Platform: Code4rena
Start Date: 26/07/2022
Pot Size: $75,000 USDC
Total HM: 29
Participants: 179
Period: 6 days
Judge: LSDan
Total Solo HM: 6
Id: 148
League: ETH
Rank: 139/179
Findings: 1
Award: $35.17
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0x52, 0xA5DF, 0xDjango, 0xLovesleep, 0xNazgul, 0xNineDec, 0xSmartContract, 0xackermann, 0xc0ffEE, 0xf15ers, 0xmatt, 0xsanson, 0xsolstars, 8olidity, AuditsAreUS, Bahurum, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chom, CryptoMartian, Deivitto, DevABDee, Dravee, ElKu, Franfran, Funen, GalloDaSballo, GimelSec, GiveMeTestEther, Green, JC, Jmaxmanblue, JohnSmith, Jujic, Junnon, Kenshin, Krow10, Kumpa, Lambda, MEP, Maxime, MiloTruck, Mohandes, NoamYakov, Picodes, RedOneN, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, Soosh, StErMi, StyxRave, Tadashi, TomJ, Treasure-Seeker, TrungOre, Waze, _Adam, __141345__, ajtra, ak1, apostle0x01, arcoun, asutorufos, async, benbaessler, berndartmueller, bin2chen, brgltd, c3phas, cRat1st0s, carlitox477, chatch, codetilda, codexploder, cryptonue, cryptphi, csanuragjain, cthulhu_cult, delfin454000, dipp, dirk_y, djxploit, ellahi, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, horsefacts, hyh, idkwhatimdoing, indijanc, jayfromthe13th, jayphbee, joestakey, kenzo, kyteg, lucacez, luckypanda, mics, minhquanym, obront, oyc_109, pedr02b2, rajatbeladiya, rbserver, reassor, robee, rokinot, rotcivegaf, sach1r0, saian, saneryee, sashik_eth, scaraven, shenwilly, simon135, sseefried, supernova, teddav, ych18, zuhaibmohd, zzzitron
35.1687 USDC - $35.17
Code Link: 2022-07-golom/GolomAirdrop.sol at main · code-423n4/2022-07-golom (github.com)
The impact is that it may cause wrong calculation of the rewards for users claiming their airdrops. The minimum lock duration should not be greater than the maximum lock duration. In the function changeLockDuration of GolomAirdrop.sol#L180-L183, we should ensure that the minimum duration is less than or equal to the maximum lock duration before assigning them to the variables. This helps ensure that the owner of the contract does not set incorrect minimum and maximum lock duration values.
Add require(min <= max, 'Owner: Minimum lock duration is greater than maximum lock duration'); before assigning values to the variables.
Code Link: 2022-07-golom/RewardDistributor.sol at main · code-423n4/2022-07-golom (github.com)
There might be cases where the total supply of the reward token is zero, which makes the function addFee of RewardDistributor.sol#L98-L138 divide by zero while calculating tokenToEmit and stakerReward.
We should add require(rewardToken.totalSupply() > 0, 'total Supply of reward token is 0'); on line 104 to avoid dividing by zero.
Code Link: 2022-07-golom/RewardDistributor.sol at main · code-423n4/2022-07-golom (github.com)
If the total epoch fee is not positive, this will impact the calculation of traderClaim, exchangeClaim, traderRewards and exchangeRewards, as all of these involve dividing by the total epoch fee. We would not want a division by zero to occur.
From RedeemDistributor#L126, we must ensure that there is an ETH balance in the contract at epoch 0. Besides, we also need to ensure that the parameter fee of the addFee function is positive, as fee is the only variable used to update the total epoch fee of the current epoch, which is at RedeemDistributor#L136. Adding require checks for address(this).balance and fee to be positive should solve this issue.