Platform: Code4rena
Start Date: 24/03/2022
Pot Size: $75,000 USDC
Total HM: 15
Participants: 59
Period: 7 days
Judge: gzeon
Id: 103
League: ETH
Rank: 28/59
Findings: 3
Award: $480.20
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/DexManagerFacet.sol#L73
DexManagerFacet.batchRemoveDex is used to remove many DEXs in the same transaction. However, the return in L73, will push the function to return directly after removing the first DEX in the _dexs list. So the actual implementation will just remove the first element in the list, which could be a serious problem as the contract owner could think that he removes an access to a DEXs while he doesn't.
I put this as high because this affects the ACCESS CONTROL.
Recommendation: remove the return (as simple as that).
#0 - H3xept
2022-04-11T10:41:22Z
Duplicate of #34
#1 - gzeoneth
2022-04-16T16:34:19Z
Changing to Med Risk to align with #34
🌟 Selected for report: hake
Also found by: 0v3rf10w, 0xDjango, 0xkatana, BouSalman, CertoraInc, Dravee, Hawkeye, IllIllI, JMukesh, Jujic, Kenshin, PPrieditis, Picodes, PranavG, Ruhum, SolidityScan, VAD37, WatchPug, aga7hokakological, catchup, csanuragjain, cthulhu_cult, defsec, dimitri, hickuphh3, hubble, hyh, kenta, kirk-baird, obront, peritoflores, rayn, robee, saian, samruna, shenwilly, shw, sorrynotsorry, tchkvsky, teryanarmen, ych18
114.8562 USDC - $114.86
Incorrect revert msg in NXTPFacet.completeBridgeTokensViaNXTP. In fact, the native token could be in different blockchain (e.g Polygone and the native token is MATIC)
The transfer ownership system ( OwnershipFacet )does not follow for transfer-accept patterns. Which may lead to contract ownership accidentally being mismanaged.
Recommendation: Implementing a transfer-accept pattern, or renouncing ownership of the contract may be preferred to countermeasure against mistaken ownership transfers.
it's better to replace the NATIVE_ASSET to another address rather than the address(0) to avoid any confusion that could happen (e.g WithdrawFacet.withdraw)
All contracts use an unlocked pragma ^0.8.7.
#0 - H3xept
2022-04-11T12:22:48Z
Duplicate of #143
🌟 Selected for report: Dravee
Also found by: 0v3rf10w, 0xDjango, 0xNazgul, 0xkatana, ACai, CertoraInc, FSchmoede, Funen, Hawkeye, IllIllI, Jujic, Kenshin, PPrieditis, Picodes, SolidityScan, TerrierLover, Tomio, WatchPug, catchup, csanuragjain, defsec, dimitri, hake, hickuphh3, kenta, minhquanym, obront, peritoflores, rayn, rfa, robee, saian, samruna, tchkvsky, teryanarmen, ych18
61.9811 USDC - $61.98
NXTPFacet: startBridgeTokensViaNXTP, swapAndStartBridgeTokensViaNXTP, completeBridgeTokensViaNXTP and swapAndCompleteBridgeTokensViaNXTPWithdrawFacet: withdrawGenericSwapFacet: swapTokensGenericAnyswapFacet: swapAndStartBridgeTokensViaAnyswap, swapAndStartBridgeTokensViaAnyswapThe unchecked block can be used for all the for loops. Consider adding an internal function _increment with an unchecked block and use it to increment the counter inside the for loop.
LibAsset.decreaseERC20Allowance and LibAsset.increaseERC20Allowance are declared but never used
#0 - H3xept
2022-04-04T08:55:05Z
Fixed in lifinance/lifi-contracts@26443af0142afdb131b6b3ab278fac29670b7b0e Duplicate of #197
#1 - H3xept
2022-04-04T08:55:21Z
We internally decided to avoid unchecked statements for now.
#2 - H3xept
2022-04-04T08:56:35Z
Used in FulfillInterpreter.sol