Platform: Code4rena
Start Date: 12/08/2022
Pot Size: $35,000 USDC
Total HM: 10
Participants: 126
Period: 3 days
Judge: Justin Goro
Total Solo HM: 3
Id: 154
League: ETH
Rank: 91/126
Findings: 1
Award: $32.12
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: oyc_109
Also found by: 0x1f8b, 0x52, 0xDjango, 0xLovesleep, 0xNazgul, 0xNineDec, 0xbepresent, 0xmatt, 0xsolstars, Aymen0909, Bahurum, Bnke0x0, CertoraInc, Chom, CodingNameKiki, DecorativePineapple, Deivitto, Dravee, ElKu, Funen, GalloDaSballo, IllIllI, JC, JohnSmith, Junnon, KIntern_NA, Lambda, LeoS, MiloTruck, Noah3o6, PaludoX0, RedOneN, Respx, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, Ruhum, Sm4rty, TomJ, Vexjon, Waze, Yiko, __141345__, a12jmx, ajtra, ak1, apostle0x01, asutorufos, auditor0517, bin2chen, bobirichman, brgltd, bulej93, byndooa, c3phas, cRat1st0s, cryptphi, csanuragjain, d3e4, defsec, delfin454000, djxploit, durianSausage, ellahi, erictee, exd0tpy, fatherOfBlocks, gogo, jonatascm, ladboy233, medikko, mics, natzuu, neumo, p_crypt0, paribus, pfapostol, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, sach1r0, saneryee, seyni, sikorico, simon135, sseefried, wagmi, wastewa
32.1209 USDC - $32.12
The ownership transfer in VotingEscrow.sol doesn't have any checks in place, so ownership could accidentally be transferred to the wrong address (for example a typo or the zero address), permanently locking out the owner.
Consider adding a two-step transfer. The first transaction would set the new owner as pending, and the second would be called by the new owner to confirm the transfer.
Contracts should be deployed with the same compiler version and flags that they have been designed and tested. Different compiler versions/flags may introduce bugs that affect the contract negatively. Locking the pragma helps avoid this.
Change to:
pragma solidity 0.8.3;
Since lock time is floored to whole weeks, the maximum lock time should be 52 weeks instead of 365 days so that MAXTIME is divisible by WEEK.
Change to:
uint256 public constant MAXTIME = 52*WEEK;
The initial value of decimals is always overwritten, so it is a waste of gas to declare it with a value and then overwrite it.
Change to:
uint256 public decimals;
All owner functions check that msg.sender == owner. Since this check is repeated so many times, readability would benefit if it were moved into a modifier.
Implement an onlyOwner modifier and apply it to these functions.
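As an added illustration of the two recommendations above (two-step ownership transfer and an onlyOwner modifier), the following is example code written for this report, not code from VotingEscrow.sol or the audited project. The contract, function and event names are assumed; only the pattern is what matters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.3;

// Hypothetical contract (not VotingEscrow.sol) showing:
//  1. an onlyOwner modifier replacing repeated `msg.sender == owner` checks, and
//  2. a two-step ownership transfer so that a mistyped or uncontrolled address
//     can never take ownership away from the current owner by accident.
contract TwoStepOwnable {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed currentOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() {
        owner = msg.sender;
    }

    // Single access-control check, reused by every admin function below.
    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    // Step 1: the current owner nominates a successor. Ownership does not change
    // yet, so nominating a wrong address is harmless and can be corrected.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "Zero address");
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    // Step 2: only the nominee can complete the transfer, which proves the new
    // address is actually controlled by someone before the old owner loses access.
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "Not pending owner");
        emit OwnershipTransferred(owner, pendingOwner);
        owner = pendingOwner;
        pendingOwner = address(0);
    }

    // The current owner can withdraw a pending nomination (e.g. after noticing a typo).
    function cancelOwnershipTransfer() external onlyOwner {
        pendingOwner = address(0);
    }

    // Example admin function guarded by the modifier instead of an inline check.
    uint256 public someParameter;

    function setSomeParameter(uint256 value) external onlyOwner {
        someParameter = value;
    }
}
```

With this pattern a transfer to a wrong address leaves `owner` unchanged until `acceptOwnership` succeeds, so the worst outcome of a mistake is a pending nomination that the owner can cancel.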
The comment indicates that a user should use increaseAmount instead of createLock after calling quitLock. This is impossible because of the require statement at L449, which would revert since lock.amount == 0 after quitLock.
Remove L449.