Astaria contest - sakshamguruji's results

On a mission is to build a highly liquid NFT lending market.

General Information

Platform: Code4rena

Start Date: 05/01/2023

Pot Size: $90,500 USDC

Total HM: 55

Participants: 103

Period: 14 days

Judge: Picodes

Total Solo HM: 18

Id: 202

League: ETH

Astaria

Findings Distribution

Researcher Performance

Rank: 76/103

Findings: 1

Award: $51.32

QA:

grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Astaria

Findings Information

🌟 Selected for report: ladboy233

Also found by: 0x1f8b, 0xAgro, 0xSmartContract, 0xbepresent, 0xkato, Aymen0909, CodingNameKiki, Cryptor, Deekshith99, Deivitto, HE1M, IllIllI, Kaysoft, Koolex, PaludoX0, Qeew, RaymondFam, Rolezn, Sathish9098, Tointer, a12jmx, arialblack14, ast3ros, ayeslick, bin2chen, btk, caventa, ch0bu, chaduke, chrisdior4, delfin454000, descharre, evan, fatherOfBlocks, georgits, gz627, jasonxiale, joestakey, kaden, lukris02, nicobevi, nogo, oberon, oyc_109, pfapostol, rbserver, sakshamguruji, seeu, shark, simon135, slvDev, synackrst, tnevler, whilom, zaskoh

Awards

51.3151 USDC - $51.32

Labels

bug

grade-b

QA (Quality Assurance)

Q-15

External Links

Link to GitHub issue

INCONSISTENT COMMENTS WITH THE DOCS

Description:

The docs mention that in the private vault only the owner can deposit . But in the github contest page for the vault description it says "PrivateVault contract, where only permissioned lenders can deposit funds." But now there are no permissioned lenders , just the owner . Before the router was apart of the deposit flow into the private vaults as well as letting the strategists delegate deposit but the team removed both of those. Now only the owner can deposit.

Also if it more than owner could have deposited , then it could have resulted in a rugpull as the owner can withdraw all the funds directly here https://github.com/code-423n4/2023-01-astaria/blob/main/src/Vault.sol#L70

pullToken SHOULD BE MADE INTERNAL

Description:

The pullTokens https://github.com/AstariaXYZ/astaria-gpl/blob/4b49fe993d9b807fe68b3421ee7f2fe91267c9ef/src/ERC4626Router.sol#L17
should be an internal function as it is only meant to be called from depositToVault , depositMax , redeemMax. Calling the pullTokens might induce problems if it pulls token from the vault.

ALLOWANCE SHOULD BE SET TO 0 FIRST

Description:

Read here https://docs.google.com/document/d/1YLPtQxZu1UAvO9cZ1O2RPXBbT0mooh4DYKjA_jp-RLM/edit#heading=h.44kttz4zxoa to see why allowance should be set to 0 first as it may lead to use old allowance value instead of new value.

UNNECESSARY CHECK IN LienToken CONTRACT

Description:

In the modifier validatestack we are already performing the bytes(0) check here https://github.com/code-423n4/2023-01-astaria/blob/main/src/LienToken.sol#L268 so there's no need for stateHash != bytes32(0) here https://github.com/code-423n4/2023-01-astaria/blob/main/src/LienToken.sol#L271

THE VARIABLE currentWithdrawProxy SHOULD BE RENAMED

Description:

The variable here https://github.com/code-423n4/2023-01-astaria/blob/main/src/PublicVault.sol#L366 should be renamed to something else as this variable does not depict the current epoch but one epoch before because it's lagging by over the current.

SAME CHECK DONE TWICE IN A FUNCTION

Description:

In this function https://github.com/code-423n4/2023-01-astaria/blob/main/src/CollateralToken.sol#L331 we have used the modifier onlyOwner(collateralId) and inside the body of the function we have checked if (msg.sender != ownerOf(collateralId)) { revert which does the same check as the modifier. One of these should be removed.

REQUIRE STATEMENT USED IN SPITE OF HAVING A MODIFIER

Description:

The require statement used here https://github.com/code-423n4/2023-01-astaria/blob/main/src/WithdrawProxy.sol#L138 should be dropped and the modifier onlyVault at https://github.com/code-423n4/2023-01-astaria/blob/main/src/WithdrawProxy.sol#L230 should be used instead for better consistency and readability.

AVOID THE USE OF TIME-BASED CHECKS USING block.timestamp

Description:

Values produced by block.timestamp/block.number can be manipulated to some extent therefore services like chainlink or any other decentralised oracle should be used .

For example: https://github.com/code-423n4/2023-01-astaria/blob/main/src/LienToken.sol#L247

NAME THE FUNCTION SOMETHING DIFFERENT TO AVOID CONFUSION

Description:

Functions here https://github.com/code-423n4/2023-01-astaria/blob/main/src/LienToken.sol#L608 and here https://github.com/code-423n4/2023-01-astaria/blob/main/src/LienToken.sol#L596 should not be named same as they might induce confusion , name the other something different. Same with these https://github.com/code-423n4/2023-01-astaria/blob/main/src/LienToken.sol#L742 and https://github.com/code-423n4/2023-01-astaria/blob/main/src/LienToken.sol#L747

MISSING DOCSTRINGS

Description:

Many functions in the code base lack documentation. This hinders reviewers’ understanding of the code’s intention, which is fundamental to correctly assess not only security, but also correctness. Additionally, docstrings improve readability and ease maintenance. They should explicitly explain the purpose or intention of the functions, the scenarios under which they can fail, the roles allowed to call them, the values returned and the events emitted.

Consider thoroughly documenting all functions (and their parameters) that are part of the contracts’ public API. Functions implementing sensitive functionality, even if not public, should be clearly documented as well. When writing docstrings, consider following the Ethereum Natural Specification Format (NatSpec).

For example , there is no documentation about the pullTokens function in the CollateralToken contract.

NO ZERO ADDRESS/AMOUNT CHECKS

Description:

No zero address checks in the below mentioned pieces of code. In functions like transfer , mint and deposit if by mistake provided a 0 address , it can lead to permanent loss of funds , also in functions where we set important roles 0-address checks should be implemented.

Affected Instances:

TYPO IN Vault CONTRACT

Description:

There's a typo here https://github.com/code-423n4/2023-01-astaria/blob/main/src/Vault.sol#L90 , change vautls to vaults

#0 - liveactionllama
2023-01-19T19:08:18Z

Note: warden was experiencing technical difficulties prior to contest close and was unable to edit their own submission. As a workaround, they submitted edits via C4 help request approximately 1 hour prior to contest close. Those updates have been made manually by the C4 team on their behalf.

#1 - c4-judge
2023-01-26T14:19:21Z

Picodes marked the issue as grade-b

Astaria contest - sakshamguruji's results

On a mission is to build a highly liquid NFT lending market.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-15] QA Report - $51.32

Findings Information

Awards

Labels

External Links

INCONSISTENT COMMENTS WITH THE DOCS

Description:

pullToken SHOULD BE MADE INTERNAL

Description:

ALLOWANCE SHOULD BE SET TO 0 FIRST

Description:

UNNECESSARY CHECK IN LienToken CONTRACT

Description:

THE VARIABLE currentWithdrawProxy SHOULD BE RENAMED

Description:

SAME CHECK DONE TWICE IN A FUNCTION

Description:

REQUIRE STATEMENT USED IN SPITE OF HAVING A MODIFIER

Description:

AVOID THE USE OF TIME-BASED CHECKS USING block.timestamp

Description:

NAME THE FUNCTION SOMETHING DIFFERENT TO AVOID CONFUSION

Description:

MISSING DOCSTRINGS

Description:

NO ZERO ADDRESS/AMOUNT CHECKS

Description:

TYPO IN Vault CONTRACT

Description:

#0 - liveactionllama2023-01-19T19:08:18Z

#1 - c4-judge2023-01-26T14:19:21Z

#0 - liveactionllama
2023-01-19T19:08:18Z

#1 - c4-judge
2023-01-26T14:19:21Z