- Total Prize Pool: $11,000 USDC
- Warden guidelines for C4 mitigation reviews
- Submit findings using the C4 form
- Starts March 16, 2023 20:00 UTC
- Ends March 21, 2023 20:00 UTC
Each warden must submit a mitigation review for:
- Every High and Medium finding listed below, and
- one report each for the Gas and QA fixes.
For the Gas and QA mitigation reports:
- Write a headline for each specific finding that indicates whether the specific finding was fixed
- Add any additional information for each finding below each headline
Incomplete mitigation reviews will not be eligible for awards.
- H-01: TRANSFERRING KIBToken TO YOURSELF INCREASES YOUR BALANCE
- M-01: KUMABondToken.approve() should revert if the owner of the tokenId is blacklisted
- M-02: KUMAFeeCollector.changePayees() executes incorrectly when newPayees contains duplicate items
- M-03: Price feed in MCAGRateFeed#getRate is not sufficiently validated and can return stale price
- M-04: KUMASwap incorrectly reverts when _maxCoupons has been reached
- QA Reports including #19, #7, #23, and #15.
- Gas Report
This mitigation adds validation to state modifications and oracles in the KIBT, KUMASwap, MCAGRateFeed, and KUMABondToken contracts, in addition to gas optimizations and QA fixes.
Wherever possible, mitigations should be provided in separate pull requests, one per issue. If that is not possible (e.g. because several audit findings stem from the same core problem), then please link the PR to all relevant issues in your findings repo.
URL | Mitigation of | Purpose |
---|---|---|
code-423n4/2023-02-kuma#3 | H-01 | This mitigation adds a check disallowing transfer to self in KIBT _transfer |
code-423n4/2023-02-kuma#4 | M-01 | This mitigation adds a check in KUMABondToken approve that the owner of the tokenId is not blacklisted |
code-423n4/2023-02-kuma#5 | M-02 | This mitigation adds a duplicate payees check in KUMAFeeCollector changePayees |
code-423n4/2023-02-kuma#6 | M-03 | This mitigation adds a staleness threshold check to MCAGRateFeed |
code-423n4/2023-02-kuma#7 | M-04 | This mitigation fixes the revert logic in KUMASwap sellBond for when maxCoupons has been reached |
code-423n4/2023-02-kuma#8 | QA | This mitigation adds QA fixes - see PR for specific fixes |
code-423n4/2023-02-kuma#9 | GAS | This mitigation adds GAS fixes - see PR for specific fixes |
code-423n4/2023-02-kuma#10 | term-fix | This mitigation refactors bond.term to months instead of seconds |
All high and medium issues were mitigated.