code-423n4 2023-02-malt-findings issues

code-423n4 / 2023-02-malt-findings

0 stars 0 forks source link

issues

Newest

Newest Most commented Recently updated Oldest Least commented Least recently updated

Upgraded Q -> 2 from #17 [1678363178694]

#47 c4-judge closed 1 year ago
2
Upgraded Q -> 2 from #11 [1678055765655]

#45 c4-judge closed 1 year ago
2
Upgraded Q -> 2 from #3 [1678055596601]

#44 c4-judge closed 1 year ago
2
Gas Optimizations

#43 code423n4 opened 1 year ago
2
QA Report

#42 code423n4 opened 1 year ago
3
Cap is not applied when `runwayDeficit` = 0 in `RewardThrottle.updateDesiredAPR`

#41 code423n4 opened 1 year ago
5
`priceTarget` is inconsistent in `StabilizerNode.stabilize`

#40 code423n4 opened 1 year ago
2
`RewardThrottle.checkRewardUnderflow` can't distribute rewards because `fillInEpochGaps` updates `activeEpoch` when `RewardThrottle` is inactive

#39 code423n4 closed 1 year ago
5
An early check logic in `StabilizerNode.stabilize` prevents possible stabilization.

#38 code423n4 closed 1 year ago
4
`averageCashflowAPR` should return 0 when `startEpoch` = `endEpoch`

#37 code423n4 opened 1 year ago
5
The latest malt price can be less than the actual price target and `StabilizerNode.stabilize` will revert

#36 code423n4 opened 1 year ago
6
`LinearDistributor.declareReward` can revert due to dependency of balance

#35 code423n4 opened 1 year ago
5
`SwingTraderManager.swingTraders()` shoudn't contain duplicate `traderContract`s.

#34 code423n4 opened 1 year ago
4
`SwingTraderManager.sellMalt()` doesn't update `totalProfit` for some cases.

#33 code423n4 closed 1 year ago
3
`StabilizerNode.stabilize()` should update `lastTracking` as well to avoid an unnecessary incentive.

#32 code423n4 opened 1 year ago
2
`SwingTraderManager.addSwingTrader()` shouldn't push the `traderId` to `activeTraders` array if `active = false`.

#31 code423n4 closed 1 year ago
4
Average `APR`s might be calculated wrongly after calling `populateFromPreviousThrottle()`.

#30 code423n4 opened 1 year ago
2
`RewardThrottle._sendToDistributor()` reverts if one distributor is inactive.

#29 code423n4 opened 1 year ago
2
`LinearDistributor.declareReward()` might revert after changing `vestingDistributor`.

#28 code423n4 opened 1 year ago
3
`MaltDataLab.getActualPriceTarget()` reverts when `breakpointBps = 10000`.

#27 code423n4 opened 1 year ago
4
`Repository._updateContract()` should check if `_name` has a non-zero trader contract already.

#26 code423n4 opened 1 year ago
4
`Repository._removeContract()` removes the contract wrongly.

#25 code423n4 opened 1 year ago
4
`GlobalImpliedCollateralService.setPoolUpdater()` works wrongly when `_updater == oldUpdater`.

#24 code423n4 opened 1 year ago
3
`RewardThrottle.checkRewardUnderflow()` might track the cumulative `APR`s wrongly.

#23 code423n4 opened 1 year ago
3
StabilizerNode.stabilize may use undistributed rewards in the overflowPool as collateral

#22 code423n4 opened 1 year ago
5
RewardThrottle.setTimekeeper: If changing the timekeeper causes the epoch to change, it will mess up the system

#21 code423n4 opened 1 year ago
3
RewardThrottle: If an epoch does not have any profit, then there may not be rewards for that epoch at the start of the next epoch.

#20 code423n4 opened 1 year ago
5
Gas Optimizations

#19 code423n4 opened 1 year ago
3
Gas Optimizations

#18 code423n4 opened 1 year ago
2
QA Report

#17 code423n4 opened 1 year ago
2
Value of `totalProfit` might be wrong because of wrong logic in function `sellMalt()`

#16 code423n4 opened 1 year ago
5
Function `stabilize()` might always revert because of overflow since Malt contract use solidity 0.8

#15 code423n4 opened 1 year ago
2
Manipulation of `livePrice` to receive `defaultIncentive` in 2 consecutive blocks

#14 code423n4 opened 1 year ago
5
`latestSample` can be manipulation to make `stabilize()` calls always fail

#13 code423n4 closed 1 year ago
6
SwingTraderManager.addSwingTrader will push traderId with active = false to activeTraders

#12 code423n4 opened 1 year ago
5
QA Report

#11 code423n4 opened 1 year ago
2
_distributeProfit will use the stale globalIC.swingTraderCollateralDeficit()/swingTraderCollateralRatio(), which will result in incorrect profit distribution

#10 code423n4 opened 1 year ago
3
StabilizerNode.stabilize uses stale GlobalImpliedCollateralService data, which will make stabilize incorrect

#9 code423n4 opened 1 year ago
6
RewardThrottle.populateFromPreviousThrottle may be exposed to front-run attack

#8 code423n4 opened 1 year ago
3
Users can't remove liquidity while malt price is below peg defend threshold

#7 code423n4 closed 1 year ago
4
LinearDistributor.declareReward: previouslyVested may update incorrectly, which will cause some rewards to be lost

#6 code423n4 opened 1 year ago
3
MaltRepository._revokeRole may not work correctly

#5 code423n4 opened 1 year ago
2
sellMalt has a calculation error that can lead to excessive profits

#4 code423n4 closed 1 year ago
3
QA Report

#3 code423n4 opened 1 year ago
2
Agreements & Disclosures

#1 code423n4 opened 1 year ago
0