Platform: Code4rena
Start Date: 25/08/2022
Pot Size: $75,000 USDC
Total HM: 35
Participants: 147
Period: 7 days
Judge: 0xean
Total Solo HM: 15
Id: 156
League: ETH
Rank: 100/147
Findings: 1
Award: $56.31
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: zzzitron
Also found by: 0x040, 0x1f8b, 0x52, 0x85102, 0xDjango, 0xNazgul, 0xNineDec, 0xSky, 0xSmartContract, 0xkatana, 8olidity, Aymen0909, Bahurum, BipinSah, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chandr, Chom, CodingNameKiki, Deivitto, DimSon, Diraco, ElKu, EthLedger, Funen, GalloDaSballo, Guardian, IllIllI, JansenC, Jeiwan, Lambda, LeoS, Margaret, MasterCookie, PPrieditis, PaludoX0, Picodes, PwnPatrol, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, StevenL, The_GUILD, TomJ, Tomo, Trust, Waze, __141345__, ajtra, ak1, apostle0x01, aviggiano, bin2chen, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, cccz, ch13fd357r0y3r, cloudjunky, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, devtooligan, dipp, djxploit, durianSausage, eierina, enckrish, erictee, fatherOfBlocks, gogo, grGred, hansfriese, hyh, ignacio, indijanc, itsmeSTYJ, ladboy233, lukris02, martin, medikko, mics, natzuu, ne0n, nxrblsrpr, okkothejawa, oyc_109, p_crypt0, pfapostol, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, sorrynotsorry, tnevler, tonisives, w0Lfrum, yixxas
56.3094 DAI - $56.31
| Risk Rating | Number of issues |
|---|---|
| Low Risk | 3 |
| Non-Critical | 1 |
revokePolicyApprovals could be stricter
if (Policy(policy_).isActive()) revert PolicyStillActive();
As revokePolicyApprovals can be called by anyone, it is possible to revoke a non-policy contract that was given a treasury approval, if the contract has a public isActive function that returns a false value.
Consider making the address validation stricter by also checking whether the address has a public kernel function which returns the same address as TreasuryCustodian's kernel.
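The check quoted in the finding next to the stricter variant it recommends, as an added example that is not the audited project's code. Policy(...).isActive(), kernel(), TreasuryCustodian and PolicyStillActive come from the finding; the IKernelPolicy interface, the PolicyNotFound error, the withdrawApproval mapping and the tokens_ parameter are assumptions made so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration, not the audited project's code. isActive(), kernel(),
// TreasuryCustodian and PolicyStillActive follow the finding above; the
// interface, the PolicyNotFound error and the approval bookkeeping are
// assumptions that keep the example self-contained.
interface IKernelPolicy {
    function isActive() external view returns (bool);
    function kernel() external view returns (address);
}

contract TreasuryCustodianExample {
    // Kernel this custodian was installed with (assumed fixed at deployment).
    address public immutable kernel;

    // policy => token => remaining withdraw approval (assumed shape).
    mapping(address => mapping(address => uint256)) public withdrawApproval;

    error PolicyStillActive();
    error PolicyNotFound();

    constructor(address kernel_) {
        kernel = kernel_;
    }

    // Shape of the check as quoted in the finding: only isActive() is
    // consulted, so any contract whose isActive() returns false passes.
    function revokePolicyApprovalsLoose(address policy_, address[] calldata tokens_) external {
        if (IKernelPolicy(policy_).isActive()) revert PolicyStillActive();
        _zeroApprovals(policy_, tokens_);
    }

    // Stricter variant recommended by the finding: the target must also
    // report the same kernel as this custodian before approvals are cleared.
    function revokePolicyApprovals(address policy_, address[] calldata tokens_) external {
        if (IKernelPolicy(policy_).kernel() != kernel) revert PolicyNotFound();
        if (IKernelPolicy(policy_).isActive()) revert PolicyStillActive();
        _zeroApprovals(policy_, tokens_);
    }

    function _zeroApprovals(address policy_, address[] calldata tokens_) internal {
        uint256 len = tokens_.length;
        for (uint256 i; i < len; ++i) {
            withdrawApproval[policy_][tokens_[i]] = 0;
        }
    }
}
```

A target that exposes no kernel() function reverts at the external call, so the stricter variant also rejects contracts that were never policies. Because the target itself answers kernel(), the check remains a heuristic rather than a registry lookup; the Kernel's own bookkeeping of installed policies would be the authoritative source if the project exposes it.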
KernelAdapter constructor
constructor(Kernel kernel_) { kernel = kernel_; }
A faulty deployment script might deploy a module/policy with a zero address, which would render the contract useless and incur the gas cost of re-deploying the contract.
Consider adding a zero address check for kernel.
cushionFactor
Operator.sol#L134
In Operator.constructor(), there is no check to make sure that cushionFactor / configParams[0] is within the acceptable range (100 to 10000). A faulty deployment script might set a wrong value that could cause irregular behaviour during bond market creations.
Consider adding a check in constructor() to make sure the value is within the acceptable range:
if (configParams[0] > 10000 || configParams[0] < 100) revert Operator_InvalidParams();
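Both constructor checks recommended above (the zero-address check for KernelAdapter and the cushionFactor range check for Operator) in one compilable unit, as an added example that is not the audited project's code. KernelAdapter's constructor, cushionFactor = configParams[0], the 100 to 10000 bounds and Operator_InvalidParams come from the findings; the empty Kernel stub, the KernelAdapter_ZeroAddress error, the named bound constants and the trimmed Operator (inheriting KernelAdapter directly and keeping only cushionFactor) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration, not the audited project's code. The Kernel stub, the
// KernelAdapter_ZeroAddress error, the bound constants and the trimmed
// Operator contract are assumptions; the checks themselves follow the findings.
contract Kernel {}

abstract contract KernelAdapter {
    Kernel public kernel;

    error KernelAdapter_ZeroAddress();

    // Zero-address check recommended by the KernelAdapter finding: a faulty
    // deployment script can no longer leave the adapter pointing at address(0).
    constructor(Kernel kernel_) {
        if (address(kernel_) == address(0)) revert KernelAdapter_ZeroAddress();
        kernel = kernel_;
    }
}

contract Operator is KernelAdapter {
    // Acceptable range stated in the cushionFactor finding.
    uint32 public constant CUSHION_FACTOR_MIN = 100;
    uint32 public constant CUSHION_FACTOR_MAX = 10000;

    uint32 public cushionFactor;

    error Operator_InvalidParams();

    // Range check recommended by the cushionFactor finding, applied before the
    // value is stored so a misconfigured deployment reverts instead of going live.
    constructor(Kernel kernel_, uint32[8] memory configParams) KernelAdapter(kernel_) {
        if (configParams[0] > CUSHION_FACTOR_MAX || configParams[0] < CUSHION_FACTOR_MIN) {
            revert Operator_InvalidParams();
        }
        cushionFactor = configParams[0];
    }
}
```

Putting both checks in constructors means a bad deployment fails at creation time, which costs only the reverted deployment transaction rather than a live contract that has to be replaced.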
// Cache numbe of observations to save gas.
should be:
// Cache number of observations to save gas.