Canto contest - MadWookie's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 14/06/2022

Pot Size: $100,000 USDC

Total HM: 26

Participants: 59

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 9

Id: 133

League: ETH

Researcher Performance

Rank: 45/59

Findings: 2

Award: $287.34

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

72.4555 USDC - $72.46

687.9945 CANTO - $111.11

Labels

bug
QA (Quality Assurance)


Low Risk

Missing check for address(0x0) when assigning values to address state variables

Especially important when assigning to admin, as it could brick the contract if set to address(0x0).

1. File: TreasuryDelegator.sol#L21

	admin = admin_;

QA

Use of transfer

It is not recommended to use transfer as it will make contracts potentially unusable if the transfer gas cost is ever increased.
It is recommended to use call instead, like so:

    (bool success, ) = payable(msg.sender).call{value: wad}("");

1. File: WETH.sol#L31

    payable(msg.sender).transfer(wad);

Missing URL in comment

1. File: GovernorBravoInterfaces.sol#L31

    IProposal unigov; //Proposal Store object defined as primitive contract in Canto-Testnet <URL HERE>  

#0 - GalloDaSballo

2022-08-02T20:52:30Z

Missing check for address(0x0) when assigning values to address state variables

L

Use of transfer

You can't say WETH, one of the most used contracts, has an unsafe transfer, and keep a straight face

Missing URL in comment

Disagree as this is the storage contract meant to list all the storage variables

Really low quality submission

1L
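
The two changes proposed in the QA report above, as an added example that is not part of the original submission or the Canto code base: a zero-address guard on admin assignment, and a call-based withdrawal with its return value checked and state updated first, since call forwards all remaining gas. The contract name GuardedTreasury, its errors and its functions are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added illustration; GuardedTreasury and every member below are hypothetical
// names, not code from the audited repository.
contract GuardedTreasury {
    address public admin;
    mapping(address => uint256) public balanceOf;

    error ZeroAddress();
    error NotAdmin();
    error InsufficientBalance(uint256 requested, uint256 available);
    error SendFailed();

    constructor(address admin_) {
        // Reject address(0) so the admin role cannot be lost at deployment.
        if (admin_ == address(0)) revert ZeroAddress();
        admin = admin_;
    }

    function setAdmin(address newAdmin) external {
        if (msg.sender != admin) revert NotAdmin();
        // Same guard on every later assignment to the admin state variable.
        if (newAdmin == address(0)) revert ZeroAddress();
        admin = newAdmin;
    }

    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
    }

    function withdraw(uint256 wad) external {
        uint256 bal = balanceOf[msg.sender];
        if (wad > bal) revert InsufficientBalance(wad, bal);

        // Effects before interaction: unlike transfer (2300 gas stipend),
        // call hands the recipient all remaining gas, so the balance is
        // reduced before control leaves this contract.
        balanceOf[msg.sender] = bal - wad;

        // call does not revert on failure; the flag has to be checked.
        (bool success, ) = payable(msg.sender).call{value: wad}("");
        if (!success) revert SendFailed();
    }
}
```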

Awards

39.6748 USDC - $39.67

396.9199 CANTO - $64.10

Labels

bug
G (Gas Optimization)


Gas report

Initializing variables to default values wastes gas

The default value for uint is 0 and the default value for bool is false.

1. File: GovernorBravoDelegate.sol#L57

    newProposal.eta = 0;

2. File: GovernorBravoDelegate.sol#L62

    newProposal.canceled = false;

Functions add256() and sub256() are not needed as solidity version 0.8.10 has built-in overflow/underflow checking.

These functions are wasting gas.

1. File: GovernorBravoDelegate.sol#L180-184

    function add256(uint256 a, uint256 b) internal pure returns (uint) {
        uint c = a + b;
        require(c >= a, "addition overflow");
        return c;
    }

2. File: GovernorBravoDelegate.sol#L186-189

    function sub256(uint256 a, uint256 b) internal pure returns (uint) {
        require(b <= a, "subtraction underflow");
        return a - b;
    }

#0 - GalloDaSballo

2022-08-04T00:33:04Z

6 gas on the defaults 20 gas on the checked
