Platform: Code4rena
Start Date: 13/12/2021
Pot Size: $75,000 USDC
Total HM: 11
Participants: 30
Period: 7 days
Judge: leastwood
Total Solo HM: 4
Id: 68
League: ETH
Rank: 9/30
Findings: 3
Award: $2,862.52
🌟 Selected for report: 2
🚀 Solo Findings: 0
1351.9814 USDC - $1,351.98
JMukesh
The return value of the low-level call is not checked, so if the call fails, the Ether will be locked in the contract. If the low level is used to prevent blocking operations, consider logging failed calls.
manual review
add condition to check return value
#0 - 0xleastwood
2022-01-18T10:56:50Z
Nice find! I think this could be marked as medium as it leaks value from the protocol but it doesn't result in assets being lost directly. It requires _INTERMEDIATE_TOKEN to point to a contract which fails upon wrapping the ETH amount.
#1 - 0xleastwood
2022-01-18T10:57:20Z
So considering that _INTERMEDIATE_TOKEN must be improperly set, I will mark this as medium.
394.2378 USDC - $394.24
JMukesh
transfer() does not check the return , due which transfer may get failed without reverting . some tokens does not revert on failure , they just return false
manual review
use safetransferFrom() from oz libraries
#0 - 0xleastwood
2022-01-22T04:08:59Z
Duplicate of #192
JMukesh
Use of transfer() might render ETH impossible to withdraw because after istanbul hardfork, there is an increase in the gas cost of the SLOAD operation and therefore breaks some existing smart contracts.Those contracts will break because their fallback functions used to consume less than 2300 gas, and they’ll now consume more, since 2300 the amount of gas a contract’s fallback function receives if it’s called via Solidity’s transfer() or send() methods. Any smart contract that uses transfer() or send() is taking a hard dependency on gas costs by forwarding a fixed amount of gas: 2300.
https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/ https://blog.openzeppelin.com/opyn-gamma-protocol-audit/
manual review
use call() instead of transfer()
#0 - loki-sama
2022-01-03T10:01:45Z
duplicate #175
🌟 Selected for report: sirhashalot
Also found by: GiveMeTestEther, JMukesh, Ruhum, WatchPug, defsec, robee
JMukesh
due to lack of check for the return value of approve() , function may silently fail
manual review
use safeApprove() from oz library
#0 - loki-sama
2021-12-30T13:24:26Z
duplicate #294
🌟 Selected for report: JMukesh
JMukesh
Initialize() , Initializes important contract state that can be called by anyone. Since it lacks an access modifier, an attacker can initialize the contract before the legitimate deployer. The attacker, hoping that the victim continues to use the same contract, can hijack the victims POAP. In the best case scenario, the target would notice this falsely deployed contract and redeploy their legitimate contract, but this costs them gas.
contracts which uses initialize(), they all lack access modifier
manual review
add access control or use constructor to initialize the non-proxy contracts