Canto Dex Oracle contest - TomJ's results


General Information

Platform: Code4rena

Start Date: 07/09/2022

Pot Size: $20,000 CANTO

Total HM: 7

Participants: 65

Period: 1 day

Judge: 0xean

Total Solo HM: 3

Id: 159

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 39/65

Findings: 1

Award: $39.22

🌟 Selected for report: 0

🚀 Solo Findings: 0

Table of Contents

Low Risk Issues

  • Performing a Multiplication on the Result of a Division

Non-critical Issues

  • Define Magic Numbers to Constant

Low Risk Issues

Performing a Multiplication on the Result of a Division

Issue

Solidity integer division truncates, so dividing first and multiplying afterwards discards the remainder and then scales up that rounding error. Performing the multiplication before the division avoids this loss of precision. Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#divide-before-multiply

PoC
  1. Line 582 of getPriceLP() in BaseV1-periphery.sol:
            uint token0TVL = assetReserves[i] * (prices[i] / decimals);

https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L582

Mitigation

Consider ordering multiplication before division.
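The following is an added example, not part of the report or the Canto code base. It models the two orderings of the getPriceLP() TVL computation under Solidity-style uint256 arithmetic (floor division, revert on overflow) so the size of the truncation error can be measured; the sample reserve, price and decimals values are constructed.

```python
# Added example: compare "divide before multiply" (the flagged ordering) with
# "multiply before divide" using Solidity-like uint256 integer semantics.
# Names mirror the report's snippet: assetReserves[i], prices[i], decimals.

UINT256_MAX = 2**256 - 1


def _check_uint256(x: int) -> int:
    """Mimic Solidity 0.8 checked arithmetic: raise (revert) on overflow."""
    if x < 0 or x > UINT256_MAX:
        raise OverflowError("uint256 overflow (Solidity would revert)")
    return x


def tvl_divide_first(asset_reserve: int, price: int, decimals: int) -> int:
    """Ordering flagged in the report: reserve * (price / decimals).
    The division truncates first, and the multiplication scales the error."""
    scaled_price = price // decimals
    return _check_uint256(asset_reserve * scaled_price)


def tvl_multiply_first(asset_reserve: int, price: int, decimals: int) -> int:
    """Suggested ordering: (reserve * price) / decimals, truncating once."""
    return _check_uint256(asset_reserve * price) // decimals


def precision_loss(asset_reserve: int, price: int, decimals: int) -> int:
    """Absolute value lost by dividing first (0 when the ordering is harmless)."""
    return (tvl_multiply_first(asset_reserve, price, decimals)
            - tvl_divide_first(asset_reserve, price, decimals))


if __name__ == "__main__":
    # Constructed sample: a 6-decimal token priced just below one whole unit.
    decimals = 10**6
    price = 999_999                 # 0.999999 in 6-decimal fixed point
    reserve = 5_000_000 * 10**6     # 5M tokens with 6 decimals
    print("divide first  :", tvl_divide_first(reserve, price, decimals))
    print("multiply first:", tvl_multiply_first(reserve, price, decimals))
    print("precision loss:", precision_loss(reserve, price, decimals))
```

With a price below one unit of `decimals`, the flagged ordering rounds the whole TVL term to zero; the reordered computation keeps the value. Reordering raises the magnitude of the intermediate product, so also confirm that `reserve * price` cannot exceed uint256 for the token ranges the oracle serves.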


Non-critical Issues

Define Magic Numbers to Constant

Issue

It is best practice to define magic numbers as named constants rather than using the literal inline. This improves code readability and maintainability.

PoC
  1. Magic number: 10
./BaseV1-periphery.sol:18:            return 1e18 * 1e18 / (10 ** decimals); //Scale Price as a mantissa to maintain precision in comptroller
./BaseV1-periphery.sol:22:            return 1e18 * 1e18 / (10 ** decimals); //Scale Price as a mantissa to maintain precision in comptroller
./BaseV1-periphery.sol:46:        uint decimals = 10 ** token.decimals(); // get decimals of token
./BaseV1-periphery.sol:58:        uint decimals = 10 ** token.decimals();
./BaseV1-periphery.sol:75:                decimals = 10 ** (erc20(token1).decimals()); // we must normalize the price of token1 to 18 decimals
./BaseV1-periphery.sol:79:                decimals = 10 ** (erc20(token0).decimals());
./BaseV1-periphery.sol:85:                decimals = 10 ** (erc20(token1).decimals());
./BaseV1-periphery.sol:89:                decimals = 10 ** (erc20(token0)).decimals();
  2. Magic number: 1e18
./BaseV1-periphery.sol:18:            return 1e18 * 1e18 / (10 ** decimals); //Scale Price as a mantissa to maintain precision in comptroller
./BaseV1-periphery.sol:22:            return 1e18 * 1e18 / (10 ** decimals); //Scale Price as a mantissa to maintain precision in comptroller

Mitigation

Define the magic numbers as named constants.
