Platform: Code4rena
Start Date: 26/09/2022
Pot Size: $50,000 USDC
Total HM: 13
Participants: 113
Period: 5 days
Judge: 0xean
Total Solo HM: 6
Id: 166
League: ETH
Rank: 66/113
Findings: 1
Award: $52.04
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xNazgul
Also found by: 0x1f8b, 0x52, 0xDecorativePineapple, 0xSmartContract, 0xmatt, Aeros, Aymen0909, Bnke0x0, Chom, CodingNameKiki, Deivitto, DimitarDimitrov, IllIllI, JC, Jeiwan, Lambda, Matin, Migue, Mukund, Ocean_Sky, Olivierdem, RaymondFam, RockingMiles, Rolezn, Ruhum, Satyam_Sharma, Shinchan, Tomo, Trabajo_de_mates, V_B, Waze, __141345__, a12jmx, ajtra, asutorufos, aysha, brgltd, bulej93, carrotsmuggler, catchup, cccz, chrisdior4, cryptonue, cryptphi, d3e4, defsec, delfin454000, durianSausage, erictee, fatherOfBlocks, gogo, kaden, karanctf, ladboy233, lukris02, mahdikarimi, martin, mics, natzuu, oyc_109, p_crypt0, pedr02b2, rbserver, reassor, rotcivegaf, rvierdiiev, sikorico, slowmoses, sorrynotsorry, tnevler, trustindistrust
52.0441 USDC - $52.04
AlgebraPool.sol's initialize() function is implemented to set a fresh pair's initial price and ticks.
It checks the globalState.price == 0 to set the values. However, if somehow, the globalState.price drops to zero after the swap function, an orchestrated actor can re-initialize the pool with a higher price to inflate the underlying token price.
DataStorage.sol's write() function checks the timestamp as if (_last.blockTimestamp == blockTimestamp) and returns with index
However, if the chain is forked and there are reorgs, this check can result in wrong indexing. There might a manual implementation of setting indexes in this rare case and it would be best if the contract would have the features of pausable.sol to save the day.
The owner address is having too much authority to set many things at the codebase. A divided role model assignment would serve better for the codebase in terms of risk management. E.g. ;
The owner calls setVaultAddress of his EOA and receives the assets.
The owner calls setFactory in AlgebraPoolDeployer and set the new factory address as his contract address and diverts the user assets into his own managed pools.
Critical address / value changes are not done in two steps for the following methods:
AlgebraFactory.sol's setOwner() function.
The scoped contracts are missing proper NatSpec comments such as @notice @dev @param on many places.It is recommended that Solidity contracts are fully annotated using NatSpec for all public interfaces (everything in the ABI) Reference
The scoped contracts have different solidity compiler ranges referenced. This leads to potential security flaws between deployed contracts depending on the compiler version chosen for any particular file. It also greatly increases the cost of maintenance as different compiler versions have different semantics and behavior. Current Solidity version available is 0.8.17
AlgebraPool.sol's _writeTimepoint() function's liquidity, volumePerLiquidityInBlock variables are shadowed with the global ones.