Platform: Code4rena
Start Date: 18/05/2023
Pot Size: $24,500 USDC
Total HM: 3
Participants: 72
Period: 4 days
Judge: LSDan
Id: 237
League: ETH
Rank: 39/72
Findings: 1
Award: $16.19
Selected for report: 0
Solo Findings: 0
Selected for report: ABA
Also found by: 0x4non, 0xHati, 0xMosh, 0xSmartContract, 0xWaitress, 0xhacksmithh, 0xnev, 0xprinc, Arabadzhiev, BLACK-PANDA-REACH, Deekshith99, Dimagu, KKat7531, Kose, LosPollosHermanos, MohammedRizwan, QiuhaoLi, RaymondFam, Rickard, Rolezn, SAAJ, Sathish9098, Shubham, SmartGooofy, Tripathi, Udsen, V1235816, adriro, arpit, ayden, bigtone, codeVolcan, d3e4, dwward3n, fatherOfBlocks, favelanky, jovemjeune, kutugu, lfzkoala, lukris02, matrix_0wl, minhquanym, ni8mare, parsely, pxng0lin, radev_sw, ravikiranweb3, rbserver, sces60107, souilos, tnevler, turvy_fuzz, yellowBirdy
16.1907 USDC - $16.19
Number | Issue | Instances |
---|---|---|
[L-01] | For immutable variables, zero address checks are missing in constructor | 4 |

Number | Issue | Instances |
---|---|---|
[N-01] | Use latest version of PRBMath library | 1 |
[N-02] | Use a more recent version of Solidity | 1 |
Constructors should validate addresses against zero to avoid the risk of setting an immutable variable to the zero address at deployment. If address(0) is set by mistake, the contract will have to be redeployed.
There are 4 instances of this issue:
File: juice-buyback/contracts/JBXBuybackDelegate.sol

```solidity
constructor(
    IERC20 _projectToken,
    IWETH9 _weth,
    IUniswapV3Pool _pool,
    IJBPayoutRedemptionPaymentTerminal3_1 _jbxTerminal
) {
    projectToken = _projectToken;
    pool = _pool;
    jbxTerminal = _jbxTerminal;
    _projectTokenIsZero = address(_projectToken) < address(_weth);
    weth = _weth;
}
```
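Instances like these can be found mechanically. The following is an added example, not part of the original report or the project's code: a regex-based check that lists constructor parameters stored to state without an `address(0)` comparison, run on the constructor quoted above and on a copy with the `require` lines this report recommends. The helper name `unchecked_params` is hypothetical, and the check assumes one constructor per source with direct `state = _param;` assignments.

```python
import re

# Constructor from JBXBuybackDelegate.sol as quoted in this report (no checks).
BEFORE = """
constructor(
    IERC20 _projectToken,
    IWETH9 _weth,
    IUniswapV3Pool _pool,
    IJBPayoutRedemptionPaymentTerminal3_1 _jbxTerminal
) {
    projectToken = _projectToken;
    pool = _pool;
    jbxTerminal = _jbxTerminal;
    _projectTokenIsZero = address(_projectToken) < address(_weth);
    weth = _weth;
}
"""

# Same constructor with the report's recommended require() lines inserted.
PARAMS = ("_projectToken", "_weth", "_pool", "_jbxTerminal")
CHECKS = "".join(
    f'    require(address({p}) != address(0), "invalid address");\n' for p in PARAMS
)
AFTER = BEFORE.replace(") {\n", ") {\n" + CHECKS, 1)

# Hypothetical helper: regex-based, handles a single constructor per source.
CTOR = re.compile(r"constructor\s*\((?P<params>.*?)\)[^{]*\{(?P<body>.*)\}", re.S)


def unchecked_params(src):
    """Constructor params stored to state but never compared to address(0)."""
    m = CTOR.search(src)
    if m is None:
        return []
    # The last token of each "Type [location] name" entry is the parameter name.
    names = [p.split()[-1] for p in m["params"].split(",") if p.strip()]
    body, missing = m["body"], []
    for name in names:
        n = re.escape(name)
        stored = re.search(rf"\b\w+\s*=\s*{n}\s*;", body)
        checked = re.search(
            rf"(address\(\s*{n}\s*\)|\b{n})\s*!=\s*address\(0\)", body
        )
        if stored and not checked:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("before:", unchecked_params(BEFORE))
    print("after: ", unchecked_params(AFTER))
```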
Add address(0) validation checks in the constructor.
File: juice-buyback/contracts/JBXBuybackDelegate.sol constructor( IERC20 _projectToken, IWETH9 _weth, IUniswapV3Pool _pool, IJBPayoutRedemptionPaymentTerminal3_1 _jbxTerminal ) { + require(address(_projectToken) != address(0), "invalid address"); + require(address(_weth) != address(0), "invalid address"); + require(address(_pool) != address(0), "invalid address"); + require(address(_jbxTerminal) != address(0), "invalid address"); projectToken = _projectToken; pool = _pool; jbxTerminal = _jbxTerminal; _projectTokenIsZero = address(_projectToken) < address(_weth); weth = _weth; }
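Review bot: the four added require calls at the top of the constructor all revert with the same string, "invalid address", so a failed deployment does not say which of _projectToken, _weth, _pool or _jbxTerminal was zero. Give each check its own message, or a custom error per parameter, which the ^0.8.16 pragma supports.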
The contract uses an old version of the PRBMath library, 3.7.0. The latest version, v4.0.0, has many fixes and some breaking changes. It is recommended to use the latest version of the PRBMath library.
Link to latest release features
There is 1 instance of this issue.
File: /juice-buyback/package.json

```json
"@paulrberg/contracts": "^3.7.0",
```
For security and optimization, it is best practice to use the latest Solidity version. For the list of security fixes in each version, see: Link to reference
There is 1 instance of this issue.
File: juice-buyback/contracts/JBXBuybackDelegate.sol

```solidity
pragma solidity ^0.8.16;
```
#0 - c4-judge
2023-06-02T11:01:37Z
dmvt marked the issue as grade-b