Platform: Code4rena
Start Date: 30/11/2021
Pot Size: $100,000 USDC
Total HM: 15
Participants: 36
Period: 7 days
Judge: 0xean
Total Solo HM: 4
Id: 62
League: ETH
Rank: 7/36
Findings: 3
Award: $4,591.26
Selected for report: 1
Solo Findings: 0
Selected for report: toastedsteaksandwich
Also found by: Meta0xNull, Omik, ScopeLift, bitbopper, gzeon, pedroais, wuwe1
Meta0xNull
// This is a potentially dangerous function so to ensure trustlessness, *all* balances that may matter are guaranteed to not change.
There are pre and post token checks for the deposit token and the reward token, but there is no check for incentive tokens, which means the number of incentive tokens may go lower after the arbitrary call.
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L728-L749
Manual Review
// external incentives to stream creator
mapping(address => uint112) public incentives;
The incentive token addresses and amounts are stored in incentives. Thus, it is only necessary to loop over them and compare the amounts in incentives against the token balances of the contract address at the end of arbitraryCall().
#0 - brockelmore
2021-12-06T16:46:03Z
This one doesn't provide the exploit mechanism like in #107 so I am inclined to not have this be part of that because this isn't actually a helpful issue for identifying or fixing the real issue.
#1 - 0xean
2022-01-16T01:08:18Z
dupe of #199
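As an added illustration (not code from Locke.sol or the Streaming project), the following hypothetical contract shows the pattern the finding asks for: snapshot every balance the contract is accountable for, including each tracked incentive token, before the privileged call, and require that none of them decreased afterwards. The names GuardedArbitraryCall, incentiveTokens, creditIncentive and the minimal IERC20 interface are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 view used by the example (assumed, not Locke's own interface).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

/// @notice Hypothetical sketch of a governance-only "arbitrary call" guarded by
/// pre/post balance checks over every token the contract owes to someone,
/// including external incentive tokens (the gap described in the finding above).
contract GuardedArbitraryCall {
    address public immutable gov;
    address public immutable depositToken;
    address public immutable rewardToken;

    // Incentive accounting: amount owed per token, plus an enumerable list of
    // token addresses so the post-call check can loop over all of them.
    mapping(address => uint112) public incentives;
    address[] public incentiveTokens;

    constructor(address _gov, address _depositToken, address _rewardToken) {
        gov = _gov;
        depositToken = _depositToken;
        rewardToken = _rewardToken;
    }

    modifier onlyGov() {
        require(msg.sender == gov, "!gov");
        _;
    }

    /// @dev Records an incentive; assumed to be called after tokens were transferred in.
    function creditIncentive(address token, uint112 amount) external onlyGov {
        if (incentives[token] == 0) incentiveTokens.push(token);
        incentives[token] += amount;
    }

    /// @notice Executes a call on behalf of governance, then re-verifies that
    /// no balance the contract holds for depositors, streamers or incentive
    /// providers has gone down.
    function arbitraryCall(address target, bytes calldata data) external onlyGov {
        // Belt and braces: never let the call target be one of the tracked tokens.
        require(target != depositToken && target != rewardToken, "!token");
        require(incentives[target] == 0, "!incentive token");

        uint256 depositBefore = IERC20(depositToken).balanceOf(address(this));
        uint256 rewardBefore = IERC20(rewardToken).balanceOf(address(this));
        uint256 n = incentiveTokens.length;
        uint256[] memory incentiveBefore = new uint256[](n);
        for (uint256 i = 0; i < n; i++) {
            incentiveBefore[i] = IERC20(incentiveTokens[i]).balanceOf(address(this));
        }

        (bool ok, ) = target.call(data);
        require(ok, "call failed");

        require(IERC20(depositToken).balanceOf(address(this)) >= depositBefore, "deposit drained");
        require(IERC20(rewardToken).balanceOf(address(this)) >= rewardBefore, "reward drained");
        for (uint256 i = 0; i < n; i++) {
            require(
                IERC20(incentiveTokens[i]).balanceOf(address(this)) >= incentiveBefore[i],
                "incentive drained"
            );
        }
    }
}
```

Two caveats a reviewer would raise on this pattern: a balance-after check does not notice an allowance granted during the call, which is why the target restriction is kept alongside it, and fee-on-transfer or rebasing tokens can make the comparison revert spuriously. The loop also grows with the number of incentive tokens, so the list should stay bounded.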
Selected for report: cyberboy
Also found by: Meta0xNull
3626.1684 USDC - $3,626.17
Meta0xNull
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L26-L30
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L33-L38
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L45-L49
Manual Review
In acceptGov(), set pendingGov to the zero address once gov has been transferred.
address old = gov;
gov = pendingGov;
pendingGov = address(0);
#0 - brockelmore
2021-12-03T21:48:45Z
If there is a pendingGov you are correct, but since all of those functions are controlled by governance, it is trivial to reset pendingGov to 0 prior to abdicating, but it should be done in a single transaction.
#1 - 0xean
2022-01-15T01:55:21Z
dupe of #132
Selected for report: Meta0xNull
217.5701 USDC - $217.57
Meta0xNull
Open TODOs can hint at programming or architectural errors that still need to be fixed.
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L817
Manual Review
Fix the TODO list and remove it.
#0 - 0xean
2022-01-16T01:07:24Z
C4 docs say that issues with comments are Low
1 - Low: Low: Assets are not at risk. State handling, function incorrect as to spec, issues with comments.
Leaving as Low risk
Selected for report: hyh
Also found by: 0x1f8b, Meta0xNull
Meta0xNull
A wrong user input, or a wallet defaulting to the zero address for a missing input, can lead to the contract needing to be redeployed or to wasted gas.
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L17-L19
Manual Review
Require that the addresses are not zero.
require(_governor != address(0), "Address Can't Be Zero");
require(_emergency_governor != address(0), "Address Can't Be Zero");
#0 - 0xean
2022-01-16T14:17:21Z
dupe of #68
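The two governance findings above, clearing pendingGov inside acceptGov and rejecting zero addresses in the constructor, fit in one small contract. The following is an added example, not Locke.sol's own code; the contract name TwoStepGov and the functions setPendingGov and abdicate are names assumed for the illustration, and the abdicate function shows the single-transaction reset the sponsor's comment refers to.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// @notice Hypothetical two-step governance handover (not Locke.sol) applying
/// both fixes: zero-address checks in the constructor, and clearing pendingGov
/// whenever governance changes so a stale nominee cannot claim control later.
contract TwoStepGov {
    address public gov;
    address public emergencyGov;
    address public pendingGov;

    event NewPendingGov(address indexed oldPendingGov, address indexed newPendingGov);
    event NewGov(address indexed oldGov, address indexed newGov);

    constructor(address _governor, address _emergency_governor) {
        // Reject a missing or mistyped address at deployment instead of
        // discovering it after the contract is live.
        require(_governor != address(0), "Address Can't Be Zero");
        require(_emergency_governor != address(0), "Address Can't Be Zero");
        gov = _governor;
        emergencyGov = _emergency_governor;
    }

    modifier onlyGov() {
        require(msg.sender == gov, "!gov");
        _;
    }

    /// @notice Nominates a successor. Passing address(0) cancels a pending nomination.
    function setPendingGov(address _pendingGov) external onlyGov {
        address old = pendingGov;
        pendingGov = _pendingGov;
        emit NewPendingGov(old, _pendingGov);
    }

    /// @notice The nominee claims governance. pendingGov is cleared in the same
    /// transaction, so acceptGov cannot be replayed by the same address later.
    function acceptGov() external {
        require(msg.sender == pendingGov, "!pendingGov");
        address old = gov;
        gov = pendingGov;
        pendingGov = address(0);
        emit NewGov(old, gov);
    }

    /// @notice Governance gives up control. Clearing pendingGov here, in the
    /// same transaction, closes the window in which a previously nominated
    /// address could still call acceptGov after the abdication.
    function abdicate() external onlyGov {
        address old = gov;
        gov = address(0);
        pendingGov = address(0);
        emit NewGov(old, address(0));
    }
}
```

The invariant worth checking in tests is that after acceptGov or abdicate returns, pendingGov is always address(0); any path that changes gov without resetting pendingGov reintroduces the issue.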
Selected for report: gpersoon
Also found by: GiveMeTestEther, Meta0xNull, bitbopper, hack3r-0m, pauliax, pedroais, wuwe1
Meta0xNull
<code>modifier updateStream(address who) </code>
<code>function updateStreamInternal(address who) internal {</code> The input parameter <code>address who</code> above is not used in the function.
<code>TokenStream storage ts = tokensNotYetStreamed[msg.sender]</code> At line 205 the function uses msg.sender directly rather than the input parameter <code>address who</code>.
Removing the unused input parameter can save some gas.
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L196-L205
Manual Review
modifier updateStream {
    // save bytecode space by making it a jump instead of inlining at cost of gas
    updateStreamInternal();
    _;
}

function updateStreamInternal() internal {
    require(block.timestamp < endStream, "!stream");
    TokenStream storage ts = tokensNotYetStreamed[msg.sender];
    // ... rest of the function unchanged
}
#0 - 0xean
2022-01-17T12:02:08Z
dupe of #43