Neo Tokyo contest - Kresh's results

A staking contract for the crypto gaming illuminati.

General Information

Platform: Code4rena

Start Date: 08/03/2023

Pot Size: $60,500 USDC

Total HM: 2

Participants: 123

Period: 7 days

Judge: hansfriese

Id: 220

League: ETH

Neo Tokyo

Findings Distribution

Researcher Performance

Rank: 81/123

Findings: 1

Award: $29.67

QA:

grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Neo Tokyo

Findings Information

🌟 Selected for report: 0xSmartContract

Also found by: 0x1f8b, 0x6980, 0xAgro, 0xSolus, 0xhacksmithh, 0xkazim, ABA, BPZ, BowTiedOriole, ChainReview, DadeKuma, DeFiHackLabs, Deathstore, DevABDee, Diana, Dravee, Dug, Englave, Go-Langer, Haipls, IceBear, Inspex, Jeiwan, Kek, Kresh, Madalad, MatricksDeCoder, MyFDsYours, RaymondFam, Rolezn, SAAJ, Sathish9098, Taloner, Udsen, Viktor_Cortess, atharvasama, ayden, brgltd, btk, carlitox477, catellatech, chaduke, codeislight, deadrxsezzz, descharre, erictee, fatherOfBlocks, favelanky, glcanvas, handsomegiraffe, jasonxiale, jekapi, joestakey, lemonr, luxartvinsec, martin, matrix_0wl, minhquanym, mrpathfindr, nadin, oyc_109, parsely, peanuts, pfedprog, rbserver, rokso, saian, santipu_, scokaf, slvDev, tsvetanovv, ubl4nk, ulqiorra, yamapyblack, zaskoh

Awards

29.6697 USDC - $29.67

Labels

bug

grade-b

QA (Quality Assurance)

Q-03

External Links

Link to GitHub issue

Out of gas because of `getPoolReward`

Description

Because of getPoolReward function's strcture, it is possible for stake to get an "out of gas" error (for every new stake by user it needs about 13k more gas). withdraw and claimReward functions spend less gas, so the full lock of the NFT is impossible (only partial because of high gas fee).

Recomendation

That is architecture's disadvantage

Valid useless parameter

Description

For stake there is an invalid check for assetType, it accepts 4, however it will revert later on dynamic function calling (line https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1205) For withdraw is also accepts 4, and still will revert later (line https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1668)

Recomendation

Replace > 4 with > 3

Improper variable name

Description

getCreditYield function has an improper variable name _vaultId (line https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L627)

Recomendation

Replace it with _citizenVaultId

#0 - c4-judge
2023-03-17T02:35:26Z

hansfriese marked the issue as grade-c

#1 - hansfriese
2023-04-04T09:13:02Z

Upgrade to grade-b as it contains 2 low-risk findings.

#2 - c4-judge
2023-04-04T09:13:09Z

hansfriese marked the issue as grade-b

Neo Tokyo contest - Kresh's results

A staking contract for the crypto gaming illuminati.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-03] QA Report - $29.67

Findings Information

Awards

Labels

External Links

Out of gas because of getPoolReward

Description

Recomendation

Valid useless parameter

Description

Recomendation

Improper variable name

Description

Recomendation

#0 - c4-judge2023-03-17T02:35:26Z

#1 - hansfriese2023-04-04T09:13:02Z

#2 - c4-judge2023-04-04T09:13:09Z

Out of gas because of `getPoolReward`

#0 - c4-judge
2023-03-17T02:35:26Z

#1 - hansfriese
2023-04-04T09:13:02Z

#2 - c4-judge
2023-04-04T09:13:09Z