Platform: Code4rena
Start Date: 07/04/2022
Pot Size: $100,000 USDC
Total HM: 20
Participants: 62
Period: 7 days
Judge: LSDan
Total Solo HM: 11
Id: 107
League: ETH
Rank: 42/62
Findings: 2
Award: $177.29
๐ Selected for report: 0
๐ Solo Findings: 0
25.7805 USDC - $25.78
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/NFTVault.sol#L459 https://github.com/code-423n4/2022-04-jpegd/blob/59e288c27e1ff1b47505fea2e5434a7577d85576/contracts/vaults/FungibleAssetVaultForDAO.sol#L105
Contracts NFTVault.sol and FungibleAssetVaultForDAO use Chainlink's latestAnswer as an oracle for prices of multiple assets. This function will return the last value, but it is not possible to check if the provided data is fresh. In addition latestAnswer has been marked as deprecated and if at some point Chainlink stops supporting deprecated APIs the protocol will stop working and it will be required to redeploy contracts.
Manual Review / VSCode
Use the latestRoundData function to retrieve prices of the assets. Add checks on the returned data with proper revert messages if the price is stale or the round is uncomplete, for example:
( roundId, rawPrice, , updateTime, answeredInRound ) = AggregatorV3Interface(XXXXX).latestRoundData(); require(rawPrice > 0, "price <= 0"); require(updateTime != 0, "incomplete round"); require(answeredInRound >= roundId, "stale price");
#0 - spaghettieth
2022-04-13T11:39:12Z
Duplicate of #4
๐ Selected for report: Dravee
Also found by: 0x1f8b, 0xDjango, 0xkatana, AuditsAreUS, Cityscape, Foundation, Funen, Hawkeye, IllIllI, JC, JMukesh, Jujic, Kthere, PPrieditis, Picodes, Ruhum, TerrierLover, TrungOre, WatchPug, berndartmueller, catchup, cccz, cmichel, delfin454000, dy, ellahi, hickuphh3, horsefacts, hubble, hyh, ilan, jayjonah8, kebabsec, kenta, minhquanym, pauliax, rayn, reassor, rfa, robee, samruna
151.5077 USDC - $151.51
The Istanbul hardfork increases the gas cost of the SLOAD operation and therefore breaks some existing smart contracts.
Contract FungibleAssetVaultForDAO.sol for withdrawing ETH collateral uses the transfer function, which has a fixed gas stipend and can fail.
The reason behind this is that, after the Istanbul hardfork, any smart contract that uses transfer() or send() is taking a hard dependency on a gas costs by forwarding a fixed amount of gas (2300). This forwards 2300 gas, which may not be enough if the recipient is a contract and the cost of gas changes.
It is recommended to use safe wrapper library, such as the OpenZeppelin Address libraryโs and its sendValue function that forwards sufficient gas for the transfer regardless of the underlying OPCODE gas costs.
#0 - spaghettieth
2022-04-13T11:37:29Z
Duplicate of #39
#1 - dmvt
2022-04-26T14:17:25Z
See comment on #39. This is a QA issue.
#2 - JeeberC4
2022-05-02T19:11:32Z
Generating QA Report as judge downgraded issue. Preserving original title: Usage of legacy ETH transfer function