A technical audit of Phuture finance

(Awarded: 200 USD)

Low-Medium severity issues

Uninitialised state variables

IndexLayout.factory is uninitialised when being used in _chargeAUMfees().

A possible exploit here would be to use factory.transfer() pre-emptively thus having a 0x00 address.

Multiplication on Division

In the core contracts, there are two instances where multiplication is done on a result of division. This might result in loss of precision in precision-sensitive DeFi contracts.

value = (oracle.convertToIndex(minAmountInBase, decimals()) * totalSupply()) / oracle.convertToIndex(lastAssetBalanceInBase, decimals());

Found here (line 77 and 85) and here. Please note, FullMath.sol library also does this, but it seems to be a well audited third party library, thus not mentioning here.

Why should you care: Solidity integer division might truncate. As a result, performing multiplication before division can sometimes avoid loss of precision.

Dependency-based Vulnerabilities

Phuture core contracts use UniswapV2OracleLibrary here which might result in violation of SWC-116 - while not severe, it is usually suggested to not use timestamp from Blocks.

Strict Operators

Should not be an issue here, but IndexLogic has a strict unequality here - usually not recommended due to possible workaround exploits using this strict condition. Just wanted to point out.

Zero Checks

BaseIndex.mint(address)._recipient doesn't have a zero address check which can potentially be used to drain balance via indirect exploits.

Re-entrancies

 function reweight() external override onlyRole(ORDERER_ROLE) {
        (bool success, bytes memory data) = IIndexFactory(factory).reweightingLogic().delegatecall(
            abi.encodeWithSelector(ITopNMarketCapIndexReweightingLogic.reweight.selector, category, snapshot, topN)
        );
        if (!success) {
            if (data.length == 0) {
                revert("TopNMarketCapIndex: REWEIGH_FAILED");
            } else {
                assembly {
                    revert(add(32, data), mload(data))
                }
            }
        }
        snapshot = abi.decode(data, (uint));
    }

Found here. There is a medium severity re-entrancy vulnerability here. While the role is limited, but a wrong chain of executions can allow for re-entrancy via snapshot = abi.decode(data, (uint)); here.

There are other benign re-entrancies that do not need reporting or concern as far as I can tell, but here are a few examples anyway.

  • BaseIndex.constructor(address) (contracts/BaseIndex.sol#33-40)
  • ManagedIndexReweightingLogic.reweight(address[],uint8[]) (contracts/ManagedIndexReweightingLogic.sol#28-105)

Favoring Pull over Push

I couldn't find a direct violation of this standard, but I did notice a lot of calls inside loops. This is often neccessary in complex DeFi protocols but causes low efficiency.

Last changed by 
โ€‰
Abhinav Srivastava
0
346

Read more

Clay

Support responses

Apr 13, 2024
The state of statelessness

Statelessness is important in Ethereum as it allows for nodes that sync fast to be used, increasing trust assumptions for users due to an increased decentralised verification system. It is also great for state resurrection should we ever decide to prune out the stale state or even delete less relevant states. We will likely keep a state stored elsewhere instead of on full nodes, and should we ever need it, clients can use stateless blocks for execution and verification.

Jun 18, 2023
Notes on NetSec

Perfect secrecy

May 12, 2023
Project Name: Simple User Management App

Project Description: This project aims to develop a Django application that provides a simple email and password authentication system to allow users to sign up and log in. Additionally, the application allows listing all registered users. The project will use Django REST Framework (DRF) to develop a RESTful API. SQLite will be used as the database. Functional Requirements: User Sign Up: The user should be able to sign up by providing their email and password. User Login: The user should be able to log in with their email and password. User List: The application should allow listing all registered users. Authentication: The application should verify the user's credentials before granting access to their account. Authorization: Only authenticated users should be able to access the user list.

Apr 14, 2023
Read more from Abhinav Srivastava
Published on HackMD