Back to RedOneN's contests

FIAT DAO veFDT contest - RedOneN's results

Unlock liquidity for your DeFi fixed income assets.

General Information

Platform: Code4rena

Start Date: 12/08/2022

Pot Size: $35,000 USDC

Total HM: 10

Participants: 126

Period: 3 days

Judge: Justin Goro

Total Solo HM: 3

Id: 154

League: ETH

FIAT DAO

Findings Distribution

Researcher Performance

Rank: 61/126

Findings: 2

Award: $45.04

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryFIAT DAO

Findings Information

🌟 Selected for report: oyc_109

Also found by: 0x1f8b, 0x52, 0xDjango, 0xLovesleep, 0xNazgul, 0xNineDec, 0xbepresent, 0xmatt, 0xsolstars, Aymen0909, Bahurum, Bnke0x0, CertoraInc, Chom, CodingNameKiki, DecorativePineapple, Deivitto, Dravee, ElKu, Funen, GalloDaSballo, IllIllI, JC, JohnSmith, Junnon, KIntern_NA, Lambda, LeoS, MiloTruck, Noah3o6, PaludoX0, RedOneN, Respx, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, Ruhum, Sm4rty, TomJ, Vexjon, Waze, Yiko, __141345__, a12jmx, ajtra, ak1, apostle0x01, asutorufos, auditor0517, bin2chen, bobirichman, brgltd, bulej93, byndooa, c3phas, cRat1st0s, cryptphi, csanuragjain, d3e4, defsec, delfin454000, djxploit, durianSausage, ellahi, erictee, exd0tpy, fatherOfBlocks, gogo, jonatascm, ladboy233, medikko, mics, natzuu, neumo, p_crypt0, paribus, pfapostol, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, sach1r0, saneryee, seyni, sikorico, simon135, sseefried, wagmi, wastewa

Awards

30.066 USDC - $30.07

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

[L-01] - Missing checks for ADDRESS(0X0) when assigning values to ADDRESS state variables

File : VotingEscrow.sol VotingEscrow.sol#L120 VotingEscrow.sol#L121 VotingEscrow.sol#L141 VotingEscrow.sol#L148 VotingEscrow.sol#L155

[L-02] - Consider using msg.sender for declaring ownership in the constructor.

The constructor takes as input the owner’s address. As a result, in case of wrong declared address, there is a risk that the ownership is lost at the contract creation. If possible, consider using msg.sender to declare the owner.

File : VotingEscrow.sol VotingEscrow.sol#L101

[N-01] - Consider the use of constants instead of « magic numbers »

File : VotingEscrow.sol VotingEscrow.sol#L116 VotingEscrow.sol#L298 VotingEscrow.sol#L309

[N-02] - Consider TWO-PHASE ownership transfer

The current owner calls transferOwnership() and decide to transfer the ownership directly to any desired address. As a result, there is a risk that the ownership is transferred to an invalid address causing the contract to be without owner.

File : VotingEscrow.sol VotingEscrow.sol#L139

[N-03] - Consider using a more recent version of solidity

Use a solidity version of at least 0.8.4 to get custom errors, which are cheaper at deployment than revert()/require() strings Use a solidity version of at least 0.8.10 to have external calls skip contract existence checks if the external call has a return value

[N-04] - Use scientific notation (eg. 1E18) rather than exponentiation (eg. 10**18)

File : VotingEscrow.sol VotingEscrow.sol#L48 VotingEscrow.sol#L51 VotingEscrow.sol#L675

[N-05] - Use scientific notation (eg. 1E18) rather than the full expanded number.

File : VotingEscrow.sol VotingEscrow.sol#L57 VotingEscrow.sol#L58

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x040, 0x1f8b, 0xDjango, 0xHarry, 0xLovesleep, 0xNazgul, 0xNineDec, 0xSmartContract, 0xackermann, 0xbepresent, 2997ms, Amithuddar, Aymen0909, Bnke0x0, CRYP70, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, Fitraldys, Funen, GalloDaSballo, JC, JohnSmith, Junnon, LeoS, Metatron, MiloTruck, Noah3o6, NoamYakov, PaludoX0, RedOneN, Respx, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, SooYa, SpaceCake, TomJ, Tomio, Waze, Yiko, __141345__, a12jmx, ajtra, ak1, apostle0x01, asutorufos, bobirichman, brgltd, bulej93, c3phas, cRat1st0s, carlitox477, chrisdior4, csanuragjain, d3e4, defsec, delfin454000, djxploit, durianSausage, ellahi, erictee, fatherOfBlocks, gerdusx, gogo, ignacio, jag, ladboy233, m_Rassska, medikko, mics, natzuu, newfork01, oyc_109, paribus, pfapostol, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, sach1r0, saian, sashik_eth, sikorico, simon135

Awards

14.9678 USDC - $14.97

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

[G-01] Usage of Uint/Ints smaller than 256 bits incurs overhead

EVM operates on a 32bytes basis. If an element is smaller than 32bytes, the EVM has to perform an operation in order to get the desired size. As a result, defining elements smaller than 32bytes might result in higher gas cost. It is better to work with 256 bits and downcast where needed.

File : VotingEscrow.sol VotingEscrow.sol#L70 VotingEscrow.sol#L71 VotingEscrow.sol#L76 VotingEscrow.sol#L78

[G-02] - Use custom errors rather than revert()/require() strings

File : VotingEscrow.sol VotingEscrow.sol#L116 VotingEscrow.sol#L127 VotingEscrow.sol#L412 VotingEscrow.sol#L413 VotingEscrow.sol#L414 VotingEscrow.sol#L415 VotingEscrow.sol#L416 VotingEscrow.sol#L425 VotingEscrow.sol#L448:L470 VotingEscrow.sol#L502:L504 VotingEscrow.sol#L511 VotingEscrow.sol#L529:L531 VotingEscrow.sol#L563:L565 VotingEscrow.sol#L587:L589

[G-03] - Duplicated Require()/Revert() checks should be refactored to a modifier or function

File : VotingEscrow.sol Check : require(msg.sender == owner, « Only owner ») is observed 4 times VotingEscrow.sol#L140 VotingEscrow.sol#L147 VotingEscrow.sol#L154 VotingEscrow.sol#L162 VotingEscrow.sol#L171

[G-04] - Consider turning some constant variables to private to save gas

File : VotingEscrow.sol VotingEscrow.sol: 46 VotingEscrow.sol: 47 VotingEscrow.sol: 48

[G05] - It costs more gas to initialize variables to zero than to let the default of zero be applied.

File : VotingEscrow.sol VotingEscrow.sol#L229 VotingEscrow.sol#L230 VotingEscrow.sol#L298 VotingEscrow.sol#L309 VotingEscrow.sol#L313 VotingEscrow.sol#L717 VotingEscrow.sol#L834

[G06] - Consider using UNCHECKED{} for operation that cannot underflow to save gas

File : VotingEscrow.sol VotingEscrow.sol#L242 -> _oldLocked.end - block.timestamp cannot underflow giver condition at line 236 VotingEscrow.sol#L250 -> _newLocked.end - block.timestamp cannot underflow giver condition at line 244

[G07] ++I/I++ should be unchecked{++I}/unchecked{I++} when it is not possible for them to overflow (ie. In a for loop).

File : VotingEscrow.sol VotingEscrow.sol#L309 VotingEscrow.sol#L717 VotingEscrow.sol#L834

[G-08] - Pre-increments (++i) cost less gas than post-increment (i++), especially inside for loops.

File : VotingEscrow.sol VotingEscrow.sol#L309 VotingEscrow.sol#L717 VotingEscrow.sol#L834

[G-09] - Consider using a more recent version of solidity

Use a solidity version of at least 0.8.4 to get custom errors, which are cheaper at deployment than revert()/require() strings Use a solidity version of at least 0.8.10 to have external calls skip contract existence checks if the external call has a return value

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter