Biconomy Hyphen 2.0 contest - 0x1f8b's results

Next-Gen Multichain Relayer Protocol.

General Information

Platform: Code4rena

Start Date: 10/03/2022

Pot Size: $75,000 USDT

Total HM: 25

Participants: 54

Period: 7 days

Judge: pauliax

Total Solo HM: 10

Id: 97

League: ETH

Biconomy

Researcher Performance

Rank: 23/54

Findings: 2

Award: $534.45

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

474.777 USDT - $474.78

Labels

bug
QA (Quality Assurance)

  1. It seems that an outdated version of OpenZeppelin is used; the current version is 4.5.0

"@openzeppelin/contracts": "4.3.0"

  2. Lack of ACK during pauser change. Because of human error it's possible to set a new, invalid pauser. When you want to change the pauser's address it's better to propose a new pauser, and then accept this role with the new wallet.
  3. Possible denial of service by gas exhaustion.
  4. Lack of input checks. If the owner sets high values, the contract can become unusable and the service could be denied.
  5. Logic mismatch. The logic around removeExecutor doesn't work as expected. It requires removing the address from the executors array; otherwise the executor will be returned by getAllExecutors.
  6. Lack of input checks. It is not checked that the address is a contract distinct from address(0).
  7. Integer underflow: if _baseToken doesn't exist, the methods getUpdatedAccTokenPerShare and getRewardRatePerSecond are denied.
  8. The method setBaseGas should emit an event so that dapps can detect this call. It also lacks any input verification and can incur disproportionate costs to the user if it is misconfigured.
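An added Solidity illustration of two of the points above: the two-step pauser handover (propose, then accept from the new wallet) and a removeExecutor that also takes the address out of the enumeration array so that getAllExecutors stays consistent with the mapping. This is example code written for this page, not Hyphen's own contract; the contract name, the owner/pauser roles, the index+1 bookkeeping and the event names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contract (not Biconomy's code): two-step pauser change plus an
// executor registry whose removal keeps the array and the mapping in sync.
contract PauserAndExecutors {
    address public owner;
    address public pauser;
    address public pendingPauser;

    mapping(address => bool) public isExecutor;
    address[] private executors;
    // Position of each executor inside `executors`, stored as index + 1 so that
    // 0 can mean "not present".
    mapping(address => uint256) private executorIndex;

    event PauserProposed(address indexed current, address indexed proposed);
    event PauserChanged(address indexed previous, address indexed current);
    event ExecutorAdded(address indexed executor);
    event ExecutorRemoved(address indexed executor);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _pauser) {
        require(_pauser != address(0), "pauser is zero");
        owner = msg.sender;
        pauser = _pauser;
    }

    // Step 1: the owner proposes a successor. A mistyped address is harmless
    // here, because nothing changes until that wallet signs an acceptance.
    function proposePauser(address newPauser) external onlyOwner {
        require(newPauser != address(0), "pauser is zero");
        pendingPauser = newPauser;
        emit PauserProposed(pauser, newPauser);
    }

    // Step 2: only the proposed wallet can accept. This is the ACK the report
    // asks for: an address that cannot sign can never become pauser.
    function acceptPauser() external {
        require(msg.sender == pendingPauser, "not pending pauser");
        emit PauserChanged(pauser, pendingPauser);
        pauser = pendingPauser;
        pendingPauser = address(0);
    }

    function addExecutor(address executor) external onlyOwner {
        require(executor != address(0), "executor is zero");
        require(!isExecutor[executor], "already executor");
        isExecutor[executor] = true;
        executors.push(executor);
        executorIndex[executor] = executors.length; // index + 1
        emit ExecutorAdded(executor);
    }

    // Swap-and-pop removal: the last element moves into the freed slot, so the
    // array shrinks and getAllExecutors no longer returns the removed address.
    function removeExecutor(address executor) external onlyOwner {
        uint256 idxPlusOne = executorIndex[executor];
        require(idxPlusOne != 0, "not executor");
        uint256 idx = idxPlusOne - 1;
        uint256 last = executors.length - 1;
        if (idx != last) {
            address moved = executors[last];
            executors[idx] = moved;
            executorIndex[moved] = idxPlusOne;
        }
        executors.pop();
        delete executorIndex[executor];
        delete isExecutor[executor];
        emit ExecutorRemoved(executor);
    }

    function getAllExecutors() external view returns (address[] memory) {
        return executors;
    }
}
```

The removal is O(1) regardless of how many executors are registered, which also avoids the kind of unbounded loop that the gas-exhaustion point in the report warns about; the order of getAllExecutors is not preserved, which callers must not rely on.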

Awards

59.6718 USDT - $59.67

Labels

bug
G (Gas Optimization)

  1. It's possible to avoid storage access and save gas by using the immutable keyword for the following variables:
  2. Use delete instead of setting to the default value (false or 0).
  3. It's possible to optimize the following structs in order to save storage slots:

struct NFTInfo {
    address payable staker;
    uint256 rewardDebt;
    uint256 unpaidRewards;
    bool isStaked; // <- Move close to the address
}

  4. Cache the constant value keccak256(xxxxxxxxxxxx) as a constant.
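An added Solidity illustration of the four gas points above in one place: the repacked NFTInfo struct next to the original layout, an immutable variable, delete instead of field-by-field resets, and a keccak256 of a literal declared as a constant. This is example code written for this page, not Hyphen's contract; the contract name, the baseToken and EXECUTOR_ROLE names, and the stake/unstake functions are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contract (not Biconomy's code) showing the report's gas points.
contract GasNotes {
    // Original layout: the address fills slot 0 (20 of 32 bytes), each uint256
    // takes a full slot, and the trailing bool needs a fourth slot.
    struct NFTInfoBefore {
        address payable staker;
        uint256 rewardDebt;
        uint256 unpaidRewards;
        bool isStaked;
    }

    // Repacked: the bool sits next to the address (20 + 1 bytes <= 32), so the
    // struct needs three slots instead of four, saving one SSTORE per write
    // of a fresh entry and one SLOAD when both fields are read together.
    struct NFTInfo {
        address payable staker;
        bool isStaked;
        uint256 rewardDebt;
        uint256 unpaidRewards;
    }

    // immutable: assigned once in the constructor and then inlined into the
    // runtime bytecode, so reading it costs no SLOAD.
    address public immutable baseToken;

    // The hash of a string literal is known at compile time; declaring it as a
    // constant lets the compiler fold it instead of hashing on every call.
    bytes32 public constant EXECUTOR_ROLE = keccak256("EXECUTOR_ROLE");

    mapping(uint256 => NFTInfo) public nftInfo;

    constructor(address _baseToken) {
        require(_baseToken != address(0), "base token is zero");
        baseToken = _baseToken;
    }

    function stake(uint256 tokenId) external {
        NFTInfo storage info = nftInfo[tokenId];
        require(!info.isStaked, "already staked");
        // staker and isStaked share a slot, so these two writes touch one slot.
        info.staker = payable(msg.sender);
        info.isStaked = true;
    }

    // delete resets every field to its default value (address(0), false, 0)
    // and earns the storage refund for each cleared slot, instead of writing
    // false / 0 field by field.
    function unstake(uint256 tokenId) external {
        NFTInfo storage info = nftInfo[tokenId];
        require(info.isStaked && info.staker == msg.sender, "not staker");
        delete nftInfo[tokenId];
    }
}
```

Slot packing only pays off when the packed fields are read or written together, as staker and isStaked are in stake and unstake above; if a bool is updated on its own, packing it beside an address can cost a little more, because the compiler must mask and rewrite the shared slot.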
AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
