FEI and TRIBE Redemption contest - scaraven's results

A new DeFi primitive that allows any token to become productive and provide FEI liquidity at no cost to the markets that need it most.

General Information

Platform: Code4rena

Start Date: 09/09/2022

Pot Size: $42,000 USDC

Total HM: 2

Participants: 101

Period: 3 days

Judge: hickuphh3

Total Solo HM: 2

Id: 161

League: ETH

Tribe

Findings Distribution

Researcher Performance

Rank: 100/101

Findings: 1

Award: $33.58

🌟 Selected for report: 0

🚀 Solo Findings: 0

Issue 1: Use of Magic Values

In order to increase readability, it is recommended to replace magic values with constants. e.g.

Change

    require(_cTokens.length == 27, "Must provide exactly 27 merkle roots");

to

    uint256 public constant CTOKENS_LENGTH = 27;
    require(_cTokens.length == CTOKENS_LENGTH, "Must provide exactly 27 merkle roots");

Occurrences:

https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L138
https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L125
https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L130

Issue 2: Dev comment about decimals

In previewRedeem from TribeRedeemer it is commented that:

    // @dev, this assumes all of `tokensReceived` and `redeemedToken`
    // have the same number of decimals

This is not true: amountIn and base both carry the decimals of redeemedToken, so they cancel out, and the resulting redeemedAmount has the same number of decimals as the received ERC20 token.
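A constructed model of the proportional pay-out the finding describes (added here, not code from the Tribe repository; the formula shape amountIn * balance / base, the token names and the decimal counts are assumptions), showing that the received token keeps its own decimals even when redeemedToken has different ones:

```python
from decimal import Decimal

# Integer arithmetic as in Solidity: amountOut = amountIn * balance / base.
# amount_in and base are in redeemedToken units; each balance is in the
# received token's own units, so the redeemedToken decimals cancel out.
def preview_redeem(amount_in: int, base: int, balances: dict) -> dict:
    if base == 0:
        raise ValueError("base must be non-zero")
    return {tok: amount_in * bal // base for tok, bal in balances.items()}

def as_human(amount: int, decimals: int) -> Decimal:
    """Convert a raw token amount to a human-readable quantity."""
    return Decimal(amount) / (Decimal(10) ** decimals)

# Constructed inputs: redeemedToken has 18 decimals; the received tokens
# have 18 (DAI-like) and 6 (USDC-like) decimals.
REDEEMED_DECIMALS = 18
RECEIVED = {"DAI": 18, "USDC": 6}
balances = {"DAI": 1_000 * 10**18, "USDC": 1_000 * 10**6}
base = 10_000 * 10**REDEEMED_DECIMALS      # total redeemedToken claimable
amount_in = 2_500 * 10**REDEEMED_DECIMALS  # redeem 25% of it

def demo() -> dict:
    """Both pay-outs come out as 250 whole tokens in their own decimals."""
    out = preview_redeem(amount_in, base, balances)
    return {tok: as_human(out[tok], RECEIVED[tok]) for tok in out}

if __name__ == "__main__":
    print(demo())
```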

Issue 3: Update contract versions

Not all contracts are up to date; consider updating the Solidity version pragmas to 0.8.17.

Issue 4: No address verification when claiming cToken

In RariMerkleRedeemer, when a user calls claim() with an arbitrary cToken address, the merkle root for that address defaults to bytes32(0), so the call reverts reporting that the merkle proof is not valid, when the real error is that the cToken address is incorrect.

Add a check to make sure that the cToken address is valid, e.g.

    require(merkleRoots[_cToken] != bytes32(0), "Incorrect cToken address");