I recently analyzed the report of a contest I participated in - ECG (@CreditGuild) on C4. It was my first big protocol.
There were some very interesting insights I gained for myself, like:
"Valuable, low-duplicate bugs != complex bugs. Which also does not mean they are easy to…
I'm gonna present you with 3 findings from this contest that are simple to grasp, yet only a few auditors discovered them.
I'll try to analyze and reason about what enabled those auditors to find them.
In total there were 28 H/M valid findings, most of which were heavily duplicated.…
First, let me give you some context on the protocol, so that you can easily follow my chain of thought.
🗒️ Note
Even though the protocol is a bit complicated, fear NOT! There won't be anything complex in my analysis. Quite the contrary - I'll extract the alpha and place it on your…
Finding #1
Title: Inability to withdraw funds for certain users due to protocol being paused
🐛 The bug
1. Holders of CREDIT can call stake() to start earning yield on it
2. Holders call unstake() to get their CREDIT + yield. However, unstake() internally calls mint() to add the…
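To make the failure mode concrete, here is an added illustration (a hypothetical contract, not the Guild's code): mint() honours the protocol pause, and the vulnerable unstake() routes the principal through it, so a pause traps funds that should always be withdrawable. Assumed for the example: yield is paid by minting, and a flat 1% rate stands in for real accounting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal model of the pattern behind Finding #1 (not ECG code):
// mint() is gated by the protocol pause and unstake() calls mint() to pay
// yield, so a pause also traps the staked principal.
contract PausableStaking {
    address public immutable guardian;
    bool public paused;
    mapping(address => uint256) public balance;      // stand-in for CREDIT
    mapping(address => uint256) public staked;
    mapping(address => uint256) public pendingYield; // used by the fixed path

    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor() { guardian = msg.sender; }
    function setPaused(bool p) external { require(msg.sender == guardian, "!guardian"); paused = p; }
    // Test helper: credit a caller with balance (real CREDIT is earned by lending).
    function deposit(uint256 amount) external { balance[msg.sender] += amount; }

    function stake(uint256 amount) external {
        balance[msg.sender] -= amount; // checked math reverts on underflow
        staked[msg.sender] += amount;
    }

    // Yield is minted, and minting honours the pause (assumed flat 1% yield).
    function mint(address to, uint256 amount) internal whenNotPaused {
        balance[to] += amount;
    }

    // VULNERABLE: principal return and yield mint share one transaction, so the
    // whenNotPaused revert inside mint() also undoes the principal return.
    function unstake() external {
        uint256 amount = staked[msg.sender];
        staked[msg.sender] = 0;
        balance[msg.sender] += amount;
        mint(msg.sender, amount / 100); // reverts while paused -> whole call reverts
    }

    // FIXED: principal never depends on the pause; yield is booked and minted
    // later through a path that still respects the pause.
    function unstakeSafe() external {
        uint256 amount = staked[msg.sender];
        staked[msg.sender] = 0;
        balance[msg.sender] += amount;
        pendingYield[msg.sender] += amount / 100;
    }

    function claimYield() external {
        uint256 amount = pendingYield[msg.sender];
        pendingYield[msg.sender] = 0;
        mint(msg.sender, amount); // still blocked while paused, but only the yield is
    }
}
```

The check an auditor can apply generally: trace every user exit path (withdraw, unstake, redeem) and confirm that none of them transits a function gated by a pause or a rate limit that governance can trip.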
Finding #2
Title: Users can deflate other markets' GUILD holders' rewards by staking a lower-priced token
🐛 The bug
1. Lenders deposit assets and receive CREDIT tokens
2. They `stake()` them in a particular market and earn fees from the borrowers of that market - each…
# Last one, I promise
Title: Inability to offboard a LendingTerm twice in a 7-day period
🐛 The bug
1. DAO token holders can vote to onboard() a new LendingTerm (market) that will be made available to borrowers
2. In case the LendingTerm becomes risky, the DAO can vote to…
Let's recap the valuable insights:
🧠 For a finding to be considered unique and valuable, it does not always have to be complex
🧠 The fact that a bug is simple to understand does not mean it is simple to find
🧠 When you audit big codebases, you should not lose sight of…
@xb0g0 @CreditGuild
Great tips man. Thanks.
I am currently auditing a protocol, and the current state only has one asset, but it plans to release more assets in the future.
I'll be looking at possible future states now.