Platform: Code4rena
Start Date: 07/08/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 125
Period: 3 days
Judge: alcueca
Total Solo HM: 4
Id: 274
League: ETH
Rank: 120/125
Findings: 1
Award: $4.23
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RED-LOTUS-REACH
Also found by: 0x3b, 0x4non, 0xCiphky, 0xDING99YA, 0xDetermination, 0xE1, 0xG0P1, 0xStalin, 0xWaitress, 0xbrett8571, 0xhacksmithh, 0xkazim, 0xmuxyz, 0xweb3boy, 14si2o_Flint, AlexCzm, Alhakista, Bube, Bughunter101, Deekshith99, Eeyore, Giorgio, HChang26, InAllHonesty, JP_Courses, KmanOfficial, MatricksDeCoder, Mike_Bello90, MrPotatoMagic, Naubit, QiuhaoLi, RHaO-sec, Raihan, Rolezn, SUPERMAN_I4G, Shubham, Silverskrrrt, Strausses, T1MOH, Topmark, Tripathi, Watermelon, _eperezok, aakansha, auditsea, audityourcontracts, ayden, carlos__alegre, castle_chain, cducrest, ch0bu, d23e, deadrxsezzz, deth, devival, erebus, fatherOfBlocks, halden, hassan-truscova, hpsb, hunter_w3b, imkapadia, immeas, jat, kaden, kaveyjoe, klau5, koxuan, kutugu, ladboy233, lanrebayode77, leasowillow, lsaudit, markus_ether, matrix_0wl, merlin, nemveer, ni8mare, nonseodion, oakcobalt, owadez, p_crypt0, pipidu83, piyushshukla, popular00, ppetrov, rjs, sandy, sl1, supervrijdag, tay054, thekmj, wahedtalash77, windhustler, zhaojie
4.2289 USDC - $4.23
Events should be emitted when sensitive changes are made to the contracts, but some functions lack them.
The contract GaugeController.sol does not emit events for critical state changes: when a gauge weight is changed, an event should be emitted. This makes it easier to track changes and debug issues.
Emit events for critical state changes.
There are expressions in smart contract GaugeController.sol that are tautologies. There are 2 instances of this issue.
File: src/GaugeController.sol
212: require(_user_weight >= 0 && _user_weight <= 10_000, "Invalid user weight");
https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/GaugeController.sol#L212
241: require(power_used >= 0 && power_used <= 10_000, "Used too much power");
https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/GaugeController.sol#L241
_user_weight and power_used are uint256, so _user_weight >= 0 and power_used >= 0 will always be true.
Fix the incorrect comparison by changing the value type or the comparison (drop the always-true lower-bound clause and keep only the upper bound).
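The following is an added illustration for the two GaugeController.sol findings above (missing events and tautological bounds checks); it is not the project's code. The contract, its names and its MAX_WEIGHT constant are hypothetical: setGaugeWeight records old and new values in an event so off-chain monitoring can follow every change, and voteForGaugeWeight keeps only the upper-bound check, since the `>= 0` clause on a uint256 can never fail.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the project's code. Hypothetical controller that
// (1) emits an event on every gauge-weight change and (2) bounds uint256
// weights without the always-true `>= 0` clause.
contract GaugeWeightExample {
    uint256 public constant MAX_WEIGHT = 10_000; // basis points, 100%

    address public owner;
    mapping(address => uint256) public gaugeWeight;
    mapping(address => uint256) public powerUsed;
    mapping(address => mapping(address => uint256)) public userVote;

    event GaugeWeightChanged(address indexed gauge, uint256 oldWeight, uint256 newWeight);
    event UserVote(address indexed user, address indexed gauge, uint256 weight);

    constructor() {
        owner = msg.sender;
    }

    // Admin change to a gauge's weight. Emitting old and new values lets
    // indexers and alerting reconstruct the history without replaying
    // every transaction against the contract.
    function setGaugeWeight(address gauge, uint256 newWeight) external {
        require(msg.sender == owner, "not owner");
        require(newWeight <= MAX_WEIGHT, "Invalid weight");
        uint256 old = gaugeWeight[gauge];
        gaugeWeight[gauge] = newWeight;
        emit GaugeWeightChanged(gauge, old, newWeight);
    }

    // Before: require(_user_weight >= 0 && _user_weight <= 10_000, ...)
    // `_user_weight >= 0` cannot be false for a uint256, so only the upper
    // bound carries meaning. The same applies to the power_used check.
    function voteForGaugeWeight(address gauge, uint256 _user_weight) external {
        require(_user_weight <= MAX_WEIGHT, "Invalid user weight");
        uint256 previous = userVote[msg.sender][gauge];
        // Add before subtracting so checked arithmetic cannot underflow;
        // previous is always <= powerUsed[msg.sender] by construction.
        uint256 used = powerUsed[msg.sender] + _user_weight - previous;
        require(used <= MAX_WEIGHT, "Used too much power");
        powerUsed[msg.sender] = used;
        userVote[msg.sender][gauge] = _user_weight;
        emit UserVote(msg.sender, gauge, _user_weight);
    }
}
```

The compiler does not warn about `>= 0` on an unsigned type, so this class of dead check is best caught in review or with a static analyser; Slither's `tautology` detector reports exactly this pattern.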
If a method does not make an external call then it is impossible to reenter it, so the nonReentrant modifier can be skipped in such methods. There are 3 instances of this issue in smart contract VotingEscrow.sol.
File: src/VotingEscrow.sol
268: function createLock(uint256 _value) external payable nonReentrant {
https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L268
288: function increaseAmount(uint256 _value) external payable nonReentrant {
https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L288
356: function delegate(address _addr) external nonReentrant {
https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L356
In smart contract VotingEscrow.sol, the functions createLock, increaseAmount and delegate use the nonReentrant modifier, but these methods do not make any external call. The modifier adds unnecessary gas costs and code complexity without providing any additional security, so using nonReentrant on them is unnecessary.
#0 - c4-judge
2023-08-22T13:58:14Z
alcueca marked the issue as grade-b