Platform: Code4rena
Start Date: 18/10/2022
Pot Size: $75,000 USDC
Total HM: 27
Participants: 144
Period: 7 days
Judge: gzeon
Total Solo HM: 13
Id: 170
League: ETH
Rank: 138/144
Findings: 2
Award: $0.00
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Rolezn
Also found by: 0x1f8b, 0x52, 0x5rings, 0xNazgul, 0xSmartContract, 0xZaharina, 0xhunter, 0xzh, 8olidity, Amithuddar, Aymen0909, B2, Bnke0x0, Chom, Deivitto, Diana, Diraco, Dravee, Franfran, JC, Jeiwan, Josiah, JrNet, Jujic, KingNFT, KoKo, Lambda, Margaret, Migue, Ocean_Sky, PaludoX0, Picodes, Rahoz, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Shinchan, Tagir2003, Trust, Waze, Yiko, __141345__, a12jmx, adriro, ajtra, arcoun, aysha, ballx, bin2chen, bobirichman, brgltd, bulej93, catchup, catwhiskeys, caventa, cccz, cdahlheimer, ch0bu, chaduke, chrisdior4, cloudjunky, cryptostellar5, cryptphi, csanuragjain, cylzxje, d3e4, delfin454000, djxploit, durianSausage, erictee, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, hansfriese, i_got_hacked, ignacio, imare, karanctf, kv, leosathya, louhk, lukris02, lyncurion, m_Rassska, malinariy, martin, mcwildy, mics, minhtrng, nicobevi, oyc_109, pashov, peanuts, pedr02b2, peiw, rbserver, ret2basic, rotcivegaf, rvierdiiev, ryshaw, sakman, sakshamguruji, saneryee, securerodd, seyni, sikorico, svskaushik, teawaterwire, tnevler, w0Lfrum
0 USDC - $0.00
Should update to @dev bytes32(uint256(keccak256('eip1967.Holograph.baseGas')) - 1)
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/module/LayerZeroModule.sol#L140
Should update to @dev bytes32(uint256(keccak256('eip1967.Holograph.gasPerByte')) - 1)
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/module/LayerZeroModule.sol#L146
Missing address(0) check for the signature recovery. This is reported as a Low finding because there are no heavy side effects:
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographFactory.sol#L220
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographFactory.sol#L333-L334
An address(0) return from ecrecover may mean that the recovery failed.
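The pattern behind this finding, as an added illustration that is not Holograph's code: ecrecover returns address(0) for a malformed signature, so a comparison against a signer slot that could itself be zero (unset storage, or a zero passed in by mistake) silently passes. The contract name, the expectedSigner slot and both function names are assumptions made for the example; the hardened version simply rejects the zero address before comparing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example, not taken from the audited repository.
/// Shows the unchecked ecrecover pattern beside its hardened form.
contract SignerCheckExample {
    /// Hypothetical signer slot. If it is never set it holds address(0),
    /// which is exactly what ecrecover returns on a failed recovery.
    address public expectedSigner;

    constructor(address signer) {
        expectedSigner = signer;
    }

    /// Vulnerable pattern: a garbage (v, r, s) makes ecrecover return
    /// address(0); if expectedSigner is address(0) the comparison succeeds
    /// and an invalid signature is treated as valid.
    function verifyUnchecked(bytes32 hash, uint8 v, bytes32 r, bytes32 s)
        external
        view
        returns (bool)
    {
        address recovered = ecrecover(hash, v, r, s);
        return recovered == expectedSigner;
    }

    /// Hardened pattern: fail closed on a zero recovery result, so a failed
    /// recovery can never match any stored signer, zero or not.
    function verifyChecked(bytes32 hash, uint8 v, bytes32 r, bytes32 s)
        external
        view
        returns (bool)
    {
        address recovered = ecrecover(hash, v, r, s);
        require(recovered != address(0), "ecrecover failed");
        return recovered == expectedSigner;
    }
}
```

The require costs a single comparison and turns a silent acceptance into a revert; it is the minimum check to add wherever an ecrecover result feeds an authorization decision.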
Function that was left here for testing purposes. Not much of an issue because it has proper access control and the admin is initialized: https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographOperator.sol#L274-L294
This function can use the view keyword as it makes no state change and is meant to estimate gas usage, which in this context is mostly called off-chain:
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographOperator.sol#L549
🌟 Selected for report: oyc_109
Also found by: 0x040, 0x1f8b, 0x5rings, 0xNazgul, 0xSmartContract, 0xZaharina, 0xsam, 0xzh, 2997ms, Amithuddar, Aymen0909, B2, Bnke0x0, Deivitto, Diana, Dinesh11G, Franfran, JC, JrNet, Jujic, KingNFT, KoKo, Mathieu, Metatron, Mukund, Olivierdem, PaludoX0, Pheonix, Picodes, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Saintcode_, Satyam_Sharma, Shinchan, Tagir2003, Tomio, Waze, Yiko, __141345__, adriro, ajtra, aysha, ballx, beardofginger, bobirichman, brgltd, bulej93, catchup, catwhiskeys, cdahlheimer, ch0bu, chaduke, chrisdior4, cryptostellar5, cylzxje, d3e4, delfin454000, dharma09, djxploit, durianSausage, emrekocak, erictee, exolorkistis, fatherOfBlocks, gianganhnguyen, gogo, halden, hxzy, i_got_hacked, iepathos, karanctf, leosathya, lucacez, lukris02, lyncurion, m_Rassska, martin, mcwildy, mics, nicobevi, peanuts, peiw, rbserver, ret2basic, rotcivegaf, ryshaw, sakman, sakshamguruji, saneryee, sikorico, skyle, svskaushik, tnevler, vv7, w0Lfrum, zishansami
0 USDC - $0.00
receive is unnecessary if the fallback function is defined and used for the same purpose.
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographBridge.sol#L574-L586
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographFactory.sol#L340-L349
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/module/LayerZeroModule.sol#L416-L425
This can be wrapped in an unchecked block:
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographOperator.sol#L433
This can be stored in a variable and done in an unchecked block: https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographOperator.sol#L640, because it was already checked before: https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographOperator.sol#L595
There is no need to delete an array element before popping it:
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographOperator.sol#L1148-L1152
as explained in the docs: https://docs.soliditylang.org/en/v0.5.4/types.html#array-members
Because pop already deletes it implicitly.
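The two gas patterns from this report side by side, as an added example that is not Holograph's code: a redundant delete before pop, and an arithmetic operation placed in an unchecked block only after the bound that makes it safe has been checked. The contract, the items array and the function names are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example, not taken from the audited repository.
contract GasPatternsExample {
    /// Hypothetical storage array used to show the delete-before-pop pattern.
    uint256[] public items;

    function push(uint256 value) external {
        items.push(value);
    }

    /// Before: the delete is redundant. pop() already zeroes the removed
    /// slot, so this pays for the same storage write twice.
    function removeLastRedundant() external {
        delete items[items.length - 1];
        items.pop();
    }

    /// After: pop() alone clears the slot and shrinks the length.
    function removeLast() external {
        items.pop();
    }

    /// Swap-and-pop removal of an arbitrary index: the element to drop is
    /// overwritten by the last one, then the last slot is popped. No delete
    /// is needed here either.
    function removeAt(uint256 index) external {
        uint256 last = items.length - 1;
        require(index <= last, "index out of range");
        if (index != last) {
            items[index] = items[last];
        }
        items.pop();
    }

    /// Unchecked arithmetic is safe only because the require above it rules
    /// out the underflow the checked version would have caught. Keeping the
    /// check and the unchecked block adjacent makes the invariant auditable.
    function checkedSub(uint256 a, uint256 b) external pure returns (uint256) {
        require(a >= b, "underflow");
        unchecked {
            return a - b;
        }
    }
}
```

The rule of thumb for unchecked blocks: the condition that makes the operation safe must be enforced in the same function (or be a documented invariant of the caller), and reading the require directly above the block should be enough to convince a reviewer.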