Platform: Code4rena
Start Date: 08/06/2022
Pot Size: $115,000 USDC
Total HM: 26
Participants: 72
Period: 11 days
Judge: leastwood
Total Solo HM: 14
Id: 132
League: ETH
Rank: 23/72
Findings: 3
Award: $482.61
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GimelSec
Also found by: Czar102, Lambda, csanuragjain, minhquanym, shenwilly
In LibDiamond.sol#L88, acceptanceTimes of a _diamondCut is set to 0. Then, in #L101, it is checked that this value is smaller than block.timestamp. While this check works when the diamond is in the proposal period, it will always succeed for a rescinded diamond cut (with acceptance time 0), meaning the acceptance period can be trivially circumvented.
Set acceptanceTimes to type(uint256).max when rescinding.
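As an added illustration (not part of the finding and not Connext's LibDiamond), the following minimal model shows the rescind-to-zero pattern the finding describes next to the recommended type(uint256).max sentinel. The contract, function and constant names and the delay are assumptions; the delay check is modelled as the finding states it, a plain "acceptance time smaller than block.timestamp" comparison.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Connext's LibDiamond. A minimal model of the
// propose / rescind / execute lifecycle of a diamond cut, keyed by the hash
// of the proposed cut. Contract, function and constant names are assumptions.
contract DiamondCutTimelock {
    uint256 public constant DELAY = 7 days; // assumed acceptance delay

    // cut hash => timestamp after which the cut may be executed
    mapping(bytes32 => uint256) public acceptanceTimes;

    function propose(bytes32 cutHash) external {
        acceptanceTimes[cutHash] = block.timestamp + DELAY;
    }

    // Before: the pattern the finding reports. Resetting the slot to 0 makes
    // canExecute() true immediately, because 0 < block.timestamp always holds.
    function rescindBefore(bytes32 cutHash) external {
        acceptanceTimes[cutHash] = 0;
    }

    // After: the recommended fix. type(uint256).max is never smaller than
    // block.timestamp, so a rescinded cut stays unexecutable until propose()
    // overwrites the slot with a fresh acceptance time.
    function rescindAfter(bytes32 cutHash) external {
        acceptanceTimes[cutHash] = type(uint256).max;
    }

    // The delay check as the finding describes it (LibDiamond.sol#L101):
    // only "acceptance time < block.timestamp" is tested.
    function canExecute(bytes32 cutHash) public view returns (bool) {
        return acceptanceTimes[cutHash] < block.timestamp;
    }

    function execute(bytes32 cutHash) external {
        require(canExecute(cutHash), "delay not elapsed");
        // Mark the cut as consumed with the same sentinel; writing 0 here
        // would make the cut executable again on the next call.
        acceptanceTimes[cutHash] = type(uint256).max;
    }
}
```

A hash that was never proposed also reads 0 and passes canExecute(), so the sentinel on rescind only covers the case the finding raises; an explicit non-zero check at the call site (require(acceptanceTimes[cutHash] != 0)) is cheap defence in depth for the same comparison.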
#0 - LayneHaber
2022-06-24T16:34:13Z
Duplicate of #98
#1 - 0xleastwood
2022-08-15T07:58:36Z
Duplicate of #215.
🌟 Selected for report: BowTiedWardens
Also found by: 0x1f8b, 0x29A, 0x52, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 0xmint, Chom, ElKu, Funen, IllIllI, JMukesh, Jujic, Kaiziron, Lambda, MiloTruck, Ruhum, SmartSek, SooYa, TerrierLover, TomJ, WatchPug, Waze, _Adam, asutorufos, auditor0517, bardamu, c3phas, catchup, cccz, ch13fd357r0y3r, cloudjunky, cmichel, cryptphi, csanuragjain, defsec, fatherOfBlocks, hansfriese, hyh, jayjonah8, joestakey, k, kenta, obtarian, oyc_109, robee, sach1r0, shenwilly, simon135, slywaters, sorrynotsorry, tintin, unforgiven, xiaoming90, zzzitron
142.2658 USDC - $142.27
In RoutersFacet.sol#L434, it is checked if the proposal period has passed. However, it is possible for the owner to set a new owner without waiting for the delay. When proposedRouterTimestamp and proposedRouterOwners are 0 for a given router (i.e., uninitialized), the owner can call acceptProposedRouterOwner (because onlyProposedRouterOwner accepts calls by the owner in such a scenario) and immediately set the owner to 0.
Check proposedRouterTimestamp is 0.
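As an added illustration (not part of the finding and not Connext's RoutersFacet), the following model shows the accept path with only the delay check next to the version that first rejects a router with no pending proposal, which is what the finding recommends. All names, the modifier's exact shape and the delay are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Connext's RoutersFacet. A minimal model of the
// router ownership proposal flow the finding describes; all names and the
// delay are assumptions.
contract RouterOwnership {
    uint256 public constant DELAY = 7 days; // assumed proposal period

    mapping(address => address) public routerOwners;
    mapping(address => address) public proposedRouterOwners;
    mapping(address => uint256) public proposedRouterTimestamp;

    // As the finding describes the modifier: when no owner has been proposed
    // (proposedRouterOwners[router] == address(0)) the current owner may call.
    modifier onlyProposedRouterOwner(address router) {
        address proposed = proposedRouterOwners[router];
        if (proposed == address(0)) {
            require(msg.sender == routerOwners[router], "not router owner");
        } else {
            require(msg.sender == proposed, "not proposed owner");
        }
        _;
    }

    function setupRouter(address router) external {
        require(routerOwners[router] == address(0), "already set up");
        routerOwners[router] = msg.sender;
    }

    function proposeRouterOwner(address router, address proposed) external {
        require(msg.sender == routerOwners[router], "not router owner");
        proposedRouterOwners[router] = proposed;
        proposedRouterTimestamp[router] = block.timestamp;
    }

    // Before: only the delay is checked. For a router with no pending proposal
    // (timestamp 0, proposed owner address(0)) the owner passes the modifier,
    // 0 + DELAY < block.timestamp holds on any live chain, and ownership is
    // handed to address(0) with no waiting period.
    function acceptProposedRouterOwnerBefore(address router)
        external
        onlyProposedRouterOwner(router)
    {
        require(proposedRouterTimestamp[router] + DELAY < block.timestamp, "delay not elapsed");
        _transfer(router);
    }

    // After: the finding's recommendation, reject when nothing is pending.
    function acceptProposedRouterOwnerAfter(address router)
        external
        onlyProposedRouterOwner(router)
    {
        uint256 proposedAt = proposedRouterTimestamp[router];
        require(proposedAt != 0, "no pending proposal");
        require(proposedAt + DELAY < block.timestamp, "delay not elapsed");
        _transfer(router);
    }

    function _transfer(address router) private {
        routerOwners[router] = proposedRouterOwners[router];
        delete proposedRouterOwners[router];
        delete proposedRouterTimestamp[router];
    }
}
```

The "after" variant still allows the owner to propose address(0) and renounce after the delay; what it removes is the instant path through an uninitialized slot.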
#0 - jakekidd
2022-06-25T02:19:44Z
onlyProposedRouterOwner can call this method, so unless you are the owner or somehow control address(0), it will revert.
#1 - 0xleastwood
2022-08-15T00:20:46Z
Agree with sponsor. Routers are able to renounce ownership instantly, but this doesn't impact protocol availability nor lock funds or leak value. The router is still able to withdraw to their chosen recipient address as per usual. Downgrading to QA.
#2 - 0xleastwood
2022-08-15T00:21:09Z
Merging with #43.
#3 - 0xleastwood
2022-08-16T21:21:00Z
Converting to QA report because #43 is invalid.
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 0xmint, BowTiedWardens, ElKu, Fitraldys, Funen, Kaiziron, Lambda, Metatron, MiloTruck, Randyyy, Ruhum, SmartSek, TomJ, Tomio, UnusualTurtle, Waze, _Adam, apostle0x01, asutorufos, c3phas, catchup, csanuragjain, defsec, fatherOfBlocks, hansfriese, hyh, ignacio, joestakey, k, kaden, nahnah, oyc_109, rfa, robee, sach1r0, simon135, slywaters
84.6501 USDC - $84.65
In the following places, gas can be saved by caching the length of the array:
In the following places, gas can be saved by marking the addition in the loop as unchecked:
In the following places, both optimizations (caching of length & unchecked) can be applied:
SafeMath is used in a few places unnecessarily (not needed for Solidity v0.8):
Other gas optimizations:
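As an added illustration (not project code and not one of the locations the report lists), the following contract shows the three patterns above on a generic storage array: a loop that re-reads the length and uses a checked increment, the same loop with the length cached and the counter incremented in an unchecked block, and plain arithmetic in place of a SafeMath call. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not project code: the loop-level optimizations from the
// report (cache the array length, increment in an unchecked block) shown on a
// generic storage array, plus the SafeMath point. Names are assumptions.
contract LoopGas {
    uint256[] public values;

    function push(uint256 v) external {
        values.push(v);
    }

    // Before: values.length is re-read from storage (an SLOAD) on every
    // iteration, and i++ carries the 0.8 overflow check it can never need.
    function sumBefore() external view returns (uint256 total) {
        for (uint256 i = 0; i < values.length; i++) {
            total += values[i];
        }
    }

    // After: the length is read once, and the counter is incremented in an
    // unchecked block, which is safe because i < len bounds it far below
    // type(uint256).max. The accumulation itself stays checked: the sum of
    // arbitrary stored values can overflow, and that is the check that
    // matters for correctness.
    function sumAfter() external view returns (uint256 total) {
        uint256 len = values.length;
        for (uint256 i = 0; i < len; ) {
            total += values[i];
            unchecked {
                ++i;
            }
        }
    }

    // SafeMath point: from Solidity 0.8 plain arithmetic reverts on overflow,
    // so a SafeMath-style add(a, b) only adds a library call and a second,
    // redundant check. Plain + gives the same revert behaviour for less gas.
    function add(uint256 a, uint256 b) external pure returns (uint256) {
        return a + b; // reverts on overflow without any library
    }
}
```

The rule of thumb when applying unchecked: drop the check only where a loop bound or other invariant proves the operation cannot wrap, and leave every arithmetic step that depends on external or stored values checked.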