Platform: Code4rena
Start Date: 10/03/2022
Pot Size: $75,000 USDT
Total HM: 25
Participants: 54
Period: 7 days
Judge: pauliax
Total Solo HM: 10
Id: 97
League: ETH
Rank: 12/54
Findings: 5
Award: $1,299.02
🌟 Selected for report: 1
🚀 Solo Findings: 0
99.257 USDT - $99.26
Owners have full control over the protocol
Owners have full control over:
Manual review
Make executors decentralized. Add TimeLock for parameter changes.
#0 - ankurdubey521
2022-03-30T11:30:07Z
I agree this is an issue, but in the current iteration of Hyphen it is still a centralized system, therefore there is an implicit trust in the contract owners and executors. A decentralized version of the Hyphen bridge is in the works and will fix these issues.
#1 - pauliax
2022-04-26T11:08:30Z
I am grouping all the issues related to centralization and owner privilege risks together and making this a primary issue because it is the most generic.
🌟 Selected for report: hickuphh3
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xNazgul, 0xngndev, 0xwags, Cantor_Dust, CertoraInc, Dravee, IllIllI, PPrieditis, Ruhum, TerrierLover, WatchPug, XDms, benk10, berndartmueller, bitbopper, catchup, cmichel, cryptphi, csanuragjain, danb, defsec, gzeon, hagrid, hubble, jayjonah8, kenta, kyliek, minhquanym, rfa, robee, saian, samruna, throttle, ye0lde, z3s
119.1184 USDT - $119.12
eExecutors can contain invalid data. Executor is never removed from array
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/ExecutorManager.sol#L25 https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/ExecutorManager.sol#L46
Manual review
Not sure what the intent is. Executor array si never used within smart contracts. If it's not needed than delte it and save gas and readability. If it is needed then fix it.
Excluded user who added liquidity didn't account for totalLiquidty increase. Later, if he is removed from excluded list and tries to remove liqudity, totalLiquidty will be subtracted which can lead to DoS for other user who want to remove liquidity
Not sure if this is Medium or Low because excluding is in full custody of admins and the intention for that mechanism is not clear.
Manual review
Not sure, depends on intent
fee variables bounds are not checked. this can lead to expensive mistake
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/token/TokenManager.sol#L44 https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/token/TokenManager.sol#L84
Manual review
Validate bounds
#0 - pauliax
2022-05-17T15:25:47Z
"3 - Validate input variables bounds" could be Medium: https://github.com/code-423n4/2022-03-biconomy-findings/issues/8#issuecomment-1114023886
#1 - pauliax
2022-05-17T15:28:56Z
"2 - Excluded user who added liquidity and then was unexcluded can block the withdrawals" should be Medium: #72
🌟 Selected for report: Dravee
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xNazgul, 0xngndev, 0xwags, Cantor_Dust, CertoraInc, IllIllI, Jujic, Kenshin, Kiep, PPrieditis, TerrierLover, Tomio, WatchPug, antonttc, benk10, berndartmueller, bitbopper, csanuragjain, defsec, gzeon, hagrid, hickuphh3, kenta, minhquanym, oyc_109, pedroais, peritoflores, rfa, robee, saian, samruna, sirhashalot, throttle, wuwe1, z3s
66.3949 USDT - $66.39
Calling contract in order to get constant value is unnecessarily expensive.
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L127
Manual review
Import this constant or instantiate it.
Cache rewardRateLog[_baseToken][i] to save 1 SLOAD.
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L276
Manual review
Consider state variable
Decrement can be unchecked because i is always > 0 when decrement happens.
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L283
Manual review
Add unchecked { --i };
Call to token metadata yields return variables which are not used later.
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityProviders.sol#L54
Manual review
Remove external call to token metadata
getTokenPriceInLPShares() is called twice and yields the same result. Reuse the result to save gas
Manual review
Reuse the result form previous call to save gas
ifEnabled() can be rewrittenUnnecessary SLOAD in logical expression. Also makes code less readable.
Manual review
Refactor to:
function ifEnabled(bool _cond) private view returns (bool) { // return !areWhiteListRestrictionsEnabled || (areWhiteListRestrictionsEnabled && _cond); return !areWhiteListRestrictionsEnabled || _cond; }
tokenChecks is not necessary because function is disabling support so it doesn't matter what address token it is
Manual review
Remove tokenChecks