Trader Joe contest - Tomio's results

One-stop-shop decentralized trading on Avalanche.

General Information

Platform: Code4rena

Start Date: 25/01/2022

Pot Size: $50,000 USDT

Total HM: 17

Participants: 39

Period: 3 days

Judge: LSDan

Total Solo HM: 9

Id: 79

League: ETH

Trader Joe

Findings Distribution

Researcher Performance

Rank: 29/39

Findings: 2

Award: $132.15

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Trader Joe

Findings Information

🌟 Selected for report: cmichel

Also found by: Czar102, Ruhum, Tomio, WatchPug, defsec, hack3r-0m, hyh, saian

Labels

bug

duplicate

2 (Med Risk)

Awards

74.4672 USDT - $74.47

External Links

Link to GitHub issue

Handle

Tomio

Vulnerability details

Impact

in the https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeFactory.sol#L98 the user can create launchevent, and providing _token to the launchevent contract, however, some token may behave differently when handling a failed transfer and transferFrom, some token may handle failed transfer and transferFrom by returning a false condition rather than reverting the transaction, in this line https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeFactory.sol#L133 the return value is ignored, even though the transferFrom might handle failed transferFrom differently by returning a false. to fix this issue use SafeERC20, because not only does this contract handle the false return value, but also handles a token that was didn't comply with erc20.

Proof of Concept

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeFactory.sol#L133

Tools Used

Manual review

Recommended Mitigation Steps

#0 - cryptofish7
2022-01-31T00:42:05Z

Duplicate of #232

#1 - dmvt
2022-02-22T19:25:54Z

duplicate of #198

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Auditors

Browse

Contests

Browse

Get in touch

Contact Twitter

Findings Information

🌟 Selected for report: defsec

Also found by: Tomio

Labels

bug

duplicate

G (Gas Optimization)

Awards

17.9007 USDT - $17.90

External Links

Link to GitHub issue

Handle

Tomio

Vulnerability details

Impact

if the value is 0, will waste gas to transfer 0 value

Proof of Concept

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeStaking.sol#L125

Tools Used

Remix

Recommended Mitigation Steps

function withdraw(uint256 _amount) external {
        UserInfo storage user = userInfo[msg.sender];
        require(
            user.amount >= _amount,
            "RocketJoeStaking: withdraw amount exceeds balance"
        );

        updatePool();
        
        uint256 pending = (user.amount * accRJoePerShare) /
            PRECISION -
            user.rewardDebt;

        if(pending > 0){
            _safeRJoeTransfer(msg.sender, pending);
          }

        user.amount = user.amount - _amount;
        user.rewardDebt = (user.amount * accRJoePerShare) / PRECISION;

        joe.safeTransfer(address(msg.sender), _amount);
        emit Withdraw(msg.sender, _amount);

#0 - cryptofish7
2022-01-31T00:02:43Z

Duplicate of #71

Findings Information

🌟 Selected for report: Tomio

Labels

bug

G (Gas Optimization)

sponsor acknowledged

Awards

39.7792 USDT - $39.78

External Links

Link to GitHub issue

Handle

Tomio

Vulnerability details

Impact

Expensive gas

Proof of Concept

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/LaunchEvent.sol#L574

Tools Used

Remix

Recommended Mitigation Steps

add unchecked to save gas

function getRJoeAmount(uint256 _avaxAmount) public view returns (uint256) {
        unchecked{
        return _avaxAmount * rJoePerAvax;
        }
    }

Trader Joe contest - Tomio's results

One-stop-shop decentralized trading on Avalanche.

General Information

Findings Distribution

Researcher Performance

External Links

[M-13] transferFrom can return false, and didnt revert - $74.47

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - cryptofish72022-01-31T00:42:05Z

#1 - dmvt2022-02-22T19:25:54Z

Gas Report - $57.68

Gas Report - $57.68

[G-63] need to check if pending value = 0 - $17.90

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - cryptofish72022-01-31T00:02:43Z

🚀 [G-44] using `unchecked` can save gas - $39.78

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - cryptofish7
2022-01-31T00:42:05Z

#1 - dmvt
2022-02-22T19:25:54Z

#0 - cryptofish7
2022-01-31T00:02:43Z