Phuture Finance contest - xpriment626's results

Crypto index platform, that simplifies your investments through automated, themed index products.

General Information

Platform: Code4rena

Start Date: 19/04/2022

Pot Size: $30,000 USDC

Total HM: 10

Participants: 43

Period: 3 days

Judges: moose-code, JasoonS

Total Solo HM: 7

Id: 90

League: ETH

Phuture Finance

Findings Distribution

Researcher Performance

Rank: 30/43

Findings: 1

Award: $69.53

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

69.53 USDC - $69.53

Labels

bug
QA (Quality Assurance)

Phuture Finance QA Report

Summary

A QA sweep of Phuture's contracts shows that floating pragma statements are present in all of the protocol's contracts. While this issue opens up the possibility for version-specific vulnerabilities, this report marks it as low severity under the assumption that the team will eventually lock the compiler version before mainnet launch.

Another common occurrence in Phuture's contracts is the lack of address(0) checks for certain functions, which could lead to unintended consequences. For instance, if a new asset is added to the ChainlinkPriceOracle contract and initialised with an aggregator set to address(0), no data will be fetched.

Lastly, this report recommends enforcing restrictions on the vToken transfer functions to ensure that users are not able to make empty transactions. Additionally, a theoretical loss of users' funds could arise from not restricting transfers to address(0).

Findings

L.1 - SWC-103: Floating Pragma [LOW SEVERITY]

Location:

  • BaseIndex: Line 3
  • ChainlinkPriceOracle: Line 3
  • IndexLayout: Line 3
  • IndexLogic: Line 3
  • ManagedIndex: Line 3
  • ManagedIndexReweightingLogic: Line 3
  • PhutureIndex: Line 3
  • PhuturePriceOracle: Line 3
  • TopNMarketCapIndex: Line 3
  • TopNMarketCapReweightingLogic: Line 3
  • TrackedIndex: Line 3
  • TrackedIndexReweightingLogic: Line 3
  • UniswapV2PathPriceOracle: Line 3
  • UniswapV2PriceOracle: Line 3

Description:

It is recommended to lock the pragma statement prior to deployment, as deploying with a floating pragma may lead to a wider window for version-specific vulnerabilities in the future.

L.2 - No zero address checks [LOW SEVERITY]

Location:

  • BaseIndex: Line 43

There are no checks in place to prevent minting to the zero address.

  • ChainlinkPriceOracle: Line 60

The addAsset function allows the zero address to be passed in as the _assetAggregator address. Although this is a role-restricted function, there is already a check in place to ensure _asset is not set to address zero, so it may be sensible to have a similar restriction for the aggregator.

  • IndexLogic: Line 31

There are no checks in place to prevent minting to the zero address.

L.3 - Unprotected transfers [LOW SEVERITY]

Location:

  • vToken: Lines 70, 76

Neither the transfer nor the transferAsset function of vToken has checks in place to prevent empty transfers or transfers to the zero address.
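The following is an added illustration, not Phuture's code, of the three findings above in hardened form: a locked pragma for L.1, zero-address checks on mint and on the aggregator passed to addAsset for L.2, and rejection of empty or zero-address transfers for L.3. The contract name, the controller role and the 0.8.13 compiler version are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.13; // L.1: locked version instead of a floating ^0.8.x (version assumed)

/// Illustrative contract only; names mirror the report's findings, not Phuture's sources.
contract HardenedVToken {
    address public immutable vaultController; // assumed privileged role
    mapping(address => uint256) public balanceOf;
    mapping(address => address) public aggregatorOf; // asset => price aggregator

    modifier onlyController() {
        require(msg.sender == vaultController, "not controller");
        _;
    }

    constructor(address _controller) {
        require(_controller != address(0), "zero controller");
        vaultController = _controller;
    }

    // L.2: minting must reject the zero address as recipient
    function mint(address to, uint256 amount) external onlyController {
        require(to != address(0), "mint to zero address");
        require(amount != 0, "zero amount");
        balanceOf[to] += amount;
    }

    // L.2: addAsset pattern; the aggregator gets the same check the asset already has,
    // so a feed can never be registered with address(0) and silently return no data
    function addAsset(address _asset, address _assetAggregator) external onlyController {
        require(_asset != address(0), "zero asset");
        require(_assetAggregator != address(0), "zero aggregator");
        aggregatorOf[_asset] = _assetAggregator;
    }

    // L.3: reject empty transfers and transfers to the zero address before moving balances
    function transfer(address to, uint256 amount) external returns (bool) {
        require(to != address(0), "transfer to zero address");
        require(amount != 0, "empty transfer");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
```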
