Back to 0x1f8b's contests

prePO contest - 0x1f8b's results

Gain exposure to pre-IPO companies & pre-token projects.

General Information

Platform: Code4rena

Start Date: 17/03/2022

Pot Size: $30,000 USDC

Total HM: 8

Participants: 43

Period: 3 days

Judge: gzeon

Total Solo HM: 5

Id: 100

League: ETH

prePO

Findings Distribution

Researcher Performance

Rank: 20/43

Findings: 2

Award: $97.23

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryprePO

Findings Information

🌟 Selected for report: defsec

Also found by: 0x1f8b, 0xDjango, 0xNazgul, 0xkatana, 0xwags, CertoraInc, Funen, GeekyLumberjack, GreyArt, IllIllI, Kenshin, Ruhum, TerrierLover, WatchPug, berndartmueller, bugwriter001, cccz, cmichel, csanuragjain, hake, kenta, kirk-baird, leastwood, minhquanym, oyc_109, peritoflores, rayn, remora, rfa, robee, saian, samruna, sorrynotsorry, wuwe1

Awards

60.1124 USDC - $60.11

Labels

bug
QA (Quality Assurance)
sponsor disputed

External Links

Link to GitHub issue
  1. There are a lack of input checks around the contracts:
  1. Methods and code without comments. Comments are missing which makes review difficult and reduces the quality of the code.
  2. Logic prone to reentrancy errors. When the amount exceed the total allowed to withdraw, instead of fault the transaction it set the amount to 0.
  1. The use of clearAllowedAccounts should force to change the _root, otherwise the users can use allowSelf to be allowed again.
  1. Some methods doesn't check the result of the approve, transfer and transferFrom calls. ERC20 standard specify that the token can return false if the transfer was not made, so it's mandatory to check the result of this calls.
  1. In PrePOMarketFactory Is not checked that _deployedMarkets[_salt] already exists, so a possible collision could occur and change the stored market entry.
  1. Use delete instead of set to default value (false or 0)

#0 - ramenforbreakfast

2022-03-22T22:20:02Z

1 and 2 are too vague for me to consider as valid submissions. 3 needs to demonstrate how such a situation would occur. 4 is not an issue, this is why we have setRootAndClearAllowedAccounts to perform this atomically. 5 is a duplicate of #4. 6 is a duplicate of #2. 7 is a minor change and does not explain the benefits of doing this.

Findings Information

🌟 Selected for report: Dravee

Also found by: 0v3rf10w, 0x1f8b, 0xNazgul, 0xkatana, 0xngndev, 0xwags, CertoraInc, Funen, GreyArt, IllIllI, Jujic, Kenshin, Kiep, Tadashi, TerrierLover, Tomio, WatchPug, berndartmueller, defsec, hake, kenta, minhquanym, oyc_109, rayn, rfa, robee, saian, samruna

Awards

37.1175 USDC - $37.12

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue
  1. It's possible to avoid storage access a save gas using immutable keyword for the following variables:
  1. Using one map address=>Enum, with four values: None, Allowed, Blocked, Allowed And Blocked it's possible to save storage slots, and storage calls for checking if the account is allowed but not blocked, like here.
  1. Use delete instead of store the entries in another index can save a lot of storage access.
  1. Change the incremental logic from i++ to ++i in order to save some opcodes:
  1. Remove unneeded cast.
  1. It's compared a boolean value using == true or == false, instead of using the boolean value, or NOT opcode, it's cheaper to use NOT when the value it's false, or just the value without == true, when it's true, because it will use less opcode inside the VM.

#0 - ramenforbreakfast

2022-03-22T22:14:03Z

1,4,6 are duplicates of #5 2 and 3 are suggestions that would add additional complexity and have its own trade-offs. I consider these invalid. 5 is a nit that is valid, but I will mark this issue as a duplicate.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter