Platform: Code4rena
Start Date: 05/01/2023
Pot Size: $90,500 USDC
Total HM: 55
Participants: 103
Period: 14 days
Judge: Picodes
Total Solo HM: 18
Id: 202
League: ETH
Rank: 46/103
Findings: 1
Award: $253.34
π Selected for report: 0
π Solo Findings: 0
π Selected for report: ladboy233
Also found by: 0x1f8b, 0xAgro, 0xSmartContract, 0xbepresent, 0xkato, Aymen0909, CodingNameKiki, Cryptor, Deekshith99, Deivitto, HE1M, IllIllI, Kaysoft, Koolex, PaludoX0, Qeew, RaymondFam, Rolezn, Sathish9098, Tointer, a12jmx, arialblack14, ast3ros, ayeslick, bin2chen, btk, caventa, ch0bu, chaduke, chrisdior4, delfin454000, descharre, evan, fatherOfBlocks, georgits, gz627, jasonxiale, joestakey, kaden, lukris02, nicobevi, nogo, oberon, oyc_109, pfapostol, rbserver, sakshamguruji, seeu, shark, simon135, slvDev, synackrst, tnevler, whilom, zaskoh
253.3371 USDC - $253.34
owner variable.Since PublicVault is derived from VaultImplementation which is derived from AstariaVaultBase
almost all function shadow AstariaVaultBase.owner variable which can lead to unexpected behavior. To avoid this behavior better to use _owner in function params
solc-0.8.17 is not recommended for deployment since it can have unknown bugs.
Better to deploy using solc-0.8.16
Itβs also reduce contract size and saves some deployment gas
file: VaultImplementation.sol function disableAllowList() external virtual function enableAllowList() external virtual After Merging function enableAllowList(bool var) external virtual { ^ true of false ... _loadVISlot().allowListEnabled = var; emit AllowListEnabled(var); }
Since VaultImplementation is an abstract contract and is derived from AstariaVaultBase where name() and symbol() are already declared no need to declare them again.
file: VaultImplementation.sol function name() external view virtual override returns (string memory); function symbol() external view virtual override returns (string memory);
Also it will saves gas on deposit() call.
file: PublicVault.sol function deposit(uint256 amount, address receiver) public override(ERC4626Cloned) whenNotPaused returns (uint256) { VIData storage s = _loadVISlot(); if (s.allowListEnabled) { require(s.allowList[receiver]); } uint256 assets = totalAssets(); // <- Unused local variable return super.deposit(amount, receiver); }
Function disableAllowList() enableAllowList() and modifyAllowList() is not generic and should not be implemented in Vault. This function is only for Public Vault so they should be removed from VaultImplementation since itβs a generic abstract contact for vaults. Declare this function in IPublicVault and implement it only in PublicVault. It also reduces contract size and saves some deployment gas.
file: Vault.sol function disableAllowList() external pure override(VaultImplementation) { function enableAllowList() external pure override(VaultImplementation) { function modifyAllowList(address, bool) external pure override(VaultImplementation) {
params passed to _beforeCommitToLien never used in VaultImplementation or in overridden functions in derived contracts.
file: VaultImplementation.sol function _beforeCommitToLien(IAstariaRouter.Commitment calldata params)
No need to explicitly convert 0 to uint256. This issue is found everywhere in the code
file: PublicVault.sol if (timeToEpochEnd() > 0) { if (timeToEpochEnd() == uint256(0)) { if (s.withdrawReserve > 0) { if (s.withdrawReserve > uint256(0)) {
file: LienToken.sol uint256 i; for (i; i < n; ) {
ClearingHouse should inherit from IRouterBase since it implement ROUTER() and IMPL_TYPE() that declared in IRouterBase
file: ClearingHouse.sol function ROUTER() external view returns (IAstariaRouter); function IMPL_TYPE() external view returns (uint8);
#0 - c4-judge
2023-01-26T14:05:32Z
Picodes marked the issue as grade-a