Back to 0x29A's contests

Canto v2 contest - 0x29A's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 28/06/2022

Pot Size: $25,000 USDC

Total HM: 14

Participants: 50

Period: 4 days

Judge: GalloDaSballo

Total Solo HM: 7

Id: 141

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 18/50

Findings: 2

Award: $107.38

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryCanto

Findings Information

🌟 Selected for report: zzzitron

Also found by: 0v3rf10w, 0x1f8b, 0x29A, AlleyCat, Bnke0x0, Chom, Funen, JC, Lambda, Limbooo, Meera, Picodes, Sm4rty, TerrierLover, TomJ, __141345__, asutorufos, aysha, c3phas, cccz, defsec, fatherOfBlocks, grGred, hake, ignacio, ladboy233, mrpathfindr, oyc_109, rfa, sach1r0, samruna, slywaters, ynnad

Awards

56.5262 USDC - $56.53

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Non-critical

[N-01] Lint error

manifest-v2/contracts/Proposal-Store.sol:

  • L9: 8 spaces to 4 spaces
  • L37, L38, L39: 4 spaces to 8 spaces
  • L35, L42: The constructor and the AddProposal function have many parameters, align these on lines to improve clarity
constructor(
    uint propId, 
    string memory title, 
    string memory desc, 
    address[] memory targets,
    uint[] memory values, 
    string[] memory signatures, 
    bytes[] memory calldatas
) {

[N-02] Wrong comment

manifest-v2/contracts/Proposal-Store.sol, L6, L7: This comment it's wrong maybe was a mistake from ERC20DirectBalanceManipulation contract copy-paste, remove it and add one

[N-03] Missing event emitting

Each function that changes the state of the contract should have an associated event to facilitate off-chain monitoring

manifest-v2/contracts/Proposal-Store.sol: The constructor and the AddProposal function should emit an event when add a proposal to the proposals array

[N-04] The names of the functions should be start in lower case

manifest-v2/contracts/Proposal-Store.sol, L42, L31, L49 the names of the functions should be start in lower case: addProposal and queryProp; also the name of the vars UniGovModAcct

[N-05] Non-library/interface files should use fixed compiler versions, not floating ones

Proposal-Store.sol#L3

lending-market-v2/contracts/Accountant/AccountantDelegator.sol:1:pragma solidity ^0.8.10;
lending-market-v2/contracts/Accountant/AccountantInterfaces.sol:1:pragma solidity ^0.8.10;
lending-market-v2/contracts/Accountant/AccountantDelegate.sol:1:pragma solidity ^0.8.10;
lending-market-v2/contracts/BaseJumpRateModelV2.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/CDaiDelegate.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/CErc20.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/CErc20Delegate.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/CErc20Delegator.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/CErc20Immutable.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/CEther.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/CNote.sol:1:pragma solidity ^0.8.10;
lending-market-v2/contracts/CToken.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/CTokenInterfaces.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/Comptroller.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/ComptrollerG7.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/ComptrollerStorage.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/DAIInterestRateModelV3.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/ErrorReporter.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/ExponentialNoError.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/Governance/GovernorAlpha.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/Governance/GovernorBravoInterfaces.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/Governance/GovernorBravoDelegate.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/Governance/Comp.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/Governance/GovernorBravoDelegator.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/InterestRateModel.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/JumpRateModel.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/JumpRateModelV2.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/Lens/CompoundLens.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/Maximillion.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/Note.sol:1:pragma solidity ^0.8.10;
lending-market-v2/contracts/NoteInterest.sol:1:pragma solidity ^0.8.10;
lending-market-v2/contracts/PriceOracle.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/Reservoir.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/SimplePriceOracle.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/Stableswap/test/calculations.sol:3:pragma solidity ^0.8.6;
lending-market-v2/contracts/Timelock.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/Treasury/TreasuryDelegator.sol:1:pragma solidity ^0.8.10;
lending-market-v2/contracts/Treasury/TreasuryDelegate.sol:1:pragma solidity ^0.8.10;
lending-market-v2/contracts/Unitroller.sol:2:pragma solidity ^0.8.10;
lending-market-v2/contracts/WhitePaperInterestRateModel.sol:2:pragma solidity ^0.8.10;

[N-06] Remove hardhat/console.sol

Remove the hardhat/console.sol on BaseV1-core.sol#L4 and the console.log function calls

Remove the hardhat/console.sol on CErc20.sol#L5 and the console.log function calls

Remove the hardhat/console.sol on AccountantDelegate.sol#L7 and the console.log function calls

#0 - eugenioclrc

2022-07-08T19:06:12Z

[N-06] is a high; https://github.com/code-423n4/2022-06-NewBlockchain-v2-findings/issues/91

#1 - GalloDaSballo

2022-08-13T19:52:16Z

Disagree with N-06 being High Severity. Console.log will just emit an event

#2 - GalloDaSballo

2022-08-14T20:14:17Z

[N-01] Lint error

NC

[N-02] Wrong comment

NC

## [N-03] Missing event emitting NC

[N-04] The names of the functions should be start in lower case

R

[N-05] Non-library/interface files should use fixed compiler versions, not floating ones

R

[N-06] Remove hardhat/console.sol

R

3R 3NC

Findings Information

🌟 Selected for report: 0x1f8b

Also found by: 0x29A, 0xArshia, 0xKitsune, Bnke0x0, Chom, Fitraldys, Funen, JC, Lambda, Meera, Noah3o6, Picodes, RedOneN, Rohan16, Sm4rty, TerrierLover, TomJ, Tomio, Waze, ajtra, c3phas, cRat1st0s, defsec, durianSausage, fatherOfBlocks, grGred, hake, ladboy233, m_Rassska, mrpathfindr, oyc_109, rfa, ynnad

Awards

50.848 USDC - $50.85

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

[G-01] PUBLIC FUNCTIONS TO EXTERNAL FUNCTIONS

The following functions could be set external to save gas and improve code quality External call cost is less expensive than of public functions

manifest-v2/contracts/Proposal-Store.sol:

L42, L43: AddProposal(uint propId, string memory title, string memory desc, address[] memory targets,
                        uint[] memory values, string[] memory signatures, bytes[] memory calldatas)
L49: function QueryProp(uint propId)

[G-02] CALLDATA INSTEAD OF MEMORY FOR FUNCTION PARAMETERS

If a reference type function parameter is read-only, it is cheaper in gas to use calldata instead of memory. Calldata is a non-modifiable, non-persistent area where function arguments are stored, and behaves mostly like memory.

Try to use calldata as a data location because it will avoid copies and also makes sure that the data cannot be modified.

  • As long as there is room in the stack

Instances include:

manifest-v2/contracts/Proposal-Store.sol, L42, L43:

function AddProposal(uint propId, string calldata title, string calldata desc, address[] calldata targets,
                        uint[] calldata values, string[] calldata signatures, bytes[] memory calldatas) public {

[G-03] Remove id of the struct

In manifest-v2/contracts/Proposal-Store.sol, L13: Should remove the uint id; from the struct and use an event to register the AddProposal This also improve the QueryProp function becouse don't need check the id with an if and only return the proposal:

function QueryProp(uint propId) public view returns(Proposal memory){
    return proposals[propId];
}

State variables can be declared as immutable

name and symbol vars should be flagged as immutable to save gas BaseV1-core.sol#L41-L42

diff --git a/contracts/Stableswap/BaseV1-core.sol b/contracts/Stableswap/BaseV1-core.sol
index 0a04612..0065811 100644
--- a/contracts/Stableswap/BaseV1-core.sol
+++ b/contracts/Stableswap/BaseV1-core.sol
@@ -38,8 +38,8 @@ interface IBaseV1Callee {
 // The base pair of pools, either stable or volatile
 contract BaseV1Pair {
 
-    string public name;
-    string public symbol;
+    string public immutable name;
+    string public immutable symbol;
     uint8 public constant decimals = 18;

#0 - GalloDaSballo

2022-08-15T23:46:29Z

Immutables 4200

Rest will save less than 100 gas

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter