Platform: Code4rena
Start Date: 24/10/2023
Pot Size: $36,500 USDC
Total HM: 4
Participants: 147
Period: 6 days
Judge: 0xDjango
Id: 299
League: ETH
Rank: 105/147
Findings: 1
Award: $4.52
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xmystery
Also found by: 0x11singh99, 0xAadi, 0xAlix2, 0xG0P1, 0xStalin, 0xWaitress, 0x_Scar, 0xhacksmithh, 0xhunter, 0xpiken, Al-Qa-qa, Arz, Avci, Bauchibred, BeliSesir, Breeje, Bughunter101, DarkTower, Eeyore, Fitro, HChang26, Imlazy0ne, J4X, JCK, Kaysoft, Kral01, Madalad, Mike_Bello90, Noro, PASCAL, PENGUN, Proxy, Rickard, Shubham, SovaSlava, Strausses, Team_Rocket, ThreeSigma, Topmark, Udsen, Walter, Yanchuan, Zach_166, ZanyBonzy, adam-idarrha, adeolu, almurhasan, arjun16, ast3ros, asui, ayden, btk, cartlex_, castle_chain, cccz, chainsnake, codynhat, critical-or-high, cryptonue, csanuragjain, deepkin, degensec, dirk_y, erebus, foxb868, ge6a, hunter_w3b, jasonxiale, kkkmmmsk, lanrebayode77, lsaudit, marchev, matrix_0wl, max10afternoon, nuthan2x, oakcobalt, oxchsyston, pavankv, peanuts, pep7siup, pipidu83, pontifex, ptsanev, qpzm, radev_sw, rokinot, rotcivegaf, rvierdiiev, sorrynotsorry, squeaky_cactus, supersizer0x, tnquanghuy0512, twcctop, twicek, young, zhaojie, ziyou-
4.5226 USDC - $4.52
verifyNonce first param returns always trueThe boolean value returned by the function verifyNonce is returned by (_deduplicateOrder)[https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/EthenaMinting.sol#L392] function and finally used by mint and redeem functions
The value is always true so the call it's never revert with Duplicate() error
verifyOrder first param returns always trueThe boolean value returned by the function verifyOrder is always true and is not used by the contract, I recommend remove this returned value and returning only taker_order_hash
owner inherit from SingleAdminAccessControlowner param variable is shadowing owner() inherit from SingleAdminAccessControl
Recommendation: use _owner instead of owner to avoid collissions as you do on for example StakedUSDe.sol#L225
error InvalidAffirmedAmount in IEthenaMinting.sol#L47error SlippageExceeded(); on IStakedUSDe.sol#L18Recommendation: remove or use this errors
SafeERC20.sol is imported but not used:
Recommendation: remove unused import
CustodyWalletAdded on IEthenaMintingEvents.sol#L29CustodyWalletRemoved on IEthenaMintingEvents.sol#L29SiloUpdated on IStakedUSDeCooldown.sol#L17Critical functions should emit events
setMaxMintPerBlock on EthenaMinting.sol#L219setMaxRedeemPerBlock on EthenaMinting.sol#L224disableMintRedeem on EthenaMinting.sol#L229Recommendation: emit events on critical functions
As stated in the EIP712 standard - "The array values are encoded as the keccak256 hash of the concatenated encodeData of their contents". This is not correctly followed in EthenaMinting::encodeRoute as it does not do this for the Route struct array fields. While this is usually a more serious problem, the method is not called in the protocol and can just be removed.
Nonce can overflow and even if do a safeCast only con be used 256
#0 - c4-pre-sort
2023-11-02T01:32:12Z
raymondfam marked the issue as sufficient quality report
#1 - c4-judge
2023-11-14T17:10:42Z
fatherGoose1 marked the issue as grade-b