FIAT DAO veFDT contest - Bahurum's results

Unlock liquidity for your DeFi fixed income assets.

General Information

Platform: Code4rena

Start Date: 12/08/2022

Pot Size: $35,000 USDC

Total HM: 10

Participants: 126

Period: 3 days

Judge: Justin Goro

Total Solo HM: 3

Id: 154

League: ETH

FIAT DAO

Findings Distribution

Researcher Performance

Rank: 92/126

Findings: 1

Award: $30.34

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository FIAT DAO

Findings Information

🌟 Selected for report: oyc_109

Also found by: 0x1f8b, 0x52, 0xDjango, 0xLovesleep, 0xNazgul, 0xNineDec, 0xbepresent, 0xmatt, 0xsolstars, Aymen0909, Bahurum, Bnke0x0, CertoraInc, Chom, CodingNameKiki, DecorativePineapple, Deivitto, Dravee, ElKu, Funen, GalloDaSballo, IllIllI, JC, JohnSmith, Junnon, KIntern_NA, Lambda, LeoS, MiloTruck, Noah3o6, PaludoX0, RedOneN, Respx, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, Ruhum, Sm4rty, TomJ, Vexjon, Waze, Yiko, __141345__, a12jmx, ajtra, ak1, apostle0x01, asutorufos, auditor0517, bin2chen, bobirichman, brgltd, bulej93, byndooa, c3phas, cRat1st0s, cryptphi, csanuragjain, d3e4, defsec, delfin454000, djxploit, durianSausage, ellahi, erictee, exd0tpy, fatherOfBlocks, gogo, jonatascm, ladboy233, medikko, mics, natzuu, neumo, p_crypt0, paribus, pfapostol, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, sach1r0, saneryee, seyni, sikorico, simon135, sseefried, wagmi, wastewa

Awards

30.3441 USDC - $30.34

Labels

bug

QA (Quality Assurance)

External Links

Link to GitHub issue

1. One step ownership transfer

In function transferOwnership owner is changed in a single step. Consider using a two step procedure to avoid the risk of losing contract ownership.

2. Critical consequences of `unlock()` function not explicitly stated

While the team confirmed that the unlock() function is intended to be used for migration, so it won't cause any issues, it would be better to state explicitly in natspec comment that it will break the escrow functionality and must only be used for migration.

3. Unused/redundant code:

Unused initial value of state variable decimals: State variable decimals is assigned in the constructor (L115).
If block at VotingEscrow.sol#L257-L259 is redundant since userPointHistory[_addr][uEpoch + 1] is always assigned afterwards at line 264.

4. Missing or incomplete natspec comments

In VotigEscrow.sol#L45-L66 public state variables lack naspec comment.
In external function updateBlocklist @param _addr is missing
In external function updatePenaltyRecipient @param _addr is missing
In external function forceUndelegate @param _addr is missing

5. Shadowed built in special variable `block`

In Blocklist.sol#L23 function block() shadows solidity built in special variable block.

FIAT DAO veFDT contest - Bahurum's results

Unlock liquidity for your DeFi fixed income assets.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-18] QA Report - $30.34

Findings Information

Awards

Labels

External Links

1. One step ownership transfer

2. Critical consequences of unlock() function not explicitly stated

3. Unused/redundant code:

4. Missing or incomplete natspec comments

5. Shadowed built in special variable block

2. Critical consequences of `unlock()` function not explicitly stated

5. Shadowed built in special variable `block`