XDEFI contest - Jujic's results

The fastest wallet in DeFi.

General Information

Platform: Code4rena

Start Date: 04/01/2022

Pot Size: $25,000 USDC

Total HM: 3

Participants: 40

Period: 3 days

Judge: Ivo Georgiev

Total Solo HM: 1

Id: 75

League: ETH

XDEFI

Findings Distribution

Researcher Performance

Rank: 23/40

Findings: 2

Award: $77.58

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository XDEFI

Findings Information

🌟 Selected for report: cccz

Also found by: Jujic, Tomio, WatchPug, agusduha, certora, hack3r-0m, jayjonah8, ye0lde

Labels

bug

duplicate

1 (Low Risk)

disagree with severity

sponsor acknowledged

Awards

37.3718 USDC - $37.37

External Links

Link to GitHub issue

Handle

Jujic

Vulnerability details

Impact

There are two input arrays, but no check for the same length.

Proof of Concept

https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L77-L85

function setLockPeriods(uint256[] memory durations_, uint8[] memory multipliers) external onlyOwner {
        uint256 count = durations_.length;

        for (uint256 i; i < count; ++i) {
            uint256 duration = durations_[i];
            require(duration <= uint256(18250 days), "INVALID_DURATION");
            emit LockPeriodSet(duration, bonusMultiplierOf[duration] = multipliers[i]);
        }
    }

Tools Used

Remix

Recommended Mitigation Steps

Check the length of both input arrays.

require(durations_.length == multipliers.length);

#0 - deluca-mike
2022-01-08T03:33:32Z

There is no transfer here, so maybe the title is wrong.

In any case, if there are more multipliers than durations, then the extra multipliers are ignored. If there are more durations than multipliers, then the function will revert anyway. Further, if the admin did make a mistake, they can just call the function again. This is no-risk.

#1 - deluca-mike
2022-01-09T10:58:44Z

Duplicate #38

Findings Information

🌟 Selected for report: Dravee

Also found by: 0xsanson, Jujic, WatchPug, ye0lde

Labels

bug

duplicate

G (Gas Optimization)

sponsor confirmed

Awards

13.1525 USDC - $13.15

External Links

Link to GitHub issue

Handle

Jujic

Vulnerability details

Impact

Using the unchecked keyword to avoid redundant arithmetic underflow/overflow checks to save gas when an underflow/overflow cannot happen.

Proof of Concept

https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L120

 require(lockAmount_ <= amountUnlocked_, "INSUFFICIENT_AMOUNT_UNLOCKED");

 uint256 withdrawAmount = amountUnlocked_ - lockAmount_;

Tools Used

Remix

Recommended Mitigation Steps

unchecked {
         uint256 withdrawAmount = amountUnlocked_ - lockAmount_;
 }

#0 - deluca-mike
2022-01-08T03:36:08Z

While we originally did not want to use unchecked math, even if we knew it saved gas, in order to have cleaner code, we will now use unchecked math everywhere possible.

#1 - deluca-mike
2022-01-09T10:57:44Z

Duplicate #49

Findings Information

🌟 Selected for report: defsec

Also found by: Dravee, Jujic

Labels

bug

duplicate

G (Gas Optimization)

sponsor acknowledged

Awards

27.0627 USDC - $27.06

External Links

Link to GitHub issue

Handle

Jujic

Vulnerability details

Impact

!= 0 is a cheaper operation compared to > 0, when dealing with uint.

Proof of Concept

https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L145

require(totalUnitsCached > uint256(0), "NO_UNIT_SUPPLY");

Tools Used

Remix

Recommended Mitigation Steps

#0 - deluca-mike
2022-01-08T03:37:05Z

This is not always true, but still valid point that it is worth testing and checking. In any case, requires will be converted into if-reverts with custom error messages to that will now become: if (totalUnitsCached == uint256(0)) revert NoUnitSupply();

#1 - deluca-mike
2022-01-09T10:57:25Z

Duplicate #88

XDEFI contest - Jujic's results

The fastest wallet in DeFi.

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $37.37

Gas Report - $40.21

QA Report - $37.37

Gas Report - $40.21

[L-02] Multi Transfer arrays length check - $37.37

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - deluca-mike2022-01-08T03:33:32Z

#1 - deluca-mike2022-01-09T10:58:44Z

[G-02] Save Gas with the unchecked keyword - $13.15

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - deluca-mike2022-01-08T03:36:08Z

#1 - deluca-mike2022-01-09T10:57:44Z

[G-08] > 0 can be replaced with != 0 for gas optimisation - $27.06

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - deluca-mike2022-01-08T03:37:05Z

#1 - deluca-mike2022-01-09T10:57:25Z

#0 - deluca-mike
2022-01-08T03:33:32Z

#1 - deluca-mike
2022-01-09T10:58:44Z

#0 - deluca-mike
2022-01-08T03:36:08Z

#1 - deluca-mike
2022-01-09T10:57:44Z

#0 - deluca-mike
2022-01-08T03:37:05Z

#1 - deluca-mike
2022-01-09T10:57:25Z