code-423n4 / 2022-03-lifinance-findings


QA Report #116

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Vulnerability details

Explicit Compiler Version Not Stated

Impact

Low

Proof of Concept

An outdated version of Solidity containing known vulnerabilities could be used to compile the smart contract:

https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/WithdrawFacet.sol#L2

Recommended Mitigation Steps

Remove the caret from the pragma directive.

Vulnerability details

Vulnerable "transfer()" Function in Use

Impact

Low

Proof of Concept

The WithdrawFacet.sol contract is using transfer(), which is considered insecure as this function has a fixed gas price.

https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/WithdrawFacet.sol#L31

Recommended Mitigation Steps

Use call() alongside ReentrancyGuard rather than the transfer() function.
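The following is an added, illustrative example, not code from the QA report, from the project, or from the fix referenced in the thread. It shows both recommendations in one stand-alone Solidity file: a pinned pragma instead of a caret range, and an ETH withdrawal that uses call() behind a re-entrancy guard instead of transfer(). The contract names, the simple owner check, the 0.8.7 version and the inlined guard are assumptions made for the example; the third contract is a constructed recipient whose receive() needs more than the 2300-gas stipend, which is the case transfer() cannot serve.

```solidity
// SPDX-License-Identifier: MIT
// Pinned compiler version (no caret): the bytecode is always produced by exactly
// this release, not by whichever newer 0.8.x happens to be installed.
// 0.8.7 is an illustrative choice for this example, not a statement about the project.
pragma solidity 0.8.7;

// Minimal re-entrancy guard, inlined so the example compiles on its own.
// In a real code base use OpenZeppelin's ReentrancyGuard instead (assumption: same semantics).
abstract contract ReentrancyGuard {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    modifier nonReentrant() {
        require(_status != ENTERED, "ReentrancyGuard: reentrant call");
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }
}

// Hypothetical owner-only withdrawal contract, modelled on the finding above.
// It is NOT the project's WithdrawFacet; the owner check is a stand-in.
contract WithdrawExample is ReentrancyGuard {
    address public owner;

    event LogWithdraw(address indexed to, uint256 amount);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Accept ETH so there is something to withdraw.
    receive() external payable {}

    // BEFORE: transfer() forwards a fixed 2300-gas stipend. A recipient whose
    // receive()/fallback() needs more than that (a contract wallet or multisig
    // that writes to storage, for instance) cannot be paid at all, and a future
    // opcode repricing can break recipients that work today. transfer() does
    // revert on failure, so no return value needs checking.
    function withdrawWithTransfer(address payable to, uint256 amount) external onlyOwner {
        require(amount <= address(this).balance, "insufficient balance");
        to.transfer(amount);
        emit LogWithdraw(to, amount);
    }

    // AFTER: call() forwards all remaining gas, so any recipient can be paid.
    // Because the recipient can now run arbitrary code, the function is
    // guarded with nonReentrant and follows checks-effects-interactions:
    // bookkeeping (here just the event) happens before the external call.
    // Unlike transfer(), call() does not revert on failure; the boolean
    // must be checked or a failed send would be silently ignored.
    function withdrawWithCall(address payable to, uint256 amount) external onlyOwner nonReentrant {
        require(amount <= address(this).balance, "insufficient balance");
        emit LogWithdraw(to, amount);
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}

// Constructed recipient for demonstration: its receive() writes to storage,
// and an SSTORE costs more than the 2300-gas stipend, so a payment made via
// withdrawWithTransfer() to this contract reverts, while withdrawWithCall()
// succeeds. (On a diamond, the same recipient could be another contract that
// merely logs and forwards funds.)
contract StorageWritingRecipient {
    uint256 public received;

    receive() external payable {
        received += msg.value;
    }
}
```

To reproduce the difference, deploy both contracts, fund WithdrawExample with some ETH, then call withdrawWithTransfer() and withdrawWithCall() with the StorageWritingRecipient address as the recipient: the first call reverts inside the stipend, the second completes and increments received. The ordering inside withdrawWithCall() matters as much as the guard: emitting and updating state before the external call means that even if the guard were removed, a re-entering recipient would see the already-updated state rather than a stale one.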

H3xept commented 2 years ago
  1. Will be tackled after completing the audit analysis.
  2. Fixed in lifinance/lifi-contracts@274a41b047b3863d9ae232eefea04896dc32d853 (Duplicate of #14)