PartyDAO contest - B2's results

A protocol for buying, using, and selling NFTs as a group.

General Information

Platform: Code4rena

Start Date: 12/09/2022

Pot Size: $75,000 USDC

Total HM: 19

Participants: 110

Period: 7 days

Judge: HardlyDifficult

Total Solo HM: 9

Id: 160

League: ETH

PartyDAO

Findings Distribution

Researcher Performance

Rank: 59/110

Findings: 2

Award: $117.69

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository PartyDAO

Findings Information

🌟 Selected for report: Lambda

Also found by: 0x1f8b, 0x4non, 0x52, 0x5rings, 0xDanielC, 0xNazgul, 0xSmartContract, 0xbepresent, Anth3m, Aymen0909, B2, CRYP70, CertoraInc, Ch_301, Chom, ChristianKuri, CodingNameKiki, Deivitto, Funen, JC, JansenC, Jeiwan, KIntern_NA, MasterCookie, MiloTruck, Olivierdem, PaludoX0, R2, RaymondFam, ReyAdmirado, StevenL, The_GUILD, Tomo, Trust, V_B, __141345__, asutorufos, ayeslick, bin2chen, brgltd, bulej93, c3phas, cccz, ch0bu, cryptphi, csanuragjain, d3e4, delfin454000, djxploit, erictee, fatherOfBlocks, gogo, hansfriese, indijanc, ladboy233, leosathya, lukris02, malinariy, martin, pedr02b2, pfapostol, rvierdiiev, slowmoses, smiling_heretic, tnevler, wagmi

Awards

82.3372 USDC - $82.34

Labels

bug

low quality report

QA (Quality Assurance)

sponsor acknowledged

External Links

Link to GitHub issue

Public function that could be declared external

Missing zero address validation

Unlocked Pragma

MULTIPLE UINT256 MAPPINGS CAN BE COMBINED INTO A SINGLE MAPPING OF AN UNIT256 TO A STRUCT, WHERE APPROPRIATE

Dependence on block.timestamp is risky as it can be manipulated by miners

APPROVE should be replaced with SAFEAPPROVE or SAFEINCREASEALLOWANCE()/SAFEDECREASEALLOWANCE()

approve is subject to a known front-runnning attack. Consider using safeApprove instead. Instances are below:

https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ListOnZoraProposal.sol#L143

Multiple return statements used

#0 - 0xble
2022-09-26T01:37:06Z

Unhelpful bot report

#1 - HardlyDifficult
2022-10-03T22:41:27Z

Merging with https://github.com/code-423n4/2022-09-party-findings/issues/95

Findings Information

🌟 Selected for report: CertoraInc

Also found by: 0x1f8b, 0x4non, 0x5rings, 0x85102, 0xNazgul, 0xSmartContract, 0xkatana, Amithuddar, Aymen0909, B2, Bnke0x0, CRYP70, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diraco, Fitraldys, Funen, IgnacioB, JAGADESH, JC, Lambda, LeoS, Matin, Metatron, MiloTruck, Noah3o6, Ocean_Sky, Olivierdem, PaludoX0, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Saintcode_, Sm4rty, SnowMan, StevenL, Tomio, Tomo, V_B, Waze, __141345__, ajtra, asutorufos, aysha, brgltd, bulej93, c3phas, ch0bu, d3e4, delfin454000, dharma09, djxploit, erictee, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, got_targ, ignacio, jag, karanctf, ladboy233, leosathya, lukris02, m_Rassska, malinariy, martin, natzuu, pashov, peanuts, peiw, pfapostol, prasantgupta52, robee, simon135, slowmoses, sryysryy, tnevler

Awards

35.348 USDC - $35.35

Labels

bug

G (Gas Optimization)

low quality report

sponsor acknowledged

External Links

Link to GitHub issue

AN ARRAY’S LENGTH SHOULD BE CACHED TO SAVE GAS IN FOR-LOOPS

Reading array length at each iteration of the loop consumes .more gas than necessary.Consider storing the array’s length in a variable before the for-loop. Below are the instances :

OPTIMISE IF STATEMENT

For uint, >0 is not required. Instead use the variable directly as shown below. In line https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L144, change to if (initialBalance) { Same in https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L471

++I/I++ SHOULD BE UNCHECKED{++I}/UNCHECKED{I++} WHEN IT IS NOT POSSIBLE FOR THEM TO OVERFLOW, AS IS THE CASE WHEN USED IN FOR AND WHILE LOOPS

NO NEED TO EXPLICITLY INITIALIZE VARIABLES WITH DEFAULT VALUES

If a variable is not set/initialized, it is assumed to have the default value (0 for uint, false for bool, address(0) for address…). Explicitly initializing it with its default value is an anti-pattern and wastes gas.

#0 - 0xble
2022-09-26T01:36:25Z

Unhelpful bot report

PartyDAO contest - B2's results

A protocol for buying, using, and selling NFTs as a group.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-10] QA Report - $82.34

Findings Information

Awards

Labels

External Links

Public function that could be declared external

Missing zero address validation

Unlocked Pragma

MULTIPLE UINT256 MAPPINGS CAN BE COMBINED INTO A SINGLE MAPPING OF AN UNIT256 TO A STRUCT, WHERE APPROPRIATE

Dependence on block.timestamp is risky as it can be manipulated by miners

APPROVE should be replaced with SAFEAPPROVE or SAFEINCREASEALLOWANCE()/SAFEDECREASEALLOWANCE()

Multiple return statements used

#0 - 0xble2022-09-26T01:37:06Z

#1 - HardlyDifficult2022-10-03T22:41:27Z

[G-54] Gas Report - $35.35

Findings Information

Awards

Labels

External Links

AN ARRAY’S LENGTH SHOULD BE CACHED TO SAVE GAS IN FOR-LOOPS

OPTIMISE IF STATEMENT

++I/I++ SHOULD BE UNCHECKED{++I}/UNCHECKED{I++} WHEN IT IS NOT POSSIBLE FOR THEM TO OVERFLOW, AS IS THE CASE WHEN USED IN FOR AND WHILE LOOPS

NO NEED TO EXPLICITLY INITIALIZE VARIABLES WITH DEFAULT VALUES

#0 - 0xble2022-09-26T01:36:25Z

#0 - 0xble
2022-09-26T01:37:06Z

#1 - HardlyDifficult
2022-10-03T22:41:27Z

#0 - 0xble
2022-09-26T01:36:25Z