Back to whilom's contests

Astaria contest - whilom's results

On a mission is to build a highly liquid NFT lending market.

General Information

Platform: Code4rena

Start Date: 05/01/2023

Pot Size: $90,500 USDC

Total HM: 55

Participants: 103

Period: 14 days

Judge: Picodes

Total Solo HM: 18

Id: 202

League: ETH

Astaria

Findings Distribution

Researcher Performance

Rank: 90/103

Findings: 1

Award: $51.32

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAstaria

Findings Information

🌟 Selected for report: ladboy233

Also found by: 0x1f8b, 0xAgro, 0xSmartContract, 0xbepresent, 0xkato, Aymen0909, CodingNameKiki, Cryptor, Deekshith99, Deivitto, HE1M, IllIllI, Kaysoft, Koolex, PaludoX0, Qeew, RaymondFam, Rolezn, Sathish9098, Tointer, a12jmx, arialblack14, ast3ros, ayeslick, bin2chen, btk, caventa, ch0bu, chaduke, chrisdior4, delfin454000, descharre, evan, fatherOfBlocks, georgits, gz627, jasonxiale, joestakey, kaden, lukris02, nicobevi, nogo, oberon, oyc_109, pfapostol, rbserver, sakshamguruji, seeu, shark, simon135, slvDev, synackrst, tnevler, whilom, zaskoh

Awards

51.3151 USDC - $51.32

Labels

bug
grade-b
QA (Quality Assurance)
Q-38

External Links

Link to GitHub issue

Audit Findings

Low Vulerability Findings

[L-01] createLien() in LienToken.sol should have a whenNotPaused modifier

Affected Code: https://github.com/code-423n4/2023-01-astaria/blob/57c2fe33c1d57bc2814bfd23592417fc4d5bf7de/src/LienToken.sol#L389

requestLienPosition() in AstariaRouter.sol is just a wrapper to createLien(). When the contract is paused, a privileged user that passes requiresAuth() can directly call createLien() which is not paused instead of requestLienPosition() to achieve the same effect.

Recommendation: Add a check in createLien() to verify that contract is not paused.

Non-Critical Findings

[N-01] Astaria Router Guardian does not emit when changed

Affected code: https://github.com/code-423n4/2023-01-astaria/blob/57c2fe33c1d57bc2814bfd23592417fc4d5bf7de/src/AstariaRouter.sol#L339

Setting, rencouncing and accepting guardian does not emit events and thus difficult to track.

Recommendation: Emit a ChangedGaurdian() event.

[N-02] Function mint does not use a predeclared modifier

Affected Code: https://github.com/code-423n4/2023-01-astaria/blob/57c2fe33c1d57bc2814bfd23592417fc4d5bf7de/src/WithdrawProxy.sol#L132

Using onlyVault() modifier leads to cleaner code.

Recommendation: Replace require(msg.sender == VAULT(), "only vault can mint"); with onlyVault() modifier.

[N-03] liquidatorNFTClaim() adds an unecessary check of liquidator == 0

Affected code: https://github.com/code-423n4/2023-01-astaria/blob/57c2fe33c1d57bc2814bfd23592417fc4d5bf7de/src/CollateralToken.sol#L118

Code checks whether liquidator == address(0) however address liquidator = s.LIEN_TOKEN.getAuctionLiquidator(collateralId); will throw an revert InvalidState(InvalidStates.COLLATERAL_NOT_LIQUIDATED); if liquidator == 0. Thus, the check is not necessary.

[N-04] Comment in the wrong line

Affected Code: https://github.com/code-423n4/2023-01-astaria/blob/57c2fe33c1d57bc2814bfd23592417fc4d5bf7de/src/PublicVault.sol#L155

Comment // check to ensure that the requested epoch is not in the past is in line 155 but code is in line 167.

Recommendation: Move comment next to actual code.

[N-05] Pause only prevents deposits and new loan positions but does not prevent liquidations or loan payments

There can be case where OpenSea experiences a hack however due to the way the contract is setup, there is no way to pause liquidations.

Since the liquidation engine is described clearly, the users know that this is a risk.

#0 - c4-judge

2023-01-26T14:39:44Z

Picodes marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter