Back to MaratCerby's contests

Forgotten Runes Warrior Guild contest - MaratCerby's results

16,000 Warrior NFTs sold in a phased Dutch Auction.

General Information

Platform: Code4rena

Start Date: 03/05/2022

Pot Size: $30,000 USDC

Total HM: 6

Participants: 93

Period: 3 days

Judge: gzeon

Id: 118

League: ETH

Forgotten Runes

Findings Distribution

Researcher Performance

Rank: 10/93

Findings: 3

Award: $1,162.64

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryForgotten Runes

Findings Information

🌟 Selected for report: VAD37

Also found by: AuditsAreUS, IllIllI, MaratCerby, rfa, sorrynotsorry

Labels

bug
duplicate
2 (Med Risk)
sponsor confirmed

Awards

1116.8018 USDC - $1,116.80

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsGuild.sol#L175

Vulnerability details

Impact

ERC20 standard allows transfer function of some contracts to return bool or return nothing. Using safeTransfer of SafeERC20.sol is recommended instead.

Proof of Concept

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/4a9cc8b4918ef3736229a5cc5a310bdc17bf759f/contracts/token/ERC20/utils/SafeERC20.sol

Tools Used

#0 - KenzoAgada

2022-06-06T05:30:44Z

Duplicate of #2.

#1 - gzeoneth

2022-06-18T17:03:38Z

Duplicate of #70

Findings Information

🌟 Selected for report: defsec

Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0x52, 0xDjango, 0xf15ers, 0xkatana, 0xliumin, AuditsAreUS, BowTiedWardens, CertoraInc, Cr4ckM3, Funen, GimelSec, Hawkeye, IllIllI, Kulk0, M0ndoHEHE, MaratCerby, Picodes, Ruhum, TerrierLover, TrungOre, VAD37, WatchPug, berndartmueller, broccolirob, catchup, cccz, cryptphi, csanuragjain, delfin454000, dirk_y, eccentricexit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, hubble, hyh, ilan, joestakey, kebabsec, kenta, kenzo, leastwood, m9800, marximimus, minhquanym, oyc_109, p4st13r4, pauliax, pedroais, peritoflores, plotchy, rajatbeladiya, reassor, rfa, robee, rotcivegaf, samruna, shenwilly, shung, simon135, sorrynotsorry, sseefried, teddav, throttle, tintin, unforgiven, z3s

Awards

30.3871 USDC - $30.39

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Impact

uint256 is assigned to zero by default, additional reassignment to zero is unnecessary Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsGuild.sol#L24

Proof of Concept

https://docs.soliditylang.org/en/v0.8.13/control-structures.html#default-value

Tools Used

Recommended code:

uint256 public numMinted;

Impact

uint256 is assigned to zero by default, additional reassignment to zero is unnecessary Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L162

Proof of Concept

https://docs.soliditylang.org/en/v0.8.13/control-structures.html#default-value

Tools Used

Recommended code:

uint256 i;

Impact

uint256 is assigned to zero by default, additional reassignment to zero is unnecessary Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L220

Proof of Concept

https://docs.soliditylang.org/en/v0.8.13/control-structures.html#default-value

Tools Used

Recommended code:

uint256 i;

Impact

uint256 is assigned to zero by default, additional reassignment to zero is unnecessary Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L259

Proof of Concept

https://docs.soliditylang.org/en/v0.8.13/control-structures.html#default-value

Tools Used

Recommended code:

uint256 i;

Impact

Msg.sender will never equal to address(0). Require statement can be safely removed. Affected code: https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsGuild.sol#L174

Proof of Concept

Tools Used

Impact

string is assigned to '' by default, additional reassignment to '' is unnecessary Affected code: https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsGuild.sol#L36

Proof of Concept

https://docs.soliditylang.org/en/v0.8.13/control-structures.html#default-value

Tools Used

Recommended code:

string public METADATA_PROVENANCE_HASH;

Impact

Constant R is unused and can be safely removed Affected code: https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsGuild.sol#L32-L33

Proof of Concept

Tools Used

Impact

Possibility of loosing precision. It is recommended to have a single division. Affected code: https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L284-L285

Proof of Concept

Tools Used

Recommended code:

uint256 dropPerStep = ((startPrice - lowestPrice) * daDropInterval) / daPriceCurveLength;

Impact

Possibility of getting out of bounds in array daMinters. Affected code: https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L284-L285

Proof of Concept

Tools Used

Additional check is recommended:

require(daMinters.length > endIdx); // equal to daMinters.length >= (endIdx + 1) but using less gas

https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L355

Findings Information

🌟 Selected for report: BowTiedWardens

Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xProf, 0xc0ffEE, 0xf15ers, 0xkatana, 0xliumin, ACai, AlleyCat, CertoraInc, Cityscape, Cr4ckM3, DavidGialdi, Dinddle, FSchmoede, Funen, GimelSec, Hawkeye, IllIllI, Kulk0, M0ndoHEHE, MaratCerby, MiloTruck, Picodes, RoiEvenHaim, Tadashi, TerrierLover, TrungOre, VAD37, WatchPug, antonttc, catchup, defsec, delfin454000, dirk_y, eccentricexit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, ilan, joestakey, kebabsec, kenta, kenzo, marximimus, minhquanym, noobie, oyc_109, p4st13r4, pauliax, rajatbeladiya, reassor, rfa, robee, rotcivegaf, saian, samruna, shenwilly, shung, simon135, slywaters, sorrynotsorry, throttle, unforgiven, z3s

Awards

15.4498 USDC - $15.45

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsGuild.sol#L100

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error AllWarriorsHaveBeenSummoned(); 
.. 
if(numMinted >= MAX_WARRIORS)
{
	revert AllWarriorsHaveBeenSummoned();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsGuild.sol#L101

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error NotAMinter(); 
.. 
if(_msgSender() != minter)
{
	revert NotAMinter();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L136

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error ActionSoldOut(); 
.. 
if(numSold >= maxDaSupply)
{
	revert ActionSoldOut();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L137

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error NotEnoughRemaining(); 
.. 
if(numSold + numWarriors > maxDaSupply)
{
	revert NotEnoughRemaining();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L138

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error AuctionNotStarted(); 
.. 
if(!daStarted())
{
	revert AuctionNotStarted();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L139

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error AuctionPhaseOver(); 
.. 
if(mintlistStarted())
{
	revert AuctionPhaseOver();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L177

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error SoldOut(); 
.. 
if(numSold >= maxForSale)
{
	revert SoldOut();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L178

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error MintlistPhaseNotStarted(); 
.. 
if(!mintlistStarted())
{
	revert MintlistPhaseNotStarted();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L179

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error EtherValueIncorrect(); 
.. 
if(msg.value != finalPrice)
{
	revert EtherValueIncorrect();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L182

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error AlreadyMinted(); 
.. 
if(mintlistMinted[msg.sender] != false)
{
	revert AlreadyMinted();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L207

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error SoldOut(); 
.. 
if(numSold >= maxForSale)
{
	revert SoldOut();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L208

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error NotEnoughRemaining(); 
.. 
if(numSold + numWarriors > maxForSale)
{
	revert NotEnoughRemaining();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L209

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error PublicSaleNotStarted(); 
.. 
if(!publicStarted())
{
	revert PublicSaleNotStarted();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L234

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error NoMoreClaims(); 
.. 
if(numClaimed >= maxForClaim)
{
	revert NoMoreClaims();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L235

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error ClaimPhaseNotStarted(); 
.. 
if(!claimsStarted())
{
	revert ClaimPhaseNotStarted();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L238

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error AlreadyClaimed(); 
.. 
if(claimlistMinted[msg.sender] != false)
{
	revert AlreadyClaimed();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L258

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error AddressRequired(); 
.. 
if(address(recipient) == address(0))
{
	revert AddressRequired();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L372

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error SelfRefundPeriodNotStarted(); 
.. 
if(!selfRefundsStarted())
{
	revert SelfRefundPeriodNotStarted();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L609

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error NoVault(); 
.. 
if(address(vault) == address(0))
{
	revert NoVault();
}

Impact

Recommending to upgrade solidity version to 0.8.4 which introduces new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code: https://github.com/code-423n4/2022-05-runes/tree/main/contracts/ForgottenRunesWarriorsMinter.sol#L617

Proof of Concept

https://blog.soliditylang.org/2021/04/21/custom-errors/

Tools Used

Recommended code:

error NoVault(); 
.. 
if(address(vault) == address(0))
{
	revert NoVault();
}

Impact

Instead of having 5 mappings it is better to use a struct type and a single mapping. It will significantly reduce gas usage while updating the storage. At least 5 x 5000 gas for each unique address. Affected code: https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L75-L88

Proof of Concept

Tools Used

Impact

Solidity 0.8.0 introduced SafeMath enabled by default for any math operation. To improve gas usage unchecked keyword is recommended in for cycle. It reduces 49 gas per each iteration in cycle. Affected code: https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L162-L164

Proof of Concept

https://docs.soliditylang.org/en/v0.8.13/080-breaking-changes.html#:~:text=Arithmetic%20operations

Tools Used

Saves 49 * numWarriors gas. Recommended code:

for (uint256 i = 0; i < numWarriors;) {
    _mint(msg.sender);
    unchecked {i++;}
}

Impact

Solidity 0.8.0 introduced SafeMath enabled by default for any math operation. To improve gas usage unchecked keyword is recommended in for cycle. It reduces 49 gas per each iteration in cycle. Affected code: https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L220-L222

Proof of Concept

https://docs.soliditylang.org/en/v0.8.13/080-breaking-changes.html#:~:text=Arithmetic%20operations

Tools Used

Saves 49 * numWarriors gas. Recommended code:

 for (uint256 i = 0; i < numWarriors;) {
    _mint(msg.sender);
    unchecked {i++;}
}

Impact

Solidity 0.8.0 introduced SafeMath enabled by default for any math operation. To improve gas usage unchecked keyword is recommended in for cycle. It reduces 49 gas per each iteration in cycle. Affected code: https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L259-L261

Proof of Concept

https://docs.soliditylang.org/en/v0.8.13/080-breaking-changes.html#:~:text=Arithmetic%20operations

Tools Used

Saves 49 * count gas. Recommended code:

for (uint256 i = 0; i < count;) {
    _mint(recipient);
    unchecked {i++;}
}

Impact

Solidity 0.8.0 introduced SafeMath enabled by default for any math operation. To improve gas usage unchecked keyword is recommended in for cycle. It reduces 49 gas per each iteration in cycle. Affected code: https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L355-L357

Proof of Concept

https://docs.soliditylang.org/en/v0.8.13/080-breaking-changes.html#:~:text=Arithmetic%20operations

Tools Used

Saves 49 * (endIdx + 1 - startIdx) gas. Recommended code:

for (uint256 i = startIdx; i < endIdx + 1;) {
    _refundAddress(daMinters[i]);
    unchecked {i++;}
}
AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter