Platform: Code4rena
Start Date: 02/06/2023
Pot Size: $100,000 USDC
Total HM: 15
Participants: 75
Period: 7 days
Judge: Picodes
Total Solo HM: 5
Id: 249
League: ETH
Rank: 37/75
Findings: 2
Award: $50.37
π Selected for report: 0
π Solo Findings: 0
π Selected for report: Madalad
Also found by: Aymen0909, Bauchibred, Breeje, DadeKuma, Hama, LaScaloneta, Madalad, MohammedRizwan, bin2chen, dwward3n, erictee, etherhood, kutugu, peanuts, piyushshukla, rvierdiiev, saneryee, tallo, turvy_fuzz, whimints
31.7954 USDC - $31.80
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L646 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L650
If a negative value is returned (< 0) from chainlink oracle and the value is cast to type uint256, the resulting value will be the unsigned representation of that value which will be an inaccurate price. Also, cases where sdprice can't be less than 0 will revert (i.e division by 0 - https://github.com/code-423n4/2023-06-stader/blob/main/contracts/SDCollateral.sol#L212)
missing check: `(, int256 totalETHBalanceInInt, , , ) = AggregatorV3Interface(staderConfig.getETHBalancePORFeedProxy()) .latestRoundData(); (, int256 totalETHXSupplyInInt, , , ) = AggregatorV3Interface(staderConfig.getETHXSupplyPORFeedProxy()) .latestRoundData(); // @audit // if ( // totalETHBalanceInInt <= 0 || totalETHBalanceInInt <= 0 // ) revert StaderOracle_BadFeed();
return (uint256(totalETHBalanceInInt), uint256(totalETHXSupplyInInt), block.number);`
Always validate price feed answers before using and also it's important to note that casting a negative value of signed integer to an unsigned integer type may result in unexpected behavior, add the missing check above: if ( // totalETHBalanceInInt <= 0 || totalETHBalanceInInt <= 0 // ) revert StaderOracle_BadFeed(); and Always exercise caution when performing such type conversions to ensure that the resulting value is appropriate
Oracle
#0 - c4-judge
2023-06-09T23:25:11Z
Picodes marked the issue as duplicate of #15
#1 - c4-judge
2023-07-02T10:49:17Z
Picodes marked the issue as satisfactory
π Selected for report: RaymondFam
Also found by: 0xWaitress, 0xhacksmithh, ChrisTina, DadeKuma, LaScaloneta, Rolezn, SAAJ, Sathish9098, T1MOH, bin2chen, btk, catellatech, ernestognw, fatherOfBlocks, hals, hunter_w3b, jaraxxus, matrix_0wl, mgf15, naman1778, niser93, solsaver, turvy_fuzz
18.5651 USDC - $18.57
use of wrong operator
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L187
Due to the use of the wrong operator (&& instead of ||), manager can still disable erInspection Mode even when it's Cooldown is not completed. Also when not in cooldown, absolutely anyone can still disable it due to the && operator
use || instead of &&.
Itβs possible that the onlyOwner role mistakenly transfers ownership to a wrong address, resulting in a loss of the onlyOwner role.
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/VaultProxy.sol#L70
Consider implementing an acceptOwnership() function which is called by the pendingOwner to confirm the transfer.
#0 - c4-judge
2023-06-14T06:03:51Z
Picodes marked the issue as grade-b