Platform: Code4rena
Start Date: 12/07/2022
Pot Size: $75,000 USDC
Total HM: 16
Participants: 100
Period: 7 days
Judge: LSDan
Total Solo HM: 7
Id: 145
League: ETH
Rank: 61/100
Findings: 2
Award: $118.80
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 8olidity, Aussie_Battlers, Bnke0x0, Ch_301, Critical, Deivitto, Dravee, ElKu, Funen, GimelSec, JC, JohnSmith, Lambda, MiloTruck, PwnedNoMore, ReyAdmirado, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, TomJ, Waze, _Adam, __141345__, alan724, asutorufos, benbaessler, berndartmueller, bin2chen, brgltd, bulej93, c3phas, cRat1st0s, cryptonue, cryptphi, csanuragjain, delfin454000, dxdv, exd0tpy, fatherOfBlocks, gogo, hake, hyh, joestakey, kyteg, lcfr_eth, minhtrng, p_crypt0, pashov, pedr02b2, philogy, rajatbeladiya, rbserver, rishabh, robee, rokinot, sach1r0, sashik_eth, seyni, simon135, svskaushik, zuhaibmohd, zzzitron
78.9385 USDC - $78.94
return statement when the function defines a named return variable, is redundantFile: contracts/dnssec-oracle/DNSSECImpl.sol: 138 139: return rrset; 140 }
Missing: @param rrset
File: contracts/dnssec-oracle/DNSSECImpl.sol: #1 179 * @param name The name of the RRSIG record, in DNS label-sequence format. 180 * @param data The original data to verify. 181 * @param proof A DS or DNSKEY record that's already verified by the oracle. 182 */ 183: function verifySignature(bytes memory name, RRUtils.SignedSet memory rrset, RRSetWithSignature memory data, bytes memory proof) internal view { 184 // o The RRSIG RR's Signer's Name field MUST be the name of the zone File: contracts/dnssec-oracle/DNSSECImpl.sol: #2 232 */ 233: function verifySignatureWithKey(RRUtils.DNSKEY memory dnskey, bytes memory keyrdata, RRUtils.SignedSet memory rrset, RRSetWithSignature memory data) 234 internal File: contracts/wrapper/NameWrapper.sol L401: function upgradeETH2LD( string calldata label, address wrappedOwner, address resolver
Missing: @param resolver
File: contracts/registry/ReverseRegistrar.sol L132: function setNameForAddr( address addr, address owner, address resolver, string memory name ) public override returns (bytes32) { L76: function claimForAddr( address addr, address owner, address resolver
Missing: @param: expiry
File: contracts/wrapper/NameWrapper.sol L271: function renew( uint256 tokenId, uint256 duration, uint64 expiry
There are no null checks in the multiplyPowerBase2() function, so can mistakenly pass 0x0 to that function, which will cause the for-loop to revert when that asset is reached.
File: contracts/dnssec-oracle/algorithms/EllipticCurve.sol function multiplyPowerBase2(uint x0, uint y0, uint exp) internal pure returns (uint, uint) { uint base2X = x0; uint base2Y = y0; uint base2Z = 1; for(uint i = 0; i < exp; i++) { (base2X, base2Y, base2Z) = twiceProj(base2X, base2Y, base2Z); } return toAffinePoint(base2X, base2Y, base2Z); }
File: contracts/dnssec-oracle/Owned.sol: 17 18: function setOwner(address newOwner) public owner_only { 19 owner = newOwner;
🌟 Selected for report: 0xKitsune
Also found by: 0x040, 0x1f8b, 0x29A, 0xNazgul, 0xNineDec, 0xsam, 8olidity, Aussie_Battlers, Aymen0909, Bnke0x0, CRYP70, Ch_301, Chom, Deivitto, Dravee, ElKu, Fitraldys, Funen, GimelSec, IllIllI, JC, JohnSmith, Lambda, MiloTruck, Noah3o6, RedOneN, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Tomio, Waze, _Adam, __141345__, ajtra, ak1, arcoun, asutorufos, benbaessler, brgltd, bulej93, c3phas, cRat1st0s, cryptonue, delfin454000, durianSausage, fatherOfBlocks, gogo, hake, hyh, joestakey, karanctf, kyteg, lcfr_eth, lucacez, m_Rassska, rajatbeladiya, rbserver, robee, rokinot, sach1r0, sahar, samruna, sashik_eth, seyni, simon135, zuhaibmohd
39.8564 USDC - $39.86
Code architecture, incentives, and error handling/reporting questions/issues should be resolved before deployment
File: contracts/dnssec-oracle/DNSSECImpl.sol: 237 { 238: // TODO: Check key isn't expired, unless updating key itself 239
File: contracts/ethregistrar/ETHRegistrarController.sol function valid(string memory name) public pure returns (bool) { return name.strlen() >= 3; } File: contracts/ethregistrar/StablePriceOracle.sol function attoUSDToWei(uint256 amount) internal view returns (uint256) { uint256 ethPrice = uint256(usdOracle.latestAnswer()); return (amount * 1e8) / ethPrice; } function weiToAttoUSD(uint256 amount) internal view returns (uint256) { uint256 ethPrice = uint256(usdOracle.latestAnswer()); return (amount * ethPrice) / 1e8; }
Even memory arrays incur the overhead of bit tests and bit shifts to calculate the array length. Storage array length checks incur an extra Gwarmaccess (100 gas) PER-LOOP.
File: contracts/dnssec-oracle/DNSSECImpl.sol: 92 bytes memory proof = anchors; 93: for(uint i = 0; i < input.length; i++) { 94 RRUtils.SignedSet memory rrset = validateSignedSet(input[i], proof, now); File: contracts/dnssec-oracle/RRUtils.sol: 285 * uint ac; 286: * for (uint i = 0; i < data.length; i++) { 287 * ac += i & 1 == 0 ? uint16(data.readUint8(i)) << 8 : data.readUint8(i); File: contracts/ethregistrar/BulkRenewal.sol: 40 ETHRegistrarController controller = getController(); 41: for (uint256 i = 0; i < names.length; i++) { 42 IPriceOracle.Price memory price = controller.rentPrice( 55 ETHRegistrarController controller = getController(); 56: for (uint256 i = 0; i < names.length; i++) { 57 IPriceOracle.Price memory price = controller.rentPrice( File: contracts/ethregistrar/ETHRegistrarController.sol: 255 bytes32 nodehash = keccak256(abi.encodePacked(ETH_NODE, label)); 256: for (uint256 i = 0; i < data.length; i++) { 257 // check first few bytes are namehash File: contracts/ethregistrar/StringUtils.sol: 12 uint i = 0; 13: uint bytelength = bytes(s).length; 14 for(len = 0; i < bytelength; len++) { File: contracts/resolvers/Multicallable.sol: 9 results = new bytes[](data.length); 10: for(uint i = 0; i < data.length; i++) { 11 (bool success, bytes memory result) = address(this).delegatecall(data[i]); File: contracts/wrapper/ERC1155Fuse.sol: 91 92: for (uint256 i = 0; i < accounts.length; ++i) { 93 batchBalances[i] = balanceOf(accounts[i], ids[i]); 204 205: for (uint256 i = 0; i < ids.length; ++i) { 206 uint256 id = ids[i];