Back to JLevick's contests

VTVL contest - JLevick's results

Building no-code token management tools to empower web3 founders and investors, starting with token vesting.

General Information

Platform: Code4rena

Start Date: 20/09/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 198

Period: 3 days

Judge: 0xean

Total Solo HM: 2

Id: 164

League: ETH

VTVL

Findings Distribution

Researcher Performance

Rank: 50/198

Findings: 4

Award: $73.91

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryVTVL

Findings Information

🌟 Selected for report: Czar102

Also found by: 0xDecorativePineapple, 0xNazgul, 0xSky, 0xbepresent, 0xmatt, Atarpara, Bahurum, DimitarDimitrov, Franfran, GimelSec, JGcarv, JLevick, Junnon, OptimismSec, Rolezn, Ruhum, Soosh, Tomo, Trust, __141345__, adriro, ajtra, bin2chen, cRat1st0s, cccz, cryptonue, d3e4, innertia, jag, joestakey, neumo, obront, pashov, pauliax, pcarranzav, peanuts, rajatbeladiya, rbserver, reassor, seyni, wagmi, zzykxx, zzzitron

Awards

0.7375 USDC - $0.74

Labels

bug
duplicate
2 (Med Risk)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-09-vtvl/blob/f68b7f3e61dad0d873b5b5a1e8126b839afeab5f/contracts/token/VariableSupplyERC20Token.sol#L19 https://github.com/code-423n4/2022-09-vtvl/blob/f68b7f3e61dad0d873b5b5a1e8126b839afeab5f/contracts/token/VariableSupplyERC20Token.sol#L36-L46

Vulnerability details

Impact

Comment on line 19 suggests that contract wont allow minting over maxSupply (unless specified with maxSupply = 0) however the check in mint() doesn't prevent this and an unlimited number of tokens can be minted even if mintableSupply isn't initially set to 0.

Proof of Concept

  1. Contract is deployed with maxSupply = 100 & initialSupply = 0
  2. Admin mints 100 tokens
  3. mintableSupply will now equal 0 and any future calls will bypass the if statement allowing the admin to mint as many tokens as they like.

Add another variable in the constructor:

unlimitedSupply = maxSupply == 0 ? true : false;

And change mint() to:

function mint(address account, uint256 amount) public onlyAdmin {
	require(account != address(0), "INVALID_ADDRESS");
	if(mintableSupply > 0) { 
		require(amount <= mintableSupply, "INVALID_AMOUNT");
		mintableSupply -= amount;
		_mint(account, amount);
	} else if (unlimitedSupply) {
		_mint(account, amount);
	}
}

#0 - 0xean

2022-09-24T00:15:47Z

dupe of #3

Findings Information

🌟 Selected for report: rajatbeladiya

Also found by: 0x4non, CertoraInc, Chom, JLevick, JohnSmith, KIntern_NA, Ruhum, RustyRabbit, ak1, berndartmueller, imare, joestakey, obront, rbserver, rotcivegaf, supernova

Awards

32.8268 USDC - $32.83

Labels

bug
duplicate
2 (Med Risk)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-09-vtvl/blob/f68b7f3e61dad0d873b5b5a1e8126b839afeab5f/contracts/VTVLVesting.sol#L253 https://github.com/code-423n4/2022-09-vtvl/blob/f68b7f3e61dad0d873b5b5a1e8126b839afeab5f/contracts/VTVLVesting.sol#L129 https://github.com/code-423n4/2022-09-vtvl/blob/f68b7f3e61dad0d873b5b5a1e8126b839afeab5f/contracts/VTVLVesting.sol#L418-L437

Vulnerability details

Description

If a user has their claim revoked & then the admin wants to recreate a new claim for them it will fail. This is due to the hasNoClaim() modifier on _createClaimUnchecked() as _claim.startTimestamp != 0.

Proof of Concept

  1. Bob creates a claim for Dave
  2. Bob is unhappy with Dave for whatever reason and revokes the claim.
  3. A couple of different scenarios could be either Dave successfully disputes this and Bob wants to reinstate the claim, or sometime in the future Bob just wants to start an entirely new claim for Dave. Both involve Bob trying to create a new claim for Dave and it failing.

In revokeClaim() add the line:

_claim.startTimestamp = 0;

#0 - 0xean

2022-09-24T19:04:38Z

dupe of #140

Findings Information

🌟 Selected for report: AkshaySrivastav

Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x5rings, 0x85102, 0xA5DF, 0xDecorativePineapple, 0xNazgul, 0xSky, 0xSmartContract, 0xbepresent, 0xf15ers, 0xmatt, 2997ms, Aeros, Aymen0909, B2, Bahurum, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, Diraco, Dravee, ElKu, Funen, IllIllI, JC, JLevick, JohnSmith, JohnnyTime, KIntern_NA, Lambda, Margaret, MasterCookie, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, SooYa, StevenL, TomJ, Tomo, V_B, Waze, Yiko, __141345__, a12jmx, ajtra, ak1, async, ayeslick, aysha, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, cccz, ch13fd357r0y3r, chatch, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dic0de, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, gogo, got_targ, hansfriese, ignacio, ikbkln, indijanc, innertia, joestakey, karanctf, ladboy233, leosathya, lukris02, martin, medikko, millersplanet, nalus, natzuu, neko_nyaa, neumo, obront, oyc_109, pcarranzav, peanuts, pedr02b2, pedroais, peiw, peritoflores, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, rokinot, romand, rotcivegaf, rvierdiiev, sach1r0, seyni, sikorico, slowmoses, sorrynotsorry, supernova, tibthecat, tnevler, ubermensch, yongskiws, zzykxx, zzzitron

Awards

18.8655 USDC - $18.87

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Low

  1. There is a comment on line 203 suggesting that the function finalVestedAmount() is unneccessary and may be removed, to prevent revokeClaim() from reverting if this happens I recommend updating line 422 to:
uint112 finalVestAmt = vestedAmount(_recipient, _claim.endTimestamp);

VTVLVesting.sol#L203 VTVLVesting.sol#L422

  1. Recommend locking pragma to the version used in testing. VariableSupplyERC20Token.sol#L2

Non Critical

  1. Recommend removing open todos before deployment. VTVLVesting.sol#L266

  2. Natspec is incomplete in the following places. VTVLVesting.sol#L416 - add @param _recipient

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x85102, 0xA5DF, 0xDanielC, 0xNazgul, 0xSmartContract, 0xbepresent, 0xc0ffEE, 0xsam, 2997ms, AkshaySrivastav, Amithuddar, Atarpara, Aymen0909, B2, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, DimitarDimitrov, Diraco, Funen, JC, JLevick, JohnSmith, Junnon, KIntern_NA, Lambda, MasterCookie, Matin, Noah3o6, Ocean_Sky, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, Saintcode_, Satyam_Sharma, Sm4rty, SnowMan, SooYa, Sta1400, StevenL, Tadashi, Tagir2003, TomJ, Tomio, Tomo, V_B, Waze, WilliamAmbrozic, Yiko, __141345__, a12jmx, adriro, ajtra, ak1, async, aysha, beardofginger, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, caventa, ch0bu, cryptostellar5, cryptphi, csanuragjain, d3e4, delfin454000, dharma09, djxploit, durianSausage, eighty, emrekocak, erictee, exd0tpy, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, got_targ, hxzy, ignacio, ikbkln, imare, indijanc, jag, jpserrat, karanctf, ladboy233, leosathya, lucacez, lukris02, m9800, malinariy, martin, medikko, mics, millersplanet, mrpathfindr, nalus, natzuu, neko_nyaa, oyc_109, pauliax, peanuts, pedroais, peiw, pfapostol, prasantgupta52, rbserver, ret2basic, rokinot, rotcivegaf, rvierdiiev, sach1r0, samruna, seyni, slowmoses, subtle77, supernova, tgolding55, tibthecat, tnevler, w0Lfrum, yaemsobak, zishansami

Awards

21.4681 USDC - $21.47

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

Gas Report

  1. Comment states finalVestedAmount() is superfluous, deployment gas can be saved by removing it and updating line 422 to:
uint112 finalVestAmt = vestedAmount(_recipient, _claim.endTimestamp);

VTVLVesting.sol#L201-L209 VTVLVesting.sol#L422

VTVLVestingPre ChangesPost ChangesSavings
Deployment3,740,7393,621,851118,888
  1. It is unneccessary to assign state variables to their default value

VTVLVesting.sol#L27 - can update to:

uint112 public numTokensReservedForVesting;
VTVLVestingPre ChangesPost ChangesSavings
Deployment3,740,7393,737,6323,107
  1. Using x = x +/- y is cheaper than x +/-= y for state variables

VTVLVesting.sol#L383 VTVLVesting.sol#L433 VTVLVesting.sol#L301 VTVLVesting.sol#L381

VTVLVestingPre ChangesPost ChangesSavings
Deployment3,740,7393,740,295444
createClaim167,757167,7525
createClaimsBatch284,486284,46224
withdraw72,93872,92810
  1. Custom errors are cheaper than require statements.
VTVLVestingPre ChangesPost ChangesSavings
Deployment3,740,7393,738,7711,968

Gas savings above are from updating 1 require statement to a custom error, there are 24 require statements throughout the VTVL contracts, so updating them all will give gas savings of ~48,000. FullPremintERC20Token.sol#L11 AccessProtected.sol#L25 AccessProtected.sol#L40 VariableSupplyERC20Token.sol#L27 VariableSupplyERC20Token.sol#L37 VariableSupplyERC20Token.sol#L41 VTVLVesting.sol#L82 VTVLVesting.sol#L107 VTVLVesting.sol#L111 VTVLVesting.sol#L129 VTVLVesting.sol#L255-L257 VTVLVesting.sol#L262-L264 VTVLVesting.sol#L270-L278 VTVLVesting.sol#L295 VTVLVesting.sol#L344-L351 VTVLVesting.sol#L374 VTVLVesting.sol#L402 VTVLVesting.sol#L426 VTVLVesting.sol#L447-L449

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter