the function. Therefore, removeFeeder() could be called by everyone and setting a feeder of their liking and potentially to compromise critically the whole protocol
Manual review
Add onlyRole(DEFAULT_ADMIN_ROLE) modifer to the removeFeeder() method
#0 - c4-sponsor
2022-12-06T01:39:07Z
yubo-ruan marked the issue as sponsor confirmed
#1 - c4-judge
2022-12-20T16:58:13Z
dmvt marked the issue as duplicate of #31
#2 - c4-judge
2023-01-23T16:09:41Z
dmvt marked the issue as partial-25
🌟 Selected for report: IllIllI
Also found by: 0x4non, 0x52, 0xAgro, 0xNazgul, 0xSmartContract, 0xackermann, 9svR6w, Awesome, Aymen0909, B2, BRONZEDISC, Bnke0x0, Deekshith99, Deivitto, Diana, Dravee, HE1M, Jeiwan, Kaiziron, KingNFT, Lambda, Mukund, PaludoX0, RaymondFam, Rolezn, Sathish9098, Secureverse, SmartSek, __141345__, ahmedov, ayeslick, brgltd, cccz, ch0bu, chrisdior4, cryptonue, cryptostellar5, csanuragjain, datapunk, delfin454000, erictee, gz627, gzeon, helios, i_got_hacked, ignacio, imare, jadezti, jayphbee, joestakey, kankodu, ksk2345, ladboy233, martin, nadin, nicobevi, oyc_109, pashov, pavankv, pedr02b2, pzeus, rbserver, ronnyx2017, rvierdiiev, shark, unforgiven, xiaoming90, yjrwkk
103.9175 USDC - $103.92
In general, missing a lot of dev and not only comments that will suit greatly to all auditors, future audits or even new developers that will be potentially onboarded Although, this does not have any impact on the protocol itself, I think this will smoothen up a lot of things in the furure
Some examples are SeaportAdapter.sol and X2Y2Adapter.sol
Also, in a lot of cases, the function behaviour and params explanation are placed inside the interface contracts of the contracts that are implementing those functionalities. This makes the whole process uncomfortable and annoying
There are also examples of no comments on complex math calculations DefaultReserveAuctionStrategy.sol
Add missing useful comments where needed
Unnecessary onlyWhenFeederExisted(_feeder) modifier used in the internal _removeFeeder() function. The same modifier is used inside the external removeFeeder() which calls the internal _removeFeeder() function
Remove onlyWhenFeederExisted(_feeder) modifier from the internal _removeFeeder() function since it is only called by the external removeFeeder()
Unnecessary onlyWhenAssetExisted(_asset) modifier used in the internal _removeAsset() function. The same modifier is used inside the external _removeAsset() which calls the internal _removeAsset() function
Remove onlyWhenAssetExisted(_asset) modifier from the internal _removeAsset() function since it is only called by the external removeAsset()
There are getters which can be reused inside a contract
Use getSourceOfAsset() on every assetsSources[asset] occurence inside ParaSpaceOracle.sol contract and getFallbackOracle() on every address(_fallbackOracle) occurrence
There are a lot of places where an event should be emitted in order to point that some action was executed. Since using the events we can consider whether or not something should happen on the front-end or search for an information by event indexed values, there should be emitted events on important protocol actions
PoolParameters.sol 1, 2, 3, 4, 5 & 6
Declare events and use them at the proper places
There are missing access modifiers on public/exernal methods. In these cases, it can result in exposing customers data or some important protocol variables
PoolParameters.sol 1 & 2
PoolLogic.sol - 1
Use access modifiers in order to restrict who can call the functions
#0 - c4-judge
2023-01-25T11:36:55Z
dmvt marked the issue as grade-b