Back to wonjun's contests

Venus Protocol Isolated Pools - wonjun's results

Earn, Borrow & Lend on the #1 Decentralized Money Market on the BNB Chain

General Information

Platform: Code4rena

Start Date: 08/05/2023

Pot Size: $90,500 USDC

Total HM: 17

Participants: 102

Period: 7 days

Judge: 0xean

Total Solo HM: 4

Id: 236

League: ETH

Venus Protocol

Findings Distribution

Researcher Performance

Rank: 77/102

Findings: 1

Award: $56.63

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryVenus Protocol

Findings Information

🌟 Selected for report: brgltd

Also found by: 0x73696d616f, 0xAce, 0xSmartContract, 0xWaitress, 0xkazim, 0xnev, Aymen0909, BGSecurity, Bauchibred, Cayo, ChrisTina, Franfran, IceBear, Infect3d, Kose, Lilyjjo, PNS, RaymondFam, Sathish9098, Team_Rocket, Udsen, YakuzaKiawe, YoungWolves, berlin-101, bin2chen, btk, codeslide, fatherOfBlocks, frazerch, kodyvim, koxuan, lfzkoala, lukris02, matrix_0wl, nadin, naman1778, sashik_eth, tnevler, volodya, wonjun, yjrwkk

Awards

56.6347 USDC - $56.63

Labels

bug
grade-b
QA (Quality Assurance)
Q-39

External Links

Link to GitHub issue

[L-1] Incorrect error message

Instances(1):

    require(
        (auction.auctionType == AuctionType.LARGE_POOL_DEBT &&
            ((auction.highestBidder != address(0) && bidBps > auction.highestBidBps) ||
                (auction.highestBidder == address(0) && bidBps >= auction.startBidBps))) ||
            (auction.auctionType == AuctionType.LARGE_RISK_FUND &&
                ((auction.highestBidder != address(0) && bidBps < auction.highestBidBps) ||
                    (auction.highestBidder == address(0) && bidBps <= auction.startBidBps))),
        "your bid is not the highest"
    );

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L171

Mitigation:

    auction.auctionType == AuctionType.LARGE_POOL_DEBT ? "your bid is not the highest" : "your bid is not the lowest"

[N-1] Spellcheck

Instances (5):

market's -> market

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Rewards/RewardsDistributor.sol#L300

a -> an

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L88 https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L356 https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#LL99

used -> used to

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L288

[G-1] Unnecessary transfer

Unnecessary transfer if msg.sender is same as the highest bidder

    if (auction.highestBidder != address(0)) {
        erc20.safeTransfer(auction.highestBidder, auction.marketDebt[auction.markets[i]]);
    }

    erc20.safeTransferFrom(msg.sender, address(this), auction.marketDebt[auction.markets[i]]);

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L189-L193

Check if the current highest bidder is placing a new bid, and skip performing the unnecessary transfers.

#0 - c4-judge

2023-05-18T19:37:08Z

0xean marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter