bunker.finance contest - throttle's results

The easiest way to borrow against your NFTs.

General Information

Platform: Code4rena

Start Date: 03/05/2022

Pot Size: $50,000 USDC

Total HM: 4

Participants: 46

Period: 5 days

Judge: gzeon

Total Solo HM: 2

Id: 117

League: ETH

bunker.finance

Findings Distribution

Researcher Performance

Rank: 10/46

Findings: 3

Award: $439.72

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: cccz

Also found by: 0x1f8b, 0xNazgul, GimelSec, IllIllI, Ruhum, hake, kebabsec, oyc_109, sorrynotsorry, throttle, tintin

Labels

bug
duplicate
2 (Med Risk)

Awards

298.5767 USDC - $298.58

External Links

Lines of code

https://github.com/bunkerfinance/bunker-protocol/blob/main/contracts/PriceOracleImplementation.sol#L29

Vulnerability details

Impact

Deprecated Chainlink oracle API. API might stop working. Prices could be outdated. Protocol might need to be redeployed or false prices might lead to users losing funds.

Proof of Concept

https://github.com/bunkerfinance/bunker-protocol/blob/main/contracts/PriceOracleImplementation.sol#L29

The contracts use Chainlink's deprecated API latestAnswer(). Such functions might suddenly stop working if Chainlink stops supporting deprecated APIs.

Additionally, one cannot check whether the returned price is fresh: latestAnswer() returns no round or timestamp data, so the price might be stale (an old historical price).

Tools Used

Manual review

Recommended Mitigation Steps

Use the latestRoundData() function to get the price instead. Add checks on the returned data with proper revert messages if the price is stale or the round is incomplete, for example:

(uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) = oracle.latestRoundData();
require(answeredInRound >= roundID, "...");
require(timeStamp != 0, "...");
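The following is an added example, not bunker-protocol code, showing the mitigation above carried through into a complete price consumer: latestAnswer() is replaced by latestRoundData(), and the answer is rejected when it is non-positive, when the round is incomplete, when the answer belongs to an earlier round, or when it is older than a configured staleness window. AggregatorV3Interface is Chainlink's public aggregator interface; the contract name, the maxStaleness window and the 18-decimal normalisation are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added example (not bunker-protocol code): a hardened Chainlink read that
// replaces latestAnswer() with latestRoundData() and validates the result.
// AggregatorV3Interface is Chainlink's public interface; the feed address,
// the staleness window and the ChainlinkPriceConsumer name are assumptions.

interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract ChainlinkPriceConsumer {
    AggregatorV3Interface public immutable feed;
    // Maximum accepted age of an answer. Set per feed from its documented
    // heartbeat plus a tolerance (the value is a deployment-time assumption).
    uint256 public immutable maxStaleness;

    error InvalidPrice(int256 answer);
    error RoundNotComplete();
    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt, uint256 nowTs);

    constructor(address feed_, uint256 maxStaleness_) {
        feed = AggregatorV3Interface(feed_);
        maxStaleness = maxStaleness_;
    }

    /// @notice Returns the latest validated price scaled to 18 decimals.
    function getPrice() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        // A zero or negative answer is never a valid asset price.
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round has not been completed yet.
        if (updatedAt == 0) revert RoundNotComplete();
        // The answer must belong to the round being reported, not an earlier one.
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);
        // Reject answers older than the configured staleness window.
        if (block.timestamp - updatedAt > maxStaleness) revert StalePrice(updatedAt, block.timestamp);

        // Normalise to 18 decimals so callers do not depend on feed-specific decimals.
        uint8 dec = feed.decimals();
        uint256 price = uint256(answer);
        if (dec < 18) {
            price = price * 10 ** (18 - dec);
        } else if (dec > 18) {
            price = price / 10 ** (dec - 18);
        }
        return price;
    }
}
```

The answeredInRound comparison is the check the finding proposes; on current Chainlink feeds answeredInRound is documented as deprecated and simply equals roundId, so in practice the updatedAt age check is the one that catches a stalled feed. The staleness window has to be chosen per feed from its heartbeat, and an oracle read that reverts on stale data means every protocol function that prices collateral will also revert until the feed recovers, which is the intended fail-closed behaviour for a lending protocol.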

#0 - bunkerfinance-dev

2022-05-09T18:19:43Z

Duplicate of #1

Awards

93.5794 USDC - $93.58

Labels

bug
QA (Quality Assurance)

External Links

[L-01] No event emission for new nft price oracle

Description

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Comptroller.sol#L764

Consider emitting an event

-----------------------------------------------------------------

[L-02] Missing 0 address check

Description

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Comptroller.sol#L731

New admin is not checked against 0 value.

Consider checking if new admin address is not 0
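As an added example covering both L-01 and L-02 (not bunker-protocol code), the admin setters below emit an event on every oracle and admin change and reject the zero address before storing it. The interface, function and event names are assumptions modelled on the Compound-style Comptroller pattern the linked contract follows; the two-step admin transfer is likewise an illustrative choice.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added example (not bunker-protocol code): admin setters written the way the
// two findings above recommend. Interface, function and event names are
// assumptions modelled on the Compound-style Comptroller pattern.

interface INftPriceOracle {
    function getUnderlyingPrice(address cAsset) external view returns (uint256);
}

contract AdminSetters {
    address public admin;
    address public pendingAdmin;
    INftPriceOracle public nftPriceOracle;

    // L-01: events let off-chain monitors and indexers see every oracle and
    // admin change instead of having to poll storage.
    event NewNftPriceOracle(address indexed oldOracle, address indexed newOracle);
    event NewPendingAdmin(address indexed oldPendingAdmin, address indexed newPendingAdmin);
    event NewAdmin(address indexed oldAdmin, address indexed newAdmin);

    error Unauthorized();
    error ZeroAddress();

    modifier onlyAdmin() {
        if (msg.sender != admin) revert Unauthorized();
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    function _setNftPriceOracle(INftPriceOracle newOracle) external onlyAdmin {
        // A zero oracle would make every price lookup revert.
        if (address(newOracle) == address(0)) revert ZeroAddress();
        address old = address(nftPriceOracle);
        nftPriceOracle = newOracle;
        emit NewNftPriceOracle(old, address(newOracle));
    }

    // L-02: reject the zero address before storing it. The pending/accept
    // two-step also protects against a non-zero but mistyped address, since
    // the new admin must prove control of the key before taking over.
    function _setPendingAdmin(address newPendingAdmin) external onlyAdmin {
        if (newPendingAdmin == address(0)) revert ZeroAddress();
        address old = pendingAdmin;
        pendingAdmin = newPendingAdmin;
        emit NewPendingAdmin(old, newPendingAdmin);
    }

    function _acceptAdmin() external {
        if (msg.sender != pendingAdmin) revert Unauthorized();
        address oldAdmin = admin;
        admin = pendingAdmin;
        pendingAdmin = address(0);
        emit NewAdmin(oldAdmin, admin);
    }
}
```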

-----------------------------------------------------------------

Awards

47.5594 USDC - $47.56

Labels

bug
G (Gas Optimization)

External Links

[G-01] Function redeemAllowed() could be simplified.

Description

Function redeemAllowed() could be simplified.

function redeemAllowed(address cAsset, address redeemer, uint redeemTokens) external returns (uint) {
    uint allowed = redeemAllowedInternal(cAsset, redeemer, redeemTokens);
    if (allowed != uint(Error.NO_ERROR)) {
        return allowed;
    }

    // Keep the flywheel moving
    // updateCompSupplyIndex(cAsset);
    // distributeSupplierComp(cAsset, redeemer);

    return uint(Error.NO_ERROR);
}

could be rewritten to

function redeemAllowed(address cAsset, address redeemer, uint redeemTokens) external returns (uint) {
    return redeemAllowedInternal(cAsset, redeemer, redeemTokens);
}

Consider rewriting

-----------------------------------------------------------------

[G-02] Cheaper for loop

Description

This:

for (uint256 i = 0; i < len; i++) {
    ...
}

can be optimized to

for (uint256 i; i < len;) {
    ...
    unchecked { ++i; }
}

Consider rewriting

-----------------------------------------------------------------
