Platform: Code4rena
Start Date: 03/11/2022
Pot Size: $115,500 USDC
Total HM: 17
Participants: 120
Period: 7 days
Judge: LSDan
Total Solo HM: 1
Id: 174
League: ETH
Rank: 87/120
Findings: 1
Award: $61.35
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0xNazgul, 0xRoxas, 0xSmartContract, Awesome, Aymen0909, B2, BClabs, Bnke0x0, Deekshith99, Deivitto, Diana, Dinesh11G, Funen, HE1M, HardlyCodeMan, Josiah, Nyx, Rahoz, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Saintcode_, TomJ, Trust, __141345__, a12jmx, adriro, ajtra, aphak5010, apostle0x01, brgltd, btk, bulej93, c3phas, carlitox477, catwhiskeys, ch0bu, chaduke, chrisdior4, cryptonue, cryptostellar5, csanuragjain, ctf_sec, delfin454000, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, i_got_hacked, immeas, joestakey, jumpdest7d, lukris02, martin, mcwildy, merlin, minhquanym, oyc_109, pashov, peanuts, pedr02b2, rbserver, rotcivegaf, rvierdiiev, sakman, saneryee, seyni, shark, slowmoses, tnevler, trustindistrust, w0Lfrum, yurahod, zaskoh
61.3462 USDC - $61.35
require check for its success, unlike its counterpartSpigotLib.claimRevenue() encapsulates a transfer function from another library (LineLib.sendOutTokenOrEth) inside a require, as it typically prudent for such effects.
However, SpigotLib.claimEscrow() lacks the same check in a semantically similar action, claiming escrowed tokens. This transfer should also be protected by a require
Add a require check to line 115.
EscrowLib.updateLine() lacks checks to ensure that a 0 address isn't passed as a value, or setting itself (address(this)). This is important because the documentation in the Escrow contract states:
Line has no way to interface with this function so once transfered
lineis set forever
Add checks to ensure that deployment/management mistakes don't cause permanent loss of ownership of the Escrow contract.
The function CreditLib.create() performs a check against a ERC20 token in order to retrieve the number of decimals the token uses.
The check as implemented will return a static value of 18 if the token.call() returns false. While it is deeply unlikely that a token accepted as credit would ever fall into a state where this call would fail, treating it like nothing has occurred seems unsafe. Additionally, if the token didn't use the typical 18 decimals, defaulting to 18 here could have unpredictable results.
Since this function is embedded in a larger atomic transaction, it would be better to revert on false rather than to forge forward and risk unpredictable state. Since the call is likely to never fail, the revert is likely to never fire, causing minimal friction when credit is being adjusted.
type(uint256).maxThe codebase contains instances of 115792089237316195423570985008687907853269984665640564039457584007913129639935, the maximum uint256 value. This can be replaced with a shorthand type(uint256).max, resulting in better code clarity.
#0 - c4-judge
2022-12-06T20:40:29Z
dmvt marked the issue as grade-b