Golom contest - Soosh's results

An NFT marketplace that offers the lowest industry fee, a publicly available order-book along with analytical tools.

General Information

Platform: Code4rena

Start Date: 26/07/2022

Pot Size: $75,000 USDC

Total HM: 29

Participants: 179

Period: 6 days

Judge: LSDan

Total Solo HM: 6

Id: 148

League: ETH

Golom

Findings Distribution

Researcher Performance

Rank: 147/179

Findings: 1

Award: $35.17

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Golom

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x4non, 0x52, 0xA5DF, 0xDjango, 0xLovesleep, 0xNazgul, 0xNineDec, 0xSmartContract, 0xackermann, 0xc0ffEE, 0xf15ers, 0xmatt, 0xsanson, 0xsolstars, 8olidity, AuditsAreUS, Bahurum, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chom, CryptoMartian, Deivitto, DevABDee, Dravee, ElKu, Franfran, Funen, GalloDaSballo, GimelSec, GiveMeTestEther, Green, JC, Jmaxmanblue, JohnSmith, Jujic, Junnon, Kenshin, Krow10, Kumpa, Lambda, MEP, Maxime, MiloTruck, Mohandes, NoamYakov, Picodes, RedOneN, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, Soosh, StErMi, StyxRave, Tadashi, TomJ, Treasure-Seeker, TrungOre, Waze, _Adam, __141345__, ajtra, ak1, apostle0x01, arcoun, asutorufos, async, benbaessler, berndartmueller, bin2chen, brgltd, c3phas, cRat1st0s, carlitox477, chatch, codetilda, codexploder, cryptonue, cryptphi, csanuragjain, cthulhu_cult, delfin454000, dipp, dirk_y, djxploit, ellahi, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, horsefacts, hyh, idkwhatimdoing, indijanc, jayfromthe13th, jayphbee, joestakey, kenzo, kyteg, lucacez, luckypanda, mics, minhquanym, obront, oyc_109, pedr02b2, rajatbeladiya, rbserver, reassor, robee, rokinot, rotcivegaf, sach1r0, saian, saneryee, sashik_eth, scaraven, shenwilly, simon135, sseefried, supernova, teddav, ych18, zuhaibmohd, zzzitron

Awards

35.1687 USDC - $35.17

Labels

bug

QA (Quality Assurance)

External Links

Link to GitHub issue

Low severity findings

GolomToken totalSupply can be slightly above the 1 billion cap

In the documentation (https://docs.golom.io/tokenomics-and-airdrop), the Golom Token should have a maximum supply of 1Billion Golom Tokens.
The actual maximum supply will be slightly above this number due to the addFee() emissions. The last emission can result in totalSupply >= 1_000_000_000

if (rewardToken.totalSupply() > 1000000000 * 10**18) {
	return;
}

The emissions rate depends on the number of stakers and totalSupply at the time so no definite number can be given.

Example: Say that totalSupply() is at 999_900_000 and total staked is 200_000_000.

uint256 tokenToEmit = (dailyEmission * (rewardToken.totalSupply() - rewardToken.balanceOf(address(ve)))) / rewardToken.totalSupply();

tokensToEmit = (600,000 * (999,900,000 - 200,000,000)) / 999,900,000 tokensToEmit = 479988 totalSupply = 999,900,000 + 4799878 totalSupply = 1,000,379,988

Recommendations:

Additonal logic can be explicitly added (additonal gas costs for each time addFee() is called)
Or, accept that Max supply can be slightly over 1 billion

Link:

https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/rewards/RewardDistributor.sol#L100

QA Findings

GolomToken symbol differs from documentation

The symbol for GolomToken in the docs (https://docs.golom.io/tokenomics-and-airdrop) is $GOLOM but the GolomToken in contracts has the symbol $GOL

Link:

https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/governance/GolomToken.sol#L28

VoteEscrow tokens have different name and symbol from documentation

name and symbol of VoteEscrowCore.sol is 'veNFT'. The documentation (https://docs.golom.io/rewards) suggests it should be called 'veGOLOM'.

Link:

https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/vote-escrow/VoteEscrowCore.sol#L317

Time values can be more readable

Instead of

uint256 internal constant MAXTIME = 4 * 365 * 86400;
int128 internal constant iMAXTIME = 4 * 365 * 86400;
uint256 constant secsInDay = 24 * 60 * 60;

It can be more readable

uint256 internal constant MAXTIME = 4 years;
int128 internal constant iMAXTIME = 4 years;
uint256 constant secsInDay = 1 days;

Links:

For example, instead of

require(status == 3);

It can be cleaner

require(status == VALID);

Recommended enums:

enum OrderStatus {
	INVALID,
	EXPIRED,
	FILLED_OR_CANCELLED,
	VALID
}

enum OrderType {
	ASK,
	BID,
	CRITERIA_BID
}

Link:

Unneeded if check

The signaturesigner != o.signer if check is not needed as if it were true, the transaction would have already reverted from the above require(signaturesigner == o.signer, 'invalid signature') check.

require(signaturesigner == o.signer, 'invalid signature');
if (signaturesigner != o.signer) {
	return (0, hashStruct, 0);
}

Link:

https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/core/GolomTrader.sol#L178

Golom contest - Soosh's results

An NFT marketplace that offers the lowest industry fee, a publicly available order-book along with analytical tools.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-117] QA Report - $35.17

Findings Information

Awards

Labels

External Links

Low severity findings

GolomToken totalSupply can be slightly above the 1 billion cap

Recommendations:

QA Findings

GolomToken symbol differs from documentation

VoteEscrow tokens have different name and symbol from documentation

Time values can be more readable

Recommend using enums for orderType and order status for better code readability

Unneeded if check