bunker.finance contest - 0xDjango's results

The easiest way to borrow against your NFTs.

General Information

Platform: Code4rena

Start Date: 03/05/2022

Pot Size: $50,000 USDC

Total HM: 4

Participants: 46

Period: 5 days

Judge: gzeon

Total Solo HM: 2

Id: 117

League: ETH

Researcher Performance

Rank: 6/46

Findings: 3

Award: $507.30

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

161.1611 USDC - $161.16

Labels

bug
QA (Quality Assurance)

Issue #1 (Low) - Floating pragma

All contracts contain a floating pragma. It is recommended to deploy all contracts with a single, specific compiler version to reduce the risk of compiler-specific bugs and of contracts being deployed with different versions. In the case of the forked contracts, I recommend deploying with the exact version that the current live versions were deployed with.

E.g. https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/CErc20.sol#L1

Issue #2 (Low) - No ownership transfer pattern

It is recommended to implement an acceptOwnershipTransfer() function to reduce the risk of transferring ownership to the wrong account or zero address. The pattern would include a transferOwnership() function to set the pending new owner, and the acceptOwnershipTransfer() function would have to be called by the pending owner for the transfer to take effect.

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Comptroller.sol#L731-L734

Issue #3 (Low) - Lack of address(0) validation

When setting the address of the NFT oracle, the new address should be validated to ensure it is not address(0).

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Comptroller.sol#L771

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Comptroller.sol#L751
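The following contract is an added illustration of the two-step ownership transfer recommended in Issue #2 and the address(0) validation recommended in Issue #3, written for this report and not taken from the bunker-protocol code base. The contract and function names (OwnedWithPendingOwner, nftOracle, setNftOracle) are hypothetical, and the pinned pragma version is an assumed value standing in for whatever version the live contracts were built with (see Issue #1).

```solidity
// SPDX-License-Identifier: MIT
// Pinned compiler version: assumed for this example, pin to the version the live contracts were built with.
pragma solidity 0.8.17;

/// @notice Illustrative two-step ownership transfer plus zero-address validation.
/// Contract and function names are hypothetical, not the protocol's own.
contract OwnedWithPendingOwner {
    address public owner;
    address public pendingOwner;
    address public nftOracle;

    event OwnershipTransferStarted(address indexed currentOwner, address indexed pendingOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
    event NftOracleUpdated(address indexed oldOracle, address indexed newOracle);

    error NotOwner();
    error NotPendingOwner();
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Step 1: the current owner nominates a new owner. Nothing changes yet, so a
    /// typo in `newOwner` is recoverable: the owner can simply nominate again.
    function transferOwnership(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddress();
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    /// Step 2: only the nominated account can complete the transfer, which proves
    /// the address is controlled by someone able to sign transactions.
    function acceptOwnershipTransfer() external {
        if (msg.sender != pendingOwner) revert NotPendingOwner();
        address previousOwner = owner;
        owner = msg.sender;
        pendingOwner = address(0);
        emit OwnershipTransferred(previousOwner, msg.sender);
    }

    /// Setter for a privileged dependency address: reject address(0) so a mistaken
    /// call cannot leave the protocol pointing at a non-existent oracle.
    function setNftOracle(address newOracle) external onlyOwner {
        if (newOracle == address(0)) revert ZeroAddress();
        address oldOracle = nftOracle;
        nftOracle = newOracle;
        emit NftOracleUpdated(oldOracle, newOracle);
    }
}
```

Because the transfer only takes effect once the pending owner calls acceptOwnershipTransfer(), nominating an address nobody controls leaves the current owner in place rather than locking the contract; the zero-address checks in both setters close off the one address that can never make that call.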

Issue #4 (Non-critical) - Coding practice: Interfaces should start with "I"

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/EIP20Interface.sol#L7

Issue #5 (Non-critical) - Coding practice: Only internal functions should start with "_"

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/Comptroller.sol#L731-L925

Awards

47.5594 USDC - $47.56

Labels

bug
G (Gas Optimization)

Optimization #1 - For loop optimization

This for loop can be optimized by incrementing i within unchecked{}. The new pattern would be:

    for (uint i = 0; i < length;) {
        seizeTokens -= seizeAmounts[i];
        unchecked { ++i; }
    }

https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/CToken.sol#L1090-L1092
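To make the before/after comparison concrete, here is an added example contract (written for this report, not code from bunker-protocol) with the checked loop beside the unchecked-increment version. The contract and function names are hypothetical and the pinned pragma version is an assumed value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17; // assumed pinned version for this example

/// Illustrative contract (not the protocol's code) contrasting the default checked
/// loop increment with the unchecked pattern recommended in the finding.
contract LoopIncrementExample {
    /// Baseline: every `i++` runs through the compiler's overflow check.
    function subtractChecked(uint256 seizeTokens, uint256[] memory seizeAmounts)
        external
        pure
        returns (uint256)
    {
        uint256 length = seizeAmounts.length;
        for (uint256 i = 0; i < length; i++) {
            seizeTokens -= seizeAmounts[i];
        }
        return seizeTokens;
    }

    /// Optimized: the loop condition `i < length` already bounds `i`, so the
    /// increment can never overflow and its overflow check is redundant.
    /// Only the increment sits inside unchecked{}; the subtraction keeps its
    /// underflow check and still reverts if the amounts exceed seizeTokens.
    function subtractUnchecked(uint256 seizeTokens, uint256[] memory seizeAmounts)
        external
        pure
        returns (uint256)
    {
        uint256 length = seizeAmounts.length;
        for (uint256 i = 0; i < length;) {
            seizeTokens -= seizeAmounts[i];
            unchecked { ++i; }
        }
        return seizeTokens;
    }
}
```

The safety argument rests entirely on the loop bound: `i` starts at zero and the body runs only while `i < length`, so `++i` cannot wrap. Widening the unchecked block to include the subtraction would remove a check that actually matters.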
