Platform: Code4rena
Start Date: 05/10/2023
Pot Size: $33,050 USDC
Total HM: 1
Participants: 54
Period: 6 days
Judge: hansfriese
Id: 294
League: ETH
Rank: 48/54
Findings: 1
Award: $5.43
Selected for report: 0
Solo Findings: 0
Selected for report: thekmj
Also found by: 0x3b, 33BYTEZZZ, Bauchibred, Chom, Dravee, J4X, Limbooo, Maroutis, MiloTruck, MrPotatoMagic, SBSecurity, Sathish9098, Tadev, ZanyBonzy, adam-idarrha, adriro, btk, hyh, lukejohn, nmirchev8, peakbolt, radev_sw, rvierdiiev
5.4311 USDC - $5.43
_delegateMulti function for 0 values in amounts array
Internal _delegateMulti function should check that uint256[] calldata amounts array doesn't contain any value equal to 0. If it does, it will finally result in calling transferFrom with amount equal to zero, which is not a desired behavior, as it will consume gas for no action.
Recommended Mitigation Steps:
Adding a check in the for loop could prevent executing transferFrom with 0 amount, and continue to the next iteration of the loop.
For example, we could add the check after this line : https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L96
if (amount == 0) { continue; }
ERC20MultiDelegate contract
In order to create a delegation for the first time using ERC20MultiDelegate contract, a user would need to call delegateMulti function, providing no source (or 0 address), one target representing the account to delegate voting power to, and one amount. delegateMulti function will internally call _delegateMulti function, which will internally call createProxyDelegatorAndTransfer function. Then, the proxy is deployed if no one delegated to the specified account before, and the following line is finally executed: token.transferFrom(msg.sender, proxyAddress, amount).
This means the user first of all needs to send a transaction to the ERC20 token contract, in order to approve at least the amount specified in delegateMulti function inputs. This could be not user-friendly, especially if the token used in ERC20MultiDelegate doesn't implement ERC20Permit extension.
Impact:
This issue could lead to poor user experience when using ERC20MultiDelegate to delegate voting power of a token that doesn't implement ERC20Permit extension, as the Sponsors told us on the Discord that ERC20MultiDelegate contract could be used with any ERC20 contract.
Recommended Mitigation Steps:
Make sure the ERC20 token used within ERC20MultiDelegate is implementing ERC20Permit properly. If not, this will result in the requirement of 2 transactions for the user to initiate a delegation.
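The single-transaction flow that the ERC20Permit recommendation points to, as an added sketch that is not code from ERC20MultiDelegate or from this report: an ERC-2612 signature replaces the separate approve transaction, and the loop skips zero amounts as in the first recommendation. The contract, function and interface names are hypothetical, and `recipients` stands in for the proxy addresses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical names; not the ENS contract's code.
interface IERC20PermitLike {
    function permit(address owner, address spender, uint256 value,
                    uint256 deadline, uint8 v, bytes32 r, bytes32 s) external;
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract PermitDepositSketch {
    IERC20PermitLike public immutable token;

    constructor(IERC20PermitLike _token) {
        token = _token;
    }

    /// Approve by signature and pull tokens in the same transaction.
    /// `total` is the value the caller signed in the ERC-2612 permit.
    function depositWithPermit(
        address[] calldata recipients,
        uint256[] calldata amounts,
        uint256 total,
        uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        require(recipients.length == amounts.length, "length mismatch");

        // A permit signature is visible in the mempool and can be submitted by
        // anyone first, which makes a bare permit() call revert. Tolerate that
        // and check the resulting allowance instead.
        try token.permit(msg.sender, address(this), total, deadline, v, r, s) {} catch {}
        require(token.allowance(msg.sender, address(this)) >= total, "allowance too low");

        uint256 pulled;
        for (uint256 i = 0; i < recipients.length; i++) {
            uint256 amount = amounts[i];
            if (amount == 0) { continue; } // skip the no-op transferFrom
            pulled += amount;
            require(token.transferFrom(msg.sender, recipients[i], amount), "transfer failed");
        }
        // The signed total must match what was actually moved.
        require(pulled == total, "total mismatch");
    }
}
```

With a token that lacks permit, the `try` fails silently and the allowance check reverts unless the user approved beforehand, which is the two-transaction case described above.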
#0 - c4-pre-sort
2023-10-13T11:35:15Z
141345 marked the issue as sufficient quality report
#1 - c4-judge
2023-10-24T16:28:12Z
hansfriese marked the issue as grade-b