Platform: Code4rena
Start Date: 13/01/2022
Pot Size: $75,000 USDC
Total HM: 9
Participants: 27
Period: 7 days
Judge: leastwood
Total Solo HM: 5
Id: 73
League: ETH
Rank: 6/27
Findings: 2
Award: $3,491.80
🌟 Selected for report: 3
🚀 Solo Findings: 0
🌟 Selected for report: 0x1f8b
11.3746 LPT - $421.77
1159.9028 USDC - $1,159.90
0x1f8b
It's possible to deny burn to the admin.
The method burn in LivepeerToken is vulnerable to a front-running attack: if a user detects that the owner wants to burn his tokens, he can always transfer the tokens to another account and make burn fail. This contract should implement Pausable logic.
Manual review.
Inherit Pausable in LivepeerToken.
#0 - yondonfu
2022-01-24T01:53:15Z
Severity: 1 (Low)
If a user does this, this would just affect the L2LPTGateway which has the burner role. But, this would also prevent the user from executing outboundTransfer in the L2LPTGateway since the burn() call in that function would fail making this unlikely to happen.
#1 - 0xleastwood
2022-01-29T23:35:25Z
Agree with sponsor.
🌟 Selected for report: 0x1f8b
11.3746 LPT - $421.77
1159.9028 USDC - $1,159.90
0x1f8b
Possible frozen gateway.
Even though this logic is intentional, it is necessary to mention that the ControlledGateway contract allows pausing its functionality and consequently revoking or giving up the administrator role and the pausable role, which would finally leave the contract permanently and irrevocably useless.
Manual review.
Prevent revoking roles if the contract is paused.
#0 - yondonfu
2022-01-24T01:49:48Z
Not planning on changing this as the admin is highly unlikely to do this ever in practice.
🌟 Selected for report: 0x1f8b
0.8082 LPT - $29.97
82.4134 USDC - $82.41
0x1f8b
Gas saving.
Remove DelegatorPool.transferBond and use an inline implementation; this method only calls another method and is used only once, so it is not required.
Manual review.
Remove DelegatorPool.transferBond and use an inline implementation.
#0 - yondonfu
2022-01-24T01:53:45Z
Likely won't change because the helper helps with code readability.
0.0614 LPT - $2.28
6.2568 USDC - $6.26
0x1f8b
Gas saving.
There are some methods where the increment was made by i++; it's better to use ++i.
Gas saving
Use ++i
#0 - yondonfu
2022-01-23T14:04:09Z
1.4926 LPT - $55.34
152.2025 USDC - $152.20
0x1f8b
requireValidMigration bypass.
The logic of the method requireValidMigration inside the contract L1Migrator could be bypassed.
The code doesn't check that _l1Addr is different from address(0).
require( msg.sender == _l1Addr || recoverSigner(_structHash, _sig) == _l1Addr, "L1Migrator#requireValidMigration: FAIL_AUTH" );
And the recoverSigner code has a condition to return address(0) if the signature is empty.
if (_sig.length == 0) { return address(0); }
So if the user sends an empty signature (_sig='') and _l1Addr=address(0) during the call of requireValidMigration, it will bypass the logic and bypass the signature verification. This can produce important errors in all the methods that delegate this verification to this method.
Affected methods:
Manual review.
Check that _l1Addr is not address(0) inside requireValidMigration.
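The check quoted in this finding, placed next to the recommended zero-address guard, as an added Solidity example that is not part of the warden's submission or the Livepeer code base. The contract name, the raw 65-byte signature handling and the ZERO_L1_ADDR revert string are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: a simplified stand-in, not the Livepeer L1Migrator source.
contract MigrationAuthSketch {
    // Mirrors the behaviour quoted in the finding: empty signature -> address(0).
    function recoverSigner(bytes32 _structHash, bytes memory _sig)
        public pure returns (address)
    {
        if (_sig.length == 0) {
            return address(0);
        }
        // Assumption: 65-byte r || s || v signature checked against the raw hash.
        require(_sig.length == 65, "BAD_SIG_LENGTH");
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := mload(add(_sig, 32))
            s := mload(add(_sig, 64))
            v := byte(0, mload(add(_sig, 96)))
        }
        // ecrecover also returns address(0) when the signature is invalid.
        return ecrecover(_structHash, v, r, s);
    }

    // Check as quoted: _l1Addr == address(0) with _sig == "" makes the
    // second clause address(0) == address(0), so the require passes.
    function requireValidMigrationAsReported(
        address _l1Addr, bytes32 _structHash, bytes memory _sig
    ) public view {
        require(
            msg.sender == _l1Addr || recoverSigner(_structHash, _sig) == _l1Addr,
            "L1Migrator#requireValidMigration: FAIL_AUTH"
        );
    }

    // Recommended mitigation: reject the zero address before comparing.
    // The "ZERO_L1_ADDR" revert string is a hypothetical name.
    function requireValidMigrationHardened(
        address _l1Addr, bytes32 _structHash, bytes memory _sig
    ) public view {
        require(_l1Addr != address(0), "ZERO_L1_ADDR");
        require(
            msg.sender == _l1Addr || recoverSigner(_structHash, _sig) == _l1Addr,
            "L1Migrator#requireValidMigration: FAIL_AUTH"
        );
    }
}
```

A regression test for the fix can assert that the hardened function reverts for _l1Addr = address(0) with an empty _sig, and also for a 65-byte signature that ecrecover rejects.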
#0 - yondonfu
2022-01-23T13:47:05Z