Platform: Code4rena
Start Date: 12/07/2022
Pot Size: $75,000 USDC
Total HM: 16
Participants: 100
Period: 7 days
Judge: LSDan
Total Solo HM: 7
Id: 145
League: ETH
Rank: 39/100
Findings: 3
Award: $128.88
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rajatbeladiya
Also found by: 0x29A, 0xNineDec, Amithuddar, Aussie_Battlers, Ch_301, Dravee, GimelSec, IllIllI, Jujic, Limbooo, RedOneN, Ruhum, TomJ, _Adam, __141345__, alan724, asutorufos, berndartmueller, c3phas, cccz, cryptphi, durianSausage, fatherOfBlocks, hake, hyh, pashov, scaraven, zzzitron
5.45 USDC - $5.45
https://github.com/code-423n4/2022-07-ens/blob/main/contracts/ethregistrar/ETHRegistrarController.sol#L183 https://github.com/code-423n4/2022-07-ens/blob/main/contracts/ethregistrar/ETHRegistrarController.sol#L204
You should use call() instead of transfer(). If the recipient is a contract it might use more than 2300 gas which will make the transaction fail if the ETH was sent with transfer().
https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/
Since the transfer is always at the end of the function, there shouldn't be any risk of reentrancy.
none
Use call() instead.
#0 - jefflau
2022-07-22T09:49:59Z
Duplicate of #133
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 8olidity, Aussie_Battlers, Bnke0x0, Ch_301, Critical, Deivitto, Dravee, ElKu, Funen, GimelSec, JC, JohnSmith, Lambda, MiloTruck, PwnedNoMore, ReyAdmirado, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, TomJ, Waze, _Adam, __141345__, alan724, asutorufos, benbaessler, berndartmueller, bin2chen, brgltd, bulej93, c3phas, cRat1st0s, cryptonue, cryptphi, csanuragjain, delfin454000, dxdv, exd0tpy, fatherOfBlocks, gogo, hake, hyh, joestakey, kyteg, lcfr_eth, minhtrng, p_crypt0, pashov, pedr02b2, philogy, rajatbeladiya, rbserver, rishabh, robee, rokinot, sach1r0, sashik_eth, seyni, simon135, svskaushik, zuhaibmohd, zzzitron
83.5693 USDC - $83.57
The repository normally uses OZ's Ownable contract. But, the new DNSECImpl contract uses a custom Owned contract. There's no benefit in introducing another one doing the same thing. I recommend sticking to one.
Consider using a two-step process for transferring the ownership of a contract. While it costs a little more gas, it's safer than transferring directly.
Here's an example from the Compound Timelock contract: https://github.com/compound-finance/compound-protocol/blob/master/contracts/Timelock.sol#L45-L58
ABI encoder v2 is enabled by default. You don't have to explicitly enable it anymore, see https://github.com/ethereum/solidity/blob/develop/Changelog.md#080-2020-12-16
public keyword for constructors was removed in 0.7.0Constructors now don't have any extra keywords, see https://docs.soliditylang.org/en/v0.7.0/070-breaking-changes.html#functions-and-events. You should remove it.
It allows third parties to track those changes efficiently.
e.g.
Under- and overflow checks are built-in since 0.8.0. Using the SafeMath library is not necessary anymore.
Remove unused imports to clearly see which contracts and libraries the contract uses.
e.g.
🌟 Selected for report: 0xKitsune
Also found by: 0x040, 0x1f8b, 0x29A, 0xNazgul, 0xNineDec, 0xsam, 8olidity, Aussie_Battlers, Aymen0909, Bnke0x0, CRYP70, Ch_301, Chom, Deivitto, Dravee, ElKu, Fitraldys, Funen, GimelSec, IllIllI, JC, JohnSmith, Lambda, MiloTruck, Noah3o6, RedOneN, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Tomio, Waze, _Adam, __141345__, ajtra, ak1, arcoun, asutorufos, benbaessler, brgltd, bulej93, c3phas, cRat1st0s, cryptonue, delfin454000, durianSausage, fatherOfBlocks, gogo, hake, hyh, joestakey, karanctf, kyteg, lcfr_eth, lucacez, m_Rassska, rajatbeladiya, rbserver, robee, rokinot, sach1r0, sahar, samruna, sashik_eth, seyni, simon135, zuhaibmohd
39.8559 USDC - $39.86
Since the loop's variable can't overflow in most circumstances, you can safe gas by incrementing it inside a unchecked block:
for (uint i; i < length;) { unchecked { ++i; } }
e.g.
In the ETHRegistraryController contract, you allow the user to pay more than necessary for the registration. Any surplus amount is then refunded.
If you force the user to pay the exact amount, you can remove the refund logic and thus save gas.
#0 - jefflau
2022-08-01T10:11:27Z
G-02: Don't allow the user to send more ETH than necessary allows you to remove the refund logic
Intended behavior because the amount of ETH varies based on the oracle.