Open code423n4 opened 2 years ago
https://github.com/code-423n4/2022-04-jpegd/blob/main/contracts/tokens/StableCoin.sol#L32

No `Transfer` event is emitted here.

Tool Used
Manual Review

POC
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/7392d8373873bed5da9ac9a97811d709f8c5ffbb/contracts/token/ERC20/ERC20.sol#L248-L266

Recommended Mitigation
Remove it or change it.

https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/tokens/StableCoin.sol#L29
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/tokens/StableCoin.sol#L36

Since `account` can be changed to `to`, and there is no `require` that `account` is not the zero address, it can be changed by using `must have minter role to mint`.

Tool Used
Manual Review

POC
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/7392d8373873bed5da9ac9a97811d709f8c5ffbb/contracts/token/ERC20/ERC20.sol#L248-L266

Recommended Mitigation
Change it.

https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/farming/LPFarming.sol#L85-L91

Since `isContract()` checks `extcodesize`, this check can be bypassed; it would be better to use the logical check `msg.sender != tx.origin`.

Tool Used
Manual Review

POC
https://solidity-by-example.org/hacks/contract-size/
https://ethereum.stackexchange.com/questions/1891/whats-the-difference-between-msg-sender-and-tx-origin
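The following is an added example, not code from the jpegd repository or from this report, that demonstrates the three points above in one place: a mint that emits `Transfer`, rejects the zero address and uses the `must have minter role to mint` revert string; an `extcodesize`-style `isContract()` check being bypassed from a constructor; and the `msg.sender != tx.origin` comparison rejecting the same caller. The contract names `Stable`, `Farm` and `ConstructorBypass` and the function names are hypothetical, and the `Address.isContract()` helper mirrors the classic OpenZeppelin code-size check rather than being the project's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example for the QA findings above; not part of jpegd or of this report.
// Names (Stable, Farm, ConstructorBypass) are hypothetical.

library Address {
    // Mirrors the classic OpenZeppelin Address.isContract(): true only when
    // code is already deployed at the account. During a constructor the
    // contract's own code size is still zero.
    function isContract(address account) internal view returns (bool) {
        return account.code.length > 0;
    }
}

// Findings 1 and 2: mint() emits Transfer, names the recipient `to`, and
// rejects the zero address, as the referenced OpenZeppelin _mint() does.
contract Stable {
    event Transfer(address indexed from, address indexed to, uint256 value);

    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public immutable minter;

    constructor() {
        minter = msg.sender;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "StableCoin: must have minter role to mint");
        require(to != address(0), "StableCoin: mint to the zero address");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}

// Finding 3: the two "no contracts" checks side by side.
contract Farm {
    using Address for address;

    uint256 public depositsViaCodeSizeCheck;
    uint256 public depositsViaOriginCheck;

    // Code-size check: a contract calling from its own constructor has no
    // code yet, so isContract(msg.sender) returns false and the call passes.
    modifier noContractByCodeSize() {
        require(!msg.sender.isContract(), "Farm: caller is a contract");
        _;
    }

    // Origin check: for any caller that is not the transaction's EOA,
    // msg.sender != tx.origin, constructors included.
    modifier noContractByOrigin() {
        require(msg.sender == tx.origin, "Farm: caller is a contract");
        _;
    }

    function depositCodeSize() external noContractByCodeSize {
        depositsViaCodeSizeCheck += 1;
    }

    function depositOrigin() external noContractByOrigin {
        depositsViaOriginCheck += 1;
    }
}

// Deploying this contract from an EOA, with the Farm address as the argument,
// makes depositCodeSize() succeed (extcodesize of the deploying contract is 0
// during construction) while depositOrigin() reverts.
contract ConstructorBypass {
    bool public codeSizeCheckBypassed;
    bool public originCheckBypassed;

    constructor(Farm farm) {
        farm.depositCodeSize();
        codeSizeCheckBypassed = true; // reached: the code-size check let us in

        // Low-level call so the expected revert does not abort deployment.
        (bool ok, ) = address(farm).call(abi.encodeWithSignature("depositOrigin()"));
        originCheckBypassed = ok; // false: msg.sender (this) != tx.origin (EOA)
    }
}
```

After deployment, `Farm.depositsViaCodeSizeCheck()` reads 1 and `Farm.depositsViaOriginCheck()` reads 0, and `ConstructorBypass.codeSizeCheckBypassed()` is true while `originCheckBypassed()` is false, which is the difference between the two checks that the finding describes.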