Redacted Cartel contest - Awesome's results

Boosted GMX assets from your favorite liquid token wrapper, Pirex - brought to you by Redacted Cartel.

General Information

Platform: Code4rena

Start Date: 21/11/2022

Pot Size: $90,500 USDC

Total HM: 18

Participants: 101

Period: 7 days

Judge: Picodes

Total Solo HM: 4

Id: 183

League: ETH

Researcher Performance

Rank: 77/101

Findings: 1

Award: $53.49

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

1. Event log poisoning in distributeFees()

distributeFees() is an external function that anyone can call with a token as input, but there is no data validation to check that the token is non-zero. A user can therefore call distributeFees() continuously with an input of a non-zero value.

Affected lines of code: Lines 100-116

2. Use delete to clear variables

Rather than using a zero assignment, a better way of signifying the intent is to use delete.

There are 2 instances where this can be implemented:

Line 118, Line 391

File: vaults/PxGmxReward.sol
Line 118: userRewardStates[msg.sender].rewards = 0;

File: src/PirexRewards.sol
Line 391: p.userStates[user].rewards = 0;

These could be refactored as:

File: vaults/PxGmxReward.sol
Line 118: delete userRewardStates[msg.sender].rewards;

File: src/PirexRewards.sol
Line 391: delete p.userStates[user].rewards;

3. Absent NatSpec comments

Consider providing NatSpec as it is good for readability, debugging, further development etc.

Consider following the official NatSpec comment guidelines to make the contract more readable. https://docs.soliditylang.org/en/develop/natspec-format.html

Affected contracts:

interfaces/IPirexRewards.sol, interfaces/IProducer.sol, interfaces/IAutoPxGlp.sol, src/Common.sol

#0 - c4-judge

2022-12-04T20:28:00Z

Picodes marked the issue as grade-b
