Back to reassor's contests

Yield Witch v2 contest - reassor's results

Fixed-rate borrowing and lending on Ethereum

General Information

Platform: Code4rena

Start Date: 14/07/2022

Pot Size: $25,000 USDC

Total HM: 2

Participants: 63

Period: 3 days

Judge: PierrickGT

Total Solo HM: 1

Id: 147

League: ETH

Yield

Findings Distribution

Researcher Performance

Rank: 40/63

Findings: 1

Award: $39.13

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryYield

Findings Information

🌟 Selected for report: hickuphh3

Also found by: 0x29A, 0x52, 0xNazgul, Chom, Deivitto, ElKu, Funen, IllIllI, Meera, ReyAdmirado, SooYa, TomJ, Trumpero, Waze, __141345__, ak1, asutorufos, c3phas, cRat1st0s, csanuragjain, delfin454000, exd0tpy, fatherOfBlocks, hake, hansfriese, horsefacts, hyh, karanctf, kenzo, kyteg, ladboy233, pashov, peritoflores, rajatbeladiya, rbserver, reassor, rokinot, simon135, wastewa

Awards

39.13 USDC - $39.13

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Low Risk

  1. Missing pause functionality
  2. Missing zero address checks
  3. Critical address change

Non-Critical

  1. Usage of not well-tested solidity version might contain undiscovered vulnerabilities
  2. Missing/incomplete natspec comments

1. Missing pause functionality

Risk

Low

Impact

Contract Witch is missing pause functionality that could be used in case of security incidents and would block executing selected functions while the contract is paused.

Proof of Concept

Witch.sol:

Tools Used

Manual Review / VSCode

It is recommended to add functionality for pausing contract Witch and go through all publicly/externally accessible functions to decide which one should be forbidden from running while the contract is paused.

2. Missing zero address checks

Risk

Low

Impact

Multiple functions of Witch contract do not check for zero addresses which might lead to loss of funds, failed transactions and can break the protocol functionality.

Proof of Concept

Witch.sol:

Tools Used

Manual Review / VSCode

It is recommended to add zero address checks for listed parameters.

3. Critical address change

Risk

Low

Impact

Changing critical addresses such as ownership should be a two-step process where the first transaction (from the old/current address) registers the new address (i.e. grants ownership) and the second transaction (from the new address) replaces the old address with the new one. This gives an opportunity to recover from incorrect addresses mistakenly used in the first step. If not, contract functionality might become inaccessible.

Proof of Concept

Witch.sol:

Tools Used

Manual Review / VSCode

It is recommended to implement two-step process for changing ownership.

4. Usage of not well-tested solidity version might contain undiscovered vulnerabilities

Risk

Non-Critical

Impact

Using the latest versions might make contracts susceptible to undiscovered compiler bugs.

Proof of Concept

Tools Used

Manual Review / VSCode

It is recommended to use more stable and tested solidity version such as 0.8.10.

5. Missing/incomplete natspec comments

Risk

Non-Critical

Impact

Contract Witch is missing natspec comments which makes code more difficult to read and prone to errors.

Proof of Concept

Witch.sol:

Tools Used

Manual Review / VSCode

It is recommended to add missing natspec comments.

#0 - alcueca

2022-07-22T14:17:42Z

Thanks for the suggestion for a pause functionality, and for the natspec check. Nothing else is useful or correct.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter