Behodler contest - Randyyy's results

Ethereum liquidity protocol powered by token bonding curves.

General Information

Platform: Code4rena

Start Date: 27/01/2022

Pot Size: $90,000 USDC

Total HM: 21

Participants: 33

Period: 7 days

Judge: Jack the Pug

Total Solo HM: 14

Id: 78

League: ETH

Researcher Performance

Rank: 16/33

Findings: 2

Award: $1,100.85

🌟 Selected for report: 1

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: CertoraInc

Also found by: Randyyy

Labels

bug
duplicate
2 (Med Risk)

Awards

894.5368 USDC - $894.54

Handle

Randyyy

Vulnerability details

Impact

A user can stake their token by calling the stake function and supplying a token; however, staking a 0 amount is allowed. Staking 0 resets the reward debt without minting a single Flan token: the function treats the call as if the user were staking for the first time and had not earned any reward.

Proof of Concept

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/Limbo.sol#L451
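The following is an added illustration of the pattern described in this finding, not code from Limbo.sol: a hypothetical MasterChef-style staking contract whose stake function recomputes `rewardDebt` on every call, so a zero-amount stake wipes the caller's accrued rewards. The `IFlan`, `accFlanPerShare` and `User` names are assumptions for the example; the hardened variant rejects empty stakes and settles pending rewards before the debt is recomputed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical example contract (not Limbo.sol) used to illustrate the
// zero-amount stake issue reported above.
interface IFlan {
    function mint(address to, uint256 amount) external;
}

contract ZeroStakeExample {
    struct User { uint256 amount; uint256 rewardDebt; }
    mapping(address => User) public users;
    uint256 public accFlanPerShare; // rewards per staked unit, scaled by 1e12
    IFlan public flan;

    constructor(IFlan _flan) { flan = _flan; }

    // Vulnerable: pending rewards are only paid on a non-empty top-up, so a
    // stake of 0 skips the payout but still overwrites rewardDebt with the
    // current accumulator, exactly as if this were the user's first stake.
    function stakeVulnerable(uint256 amount) external {
        User storage u = users[msg.sender];
        if (u.amount > 0 && amount > 0) {
            uint256 pending = (u.amount * accFlanPerShare) / 1e12 - u.rewardDebt;
            flan.mint(msg.sender, pending);
        }
        u.amount += amount;
        u.rewardDebt = (u.amount * accFlanPerShare) / 1e12; // reset even when amount == 0
    }

    // Hardened: reject empty stakes and always settle what is owed before
    // the debt is recomputed, so no call path can zero out accrued rewards.
    function stakeFixed(uint256 amount) external {
        require(amount > 0, "stake: zero amount");
        User storage u = users[msg.sender];
        if (u.amount > 0) {
            uint256 pending = (u.amount * accFlanPerShare) / 1e12 - u.rewardDebt;
            if (pending > 0) flan.mint(msg.sender, pending);
        }
        u.amount += amount;
        u.rewardDebt = (u.amount * accFlanPerShare) / 1e12;
    }
}
```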

#0 - gititGoro

2022-02-10T03:59:29Z

duplicate of issue 146

#1 - jack-the-pug

2022-02-27T08:12:06Z

Dup #146

Findings Information

🌟 Selected for report: robee

Also found by: BouSalman, CertoraInc, Dravee, Jujic, Randyyy, gzeon, pauliax, throttle

Labels

bug
duplicate
G (Gas Optimization)

Awards

8.369 USDC - $8.37

Handle

Randyyy

Vulnerability details

Impact

By saving the array length to a variable, the loop does not have to read the array length on every iteration, which saves gas.

Proof of Concept

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L212
https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L217

// Cache the array length once instead of reading sushiLPs.length on each iteration
uint256 counter = sushiLPs.length;
for (uint256 i = 0; i < counter; i++) {
    require(UniPairLike(sushiLPs[i]).factory() == sushiFactory, "LimboDAO: invalid Sushi LP");
    if (IERC20(eye).balanceOf(sushiLPs[i]) > 1000) assetApproved[sushiLPs[i]] = true;
    fateGrowthStrategy[sushiLPs[i]] = FateGrowthStrategy.indirectTwoRootEye;
}

#0 - gititGoro

2022-02-08T22:16:13Z

Duplicate of issue 12

Findings Information

🌟 Selected for report: robee

Also found by: Randyyy, Tomio, rfa, sirhashalot

Labels

bug
duplicate
G (Gas Optimization)
sponsor acknowledged

Awards

22.9602 USDC - $22.96

Handle

Randyyy

Vulnerability details

Impact

Since this function does not modify the sushiLPs and uniLPs parameters, it is cheaper to declare them as calldata instead of memory.

Proof of Concept

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L204
https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L205

Tools Used

Remix

Change memory to calldata.

#0 - jack-the-pug

2022-02-27T13:10:39Z

Dup #22

Findings Information

🌟 Selected for report: Randyyy

Labels

bug
G (Gas Optimization)
resolved
sponsor disputed

Awards

174.9751 USDC - $174.98

Handle

Randyyy

Vulnerability details

Impact

Saves gas, because using type(uint).max is cheaper than computing 2**256 - 1.

Proof of Concept

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/FlanBackstop.sol#L36

constructor(
    address dao,
    address flan,
    address pyroFlan
) Governable(dao) {
    config.pyroFlan = pyroFlan;
    config.flan = flan;
    IERC20(flan).approve(pyroFlan, type(uint).max);
}

#0 - gititGoro

2022-07-04T14:43:08Z
