Platform: Code4rena
Start Date: 25/08/2022
Pot Size: $75,000 USDC
Total HM: 35
Participants: 147
Period: 7 days
Judge: 0xean
Total Solo HM: 15
Id: 156
League: ETH
Rank: 12/147
Findings: 4
Award: $2,107.81
Selected for report: 2
Solo Findings: 1
Selected for report: rvierdiiev
1905.4132 DAI - $1,905.41
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Operator.sol#L548
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Operator.sol#L711
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/RANGE.sol#L133
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/RANGE.sol#L145
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/RANGE.sol#L185
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Operator.sol#L780
Operator::setReserveFactor sets a new reserveFactor value. This parameter is used in the fullCapacity function to calculate how much capacity is available on the high/low side. The calculated capacity is then used by the Range module inside the regenerate function to set the capacity threshold for both sides of the market. Then, in the Range::updateCapacity function, this threshold is checked to determine whether the wall should be down and the bond market should be closed.
Changing this value means that the capacity of the sides has changed, and the sides should be regenerated to include these changes.
Call this after updating the parameter:
_regenerate(true); _regenerate(false);
#0 - Oighty
2022-09-08T18:04:14Z
Forcing a regeneration when the reserveFactor is updated could cause unintended regeneration if a wall is currently down. A better approach may be to conditionally regenerate each side if they are active.
#1 - Oighty
2022-09-12T18:23:57Z
After discussing with the team more, we are going to leave this as-is. It is more flexible to not regenerate the side in this function. With the current implementation, the guardian can determine if the change should go into effect on the next regen, or if it should happen immediately. To enable immediately, they can manually call regenerate.
Selected for report: rvierdiiev
Also found by: Jeiwan, Lambda, Trust, datapunk, devtooligan, itsmeSTYJ, zzzitron
113.9192 DAI - $113.92
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Heart.sol#L92
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Heart.sol#L103
The beat() function can be called by anyone once per frequency() period. Its purpose is to update the prices and perform other operations related to the bond market. Users who run it are rewarded. There is no need to run this function more than once per frequency() period.
However, if beat() was last called more than frequency() ago, a user can execute beat() (block.timestamp - lastBeat)/frequency() times in a row in the same block and collect the rewards.
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Heart.sol#L103
Change this line to lastBeat = block.timestamp - (block.timestamp - lastBeat) % frequency();
This way, no matter how long beat() has gone uncalled, it can be called only once per frequency().
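The arithmetic of this finding, as an added Python model (not code from the report or from Olympus): it counts how many times beat() succeeds at a single timestamp before and after the suggested change. The pre-fix update lastBeat += frequency() is an assumption inferred from the call count stated above; FREQUENCY, OutOfCycle and the reward counter are constructed for illustration.

```python
# Added model of the Heart.beat() timing check; not Olympus code.
FREQUENCY = 8 * 3600  # constructed beat period in seconds (assumption)


class OutOfCycle(Exception):
    """Hypothetical stand-in for the revert when beat() is called too early."""


class Heart:
    """Tracks only lastBeat and how many rewards were paid."""

    def __init__(self, last_beat, fixed):
        self.last_beat = last_beat
        self.fixed = fixed
        self.rewards_paid = 0

    def beat(self, now):
        # Guard shared by both variants: a full period must have elapsed.
        if now < self.last_beat + FREQUENCY:
            raise OutOfCycle()
        if self.fixed:
            # Mitigation from the report: snap lastBeat to the most recent
            # period boundary, discarding every missed period at once.
            self.last_beat = now - (now - self.last_beat) % FREQUENCY
        else:
            # Assumed pre-fix update: advance by one period per call, so a
            # long gap leaves several calls' worth of "credit".
            self.last_beat += FREQUENCY
        self.rewards_paid += 1


def beats_in_one_block(last_beat, now, fixed):
    """Call beat() at one timestamp until it reverts.

    Returns (successful calls, final lastBeat).
    """
    heart = Heart(last_beat, fixed)
    while True:
        try:
            heart.beat(now)
        except OutOfCycle:
            return heart.rewards_paid, heart.last_beat


if __name__ == "__main__":
    start = 1_000_000                      # constructed timestamps
    now = start + 5 * FREQUENCY + 100      # five missed periods plus 100 s
    print("before fix:", beats_in_one_block(start, now, fixed=False))
    print("after fix: ", beats_in_one_block(start, now, fixed=True))
```

Both variants finish with the same lastBeat, so the change removes the extra rewarded calls without shifting the beat schedule.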
#0 - Oighty
2022-09-07T21:06:18Z
See comment on #405. This approach actually solves both of our issues though.
#1 - 0xean
2022-09-19T13:25:29Z
going to use this issue as the primary since the solution is elegant and solves the problem.
Selected for report: zzzitron
Also found by: 0x040, 0x1f8b, 0x52, 0x85102, 0xDjango, 0xNazgul, 0xNineDec, 0xSky, 0xSmartContract, 0xkatana, 8olidity, Aymen0909, Bahurum, BipinSah, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chandr, Chom, CodingNameKiki, Deivitto, DimSon, Diraco, ElKu, EthLedger, Funen, GalloDaSballo, Guardian, IllIllI, JansenC, Jeiwan, Lambda, LeoS, Margaret, MasterCookie, PPrieditis, PaludoX0, Picodes, PwnPatrol, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, StevenL, The_GUILD, TomJ, Tomo, Trust, Waze, __141345__, ajtra, ak1, apostle0x01, aviggiano, bin2chen, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, cccz, ch13fd357r0y3r, cloudjunky, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, devtooligan, dipp, djxploit, durianSausage, eierina, enckrish, erictee, fatherOfBlocks, gogo, grGred, hansfriese, hyh, ignacio, indijanc, itsmeSTYJ, ladboy233, lukris02, martin, medikko, mics, natzuu, ne0n, nxrblsrpr, okkothejawa, oyc_109, p_crypt0, pfapostol, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, sorrynotsorry, tnevler, tonisives, w0Lfrum, yixxas
55.9036 DAI - $55.90
instructionsId_ exists. Better to revert with a message than return zeroes.
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/INSTR.sol#L38
proposalId_ exists. Better to revert with a message than return zeroes.
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Governance.sol#L146
instructions_ is empty at the top of the function. Save user's gas.
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Governance.sol#L160
yesVotesForProposal[activeProposal.proposalId] is bigger than noVotesForProposal[activeProposal.proposalId] and revert with a special error rather than an underflow error.
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Governance.sol#L266
KERNEL::configureDependencies function use modifier onlyKernel as this should be called by kernel.
https://github.com/code-423n4/2022-08-olympus/blob/main/src/Kernel.sol#L139
Selected for report: pfapostol
Also found by: 0x040, 0x1f8b, 0x85102, 0xDjango, 0xNazgul, 0xNineDec, 0xSmartContract, 0xkatana, Amithuddar, Aymen0909, Bnke0x0, CertoraInc, Chandr, CodingNameKiki, Deivitto, Dionysus, Diraco, ElKu, Fitraldys, Funen, GalloDaSballo, Guardian, IllIllI, JC, JansenC, Jeiwan, LeoS, Metatron, Noah3o6, RaymondFam, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, Ruhum, Saintcode_, Shishigami, Sm4rty, SooYa, StevenL, Tagir2003, The_GUILD, TomJ, Tomo, Waze, __141345__, ajtra, apostle0x01, aviggiano, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, cccz, ch0bu, chrisdior4, d3e4, delfin454000, djxploit, durianSausage, erictee, exolorkistis, fatherOfBlocks, gogo, grGred, hyh, ignacio, jag, karanctf, kris, ladboy233, lukris02, m_Rassska, martin, medikko, natzuu, ne0n, newfork01, oyc_109, peiw, rbserver, ret2basic, robee, rokinot, rvierdiiev, sikorico, simon135, tnevler, zishansami
32.5835 DAI - $32.58
external modifier instead of public to save deployment gas.
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/INSTR.sol#L37
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/MINTR.sol#L33
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/MINTR.sol#L37
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/TRSRY.sol#L75
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Governance.sol#L145
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Governance.sol#L151