Trader Joe contest - Funen's results

One-stop-shop decentralized trading on Avalanche.

General Information

Platform: Code4rena

Start Date: 25/01/2022

Pot Size: $50,000 USDT

Total HM: 17

Participants: 39

Period: 3 days

Judge: LSDan

Total Solo HM: 9

Id: 79

League: ETH

Trader Joe

Findings Distribution

Researcher Performance

Rank: 20/39

Findings: 2

Award: $698.87

🌟 Selected for report: 2

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Trader Joe

Findings Information

🌟 Selected for report: hyh

Also found by: Funen, wuwe1

Labels

bug

duplicate

1 (Low Risk)

Awards

140.1231 USDT - $140.12

External Links

Link to GitHub issue

Handle

Funen

Vulnerability details

Impact

The user's that had been deploy the contract will got zero address

Proof of Concept

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeFactory.sol#L53-L61 This contract was using address to check that Addresses can't be zero address

E.g. : https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeStaking.sol this wasnt check that addresses not zero address

Tools Used

Manual Review

#0 - cryptofish7
2022-01-31T00:33:15Z

Duplicate of #266

Findings Information

🌟 Selected for report: Funen

Labels

bug

G (Gas Optimization)

sponsor acknowledged

Awards

39.7792 USDT - $39.78

External Links

Link to GitHub issue

Handle

Funen

Vulnerability details

Proof of Concept

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/LaunchEvent.sol#L48-L50 the Phase called from RJoeFactory.sol , so immutable can saving more gas

Tools Used

Manual Review

Recommended Mitigation Steps

uint256 public PHASE_ONE_DURATION ;  
uint256 public PHASE_ONE_NO_FEE_DURATION; 
uint256 public PHASE_TWO_DURATION;

changed into

uint256 public immutable PHASE_ONE_DURATION; 
uint256 public immutable PHASE_ONE_NO_FEE_DURATION; 
uint256 public immutable PHASE_TWO_DURATION;

Findings Information

🌟 Selected for report: Funen

Labels

bug

1 (Low Risk)

disagree with severity

Awards

518.9746 USDT - $518.97

External Links

Link to GitHub issue

Handle

Funen

Vulnerability details

RocketJoeStaking.sol in https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeStaking.sol#L24 comment was using -> // pending reward = (user.amount * accRJoePerShare) - user.rewardDebt

it should be used PRECISION to make it same actual calculation in the contract

and change to

pending reward = (user.amount * _accRJoePerShare) / PRECISION - user.rewardDebt

#0 - cryptofish7
2022-01-31T19:19:52Z

Should be 0 severity as it is a comment/styling fix.

Fix: https://github.com/traderjoe-xyz/rocket-joe/pull/129/files

#1 - dmvt
2022-02-23T12:18:09Z

1 — Low (L): vulns that have a risk of 1 are considered “Low” severity when assets are not at risk. Includes state handling, function incorrect as to spec, and issues with comments.

Severity is valid. This is an issue with a comment.

Trader Joe contest - Funen's results

One-stop-shop decentralized trading on Avalanche.

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $659.09

Gas Report - $39.78

QA Report - $659.09

Gas Report - $39.78

[L-05] Missing Zero Addresss Check - $140.12

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

#0 - cryptofish72022-01-31T00:33:15Z

🚀 [G-32] Saving more gas by using `immutable phase` - $39.78

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Proof of Concept

Tools Used

Recommended Mitigation Steps

🚀 [L-20] Incorecct calculation between actual code and comment - $518.97

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

#0 - cryptofish72022-01-31T19:19:52Z

#1 - dmvt2022-02-23T12:18:09Z

#0 - cryptofish7
2022-01-31T00:33:15Z

#0 - cryptofish7
2022-01-31T19:19:52Z

#1 - dmvt
2022-02-23T12:18:09Z