Platform: Code4rena
Start Date: 04/05/2022
Pot Size: $50,000 DAI
Total HM: 24
Participants: 71
Period: 5 days
Judge: Justin Goro
Total Solo HM: 14
Id: 119
League: ETH
Rank: 15/71
Findings: 3
Award: $589.08
π Selected for report: 1
π Solo Findings: 0
π Selected for report: Picodes
Also found by: pedroais, unforgiven
475.0681 DAI - $475.07
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleVesting.sol#L115 https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleDropFactory.sol#L92
Contracts should clarify what is the intended behavior for Merkle trees with multiple leafs with the same address.
There is 2 possible behaviors:
MerkleVesting to give users the choice between 2 sets of vesting parameters and have something close to MerkleResistor.This behavior should be clarified in the comments at least, and made clear to merkle tree builders.
#0 - illuzen
2022-05-11T09:40:43Z
This is covered in a comment on MerkleResistor:49, but we should put it elsewhere for clarity.
#1 - illuzen
2022-06-03T02:38:56Z
π Selected for report: horsefacts
Also found by: 0x1f8b, 0xYamiDancho, 0xf15ers, 0xkatana, ACai, AlleyCat, Bruhhh, Dravee, Funen, GimelSec, Hawkeye, IllIllI, MaratCerby, PPrieditis, Picodes, Ruhum, TerrierLover, VAD37, berndartmueller, csanuragjain, defsec, delfin454000, eccentricexit, ellahi, fatherOfBlocks, gzeon, hansfriese, hickuphh3, hyh, ilan, joestakey, juicy, kebabsec, oyc_109, rajatbeladiya, reassor, rfa, robee, samruna, simon135, sorrynotsorry, throttle
74.9806 DAI - $74.98
For maximum compatibility, use safeTransferFrom as you donβt know if tokens returns boolean or use revert statements. Example:
Reference:
#0 - illuzen
2022-05-12T08:30:26Z
Duplicate #27
π Selected for report: IllIllI
Also found by: 0x1f8b, 0xNazgul, 0xYamiDancho, 0xf15ers, 0xkatana, ACai, CertoraInc, Dravee, Funen, GimelSec, Hawkeye, PPrieditis, Picodes, Ruhum, TerrierLover, Tomio, VAD37, Waze, csanuragjain, defsec, delfin454000, eccentricexit, ellahi, fatherOfBlocks, gzeon, hansfriese, horsefacts, ilan, joestakey, juicy, minhquanym, oyc_109, rajatbeladiya, reassor, rfa, robee, samruna, simon135, z3s
39.0273 DAI - $39.03
spentTokens variable is not used for accounting so could be removed and tracked on chain to save gas.
#0 - illuzen
2022-05-12T08:30:58Z
Valid
#1 - gititGoro
2022-06-05T00:16:45Z
The language "tracked on chain" seems to mismatch the abstraction level of tech at hand as we're working in a virtual machine environment with a high level language. But I assume the warden means "inferred from other variables".