Back to Rohan16's contests

Axelar Network v2 contest - Rohan16's results

Decentralized interoperability network.

General Information

Platform: Code4rena

Start Date: 29/07/2022

Pot Size: $50,000 USDC

Total HM: 6

Participants: 75

Period: 5 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 149

League: ETH

Axelar Network

Findings Distribution

Researcher Performance

Rank: 35/75

Findings: 2

Award: $88.02

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAxelar Network

Findings Information

🌟 Selected for report: oyc_109

Also found by: 0x1f8b, 0x52, 0xNazgul, 0xSmartContract, 0xf15ers, 8olidity, Aymen0909, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, IllIllI, JC, Lambda, Noah3o6, NoamYakov, RedOneN, Respx, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Twpony, Waze, Yiko, __141345__, ajtra, apostle0x01, ashiq0x01, asutorufos, bardamu, benbaessler, berndartmueller, bharg4v, bulej93, c3phas, cccz, ch13fd357r0y3r, codexploder, cryptonue, cryptphi, defsec, djxploit, durianSausage, fatherOfBlocks, gogo, hansfriese, horsefacts, ignacio, kyteg, lucacez, mics, rbserver, robee, sashik_eth, simon135, sseefried, tofunmi, xiaoming90

Awards

56.8019 USDC - $56.80

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

1. USE OF FLOATING PRAGMA

Recommend using fixed solidity version

Instances

// Links to githubfile

https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/interfaces/IAxelarAuth.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/interfaces/IAxelarAuthWeighted.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/interfaces/IAxelarDepositService.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/interfaces/IDepositBase.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/interfaces/IAxelarGasService.sol#L3

// actual codes 

contracts/interfaces/IAxelarAuth.sol:3:pragma solidity ^0.8.9;
contracts/interfaces/IAxelarAuthWeighted.sol:3:pragma solidity ^0.8.9;
contracts/interfaces/IAxelarDepositService.sol:3:pragma solidity ^0.8.9;
contracts/interfaces/IDepositBase.sol:3:pragma solidity ^0.8.9;
contracts/interfaces/IAxelarGasService.sol:3:pragma solidity ^0.8.9;

2. safeApprove() is deprecated

This is probably an oversight since SafeERC20 was imported and safeTransfer() was used for ERC20 token transfers. Nevertheless, note that approve() will fail for certain token implementations that do not return a boolean value (). Hence it is recommend to use safeApprove().

Instances

//Links to github file

https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/ReceiverImplementation.sol#L38 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/ReceiverImplementation.sol#L64 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/AxelarDepositService.sol#L30

actual codes 
contracts/deposit-service/ReceiverImplementation.sol:38:        IERC20(tokenAddress).approve(gateway, amount);
contracts/deposit-service/ReceiverImplementation.sol:64:        IERC20(wrappedTokenAddress).approve(gateway, amount);
contracts/deposit-service/AxelarDepositService.sol:30:        IERC20(wrappedTokenAddress).approve(gateway, amount);

3. USE SAFETRANSFER()/SAFETRANSFERFROM() INSTEAD OF TRANSFER()/TRANSFERFROM()

It is a good idea to add a require() statement that checks the return value of ERC20 token transfers or to use something like OpenZeppelin’s safeTransfer()/safeTransferFrom() unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract.

However, using require() to check transfer return values could lead to issues with non-compliant ERC20 tokens which do not return a boolean value. Therefore, it’s highly advised to use OpenZeppelin’s safeTransfer()/safeTransferFrom().

Instances

// Links to github file https://github.com/code-423n4/2022-07-axelar/blob/main/xc20/contracts/XC20Wrapper.sol#L107 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/AxelarGateway.sol#L501 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/AxelarGateway.sol#L523

//actual codes
xc20/contracts/XC20Wrapper.sol:107:            abi.encodeWithSelector(IERC20.transferFrom.selector, from, address(this), amount)
contracts/AxelarGateway.sol:501:                abi.encodeWithSelector(IERC20.transferFrom.selector, sender, address(this), amount)
contracts/AxelarGateway.sol:523:                IERC20.transferFrom.selector,

4. UNUSED/EMPTY RECEIVE()/FALLBACK() FUNCTION

If the intention is for the Ether to be used, the function should call another function, otherwise it should revert (e.g. require(msg.sender == address(weth)))

There are 2 instances of this issue:

Instances

//Links to githubfile https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/AxelarDepositServiceProxy.sol#L13 https://github.com/code-423n4/2022-07-axelar/blob/main/contractsdeposit-service/DepositReceiver.sol#L29

//actual codes
contracts/deposit-service/AxelarDepositServiceProxy.sol:13:    receive() external payable override {}
contracts/deposit-service/DepositReceiver.sol:29:    receive() external payable {}

5. Use of recent version of Solidity

Instances

// Links to githubfile

https://github.com/code-423n4/2022-07-axelar/blob/main/xc20/contracts/XC20Wrapper.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/interfaces/IAxelarAuth.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/interfaces/IAxelarAuthWeighted.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/interfaces/IAxelarDepositService.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/interfaces/IDepositBase.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/interfaces/IAxelarGasService..sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/ReceiverImplementation.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/AxelarDepositServiceProxy.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/DepositReceiver.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/DepositBase.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/AxelarDepositService.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/auth/AxelarAuthWeighted.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/AxelarGateway.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/gas-service/AxelarGasServiceProxy.sol#L3 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/gas-service/AxelarGasService.sol#L3

// actual codes 

xc20/contracts/XC20Wrapper.sol:3:pragma solidity 0.8.9;
contracts/interfaces/IAxelarAuth.sol:3:pragma solidity ^0.8.9;
contracts/interfaces/IAxelarAuthWeighted.sol:3:pragma solidity ^0.8.9;
contracts/interfaces/IAxelarDepositService.sol:3:pragma solidity ^0.8.9;
contracts/interfaces/IDepositBase.sol:3:pragma solidity ^0.8.9;
contracts/interfaces/IAxelarGasService.sol:3:pragma solidity ^0.8.9;
contracts/deposit-service/ReceiverImplementation.sol:3:pragma solidity 0.8.9;
contracts/deposit-service/AxelarDepositServiceProxy.sol:3:pragma solidity 0.8.9;
contracts/deposit-service/DepositReceiver.sol:3:pragma solidity 0.8.9;
contracts/deposit-service/DepositBase.sol:3:pragma solidity 0.8.9;
contracts/deposit-service/AxelarDepositService.sol:3:pragma solidity 0.8.9;
contracts/auth/AxelarAuthWeighted.sol:3:pragma solidity 0.8.9;
contracts/AxelarGateway.sol:3:pragma solidity 0.8.9;
contracts/gas-service/AxelarGasServiceProxy.sol:3:pragma solidity 0.8.9;
contracts/gas-service/AxelarGasService.sol:3:pragma solidity 0.8.9;

#0 - GalloDaSballo

2022-09-04T21:15:02Z

1. USE OF FLOATING PRAGMA

NC

2. safeApprove() is deprecated

Disputed as approve is used as intended in this codebase

3. USE SAFETRANSFER()/SAFETRANSFERFROM() INSTEAD OF TRANSFER()/TRANSFERFROM()

L

## 4. UNUSED/EMPTY RECEIVE()/FALLBACK() FUNCTION L

5. Use of recent version of Solidity

NC

2L 2NC

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0xNazgul, 0xsam, 8olidity, Aymen0909, Bnke0x0, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, Fitraldys, JC, Lambda, MiloTruck, Noah3o6, NoamYakov, RedOneN, Respx, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Tomio, Waze, __141345__, a12jmx, ajtra, ak1, apostle0x01, asutorufos, benbaessler, bharg4v, bulej93, c3phas, defsec, djxploit, durianSausage, erictee, fatherOfBlocks, gerdusx, gogo, kyteg, lucacez, medikko, mics, owenthurm, oyc_109, rbserver, robee, sashik_eth, simon135, tofunmi

Awards

31.222 USDC - $31.22

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

1. IT COSTS MORE GAS TO INITIALIZE VARIABLES TO ZERO THAN TO LET THE DEFAULT OF ZERO BE APPLIED

// Links to github files https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/auth/AxelarAuthWeighted.sol#L68 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/auth/AxelarAuthWeighted.sol#L94 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/auth/AxelarAuthWeighted.sol#L95

// actual codes
contracts/auth/AxelarAuthWeighted.sol:68:        uint256 totalWeight = 0;+
contracts/auth/AxelarAuthWeighted.sol:94:        uint256 operatorIndex = 0;
contracts/auth/AxelarAuthWeighted.sol:95:        uint256 weight = 0;

2. ARRAY .LENGTH SHOULD NOT BE LOOKED UP IN EVERY LOOP OF A FOR-LOOP

The overheads outlined below are PER LOOP, excluding the first loop storage arrays incur a Gwarmaccess (100 gas) memory arrays use MLOAD (3 gas) calldata arrays use CALLDATALOAD (3 gas). Caching the length changes each of these to a DUP<N> (3 gas), and gets rid of the extra DUP<N> needed to store the stack offset

// Links to githubfile https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/AxelarDepositService.sol#L114 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/AxelarDepositService.sol#L168 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/deposit-service/AxelarDepositService.sol#L204 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/auth/AxelarAuthWeighted.sol#L17 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/auth/AxelarAuthWeighted.sol#L98 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/auth/AxelarAuthWeighted.sol#L17 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/AxelarGateway.sol#L207 https://github.com/code-423n4/2022-07-axelar/blob/main/contracts/gas-service/AxelarGasService.sol#L123

// actual codes
contracts/deposit-service/AxelarDepositService.sol:114:        for (uint256 i; i < refundTokens.length; i++) {
contracts/deposit-service/AxelarDepositService.sol:168:        for (uint256 i; i < refundTokens.length; i++) {
contracts/deposit-service/AxelarDepositService.sol:204:        for (uint256 i; i < refundTokens.length; i++) {
contracts/auth/AxelarAuthWeighted.sol:17:        for (uint256 i; i < recentOperators.length; ++i) {
contracts/auth/AxelarAuthWeighted.sol:98:        for (uint256 i = 0; i < signatures.length; ++i) 
contracts/AxelarGateway.sol:207:        for (uint256 i = 0; i < symbols.length; i++) 
contracts/gas-service/AxelarGasService.sol:123:        for (uint256 i; i < tokens.length; i++)

#0 - GalloDaSballo

2022-08-23T01:07:41Z

Less than 100 gas saved

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter