Platform: Code4rena
Start Date: 04/01/2022
Pot Size: $25,000 USDC
Total HM: 3
Participants: 40
Period: 3 days
Judge: Ivo Georgiev
Total Solo HM: 1
Id: 75
League: ETH
Rank: 7/40
Findings: 2
Award: $836.99
π Selected for report: 1
π Solo Findings: 0
37.3718 USDC - $37.37
Tomio
owner can call function setLockPeriods even when the owner inputting the destination array length and multiplier array length is different.
execution succed when inputting imbalance array length example: input duration: [1,2} input multiplier: [1]
Remix - Ethereum IDE
#0 - deluca-mike
2022-01-05T19:21:31Z
If there are more multipliers than durations, then the extra multipliers are ignored. If there are more durations than multipliers, then the function will revert anyway. Further, if the admin did make a mistake, they can just call the function again. This is no-risk.
#1 - deluca-mike
2022-01-09T10:39:03Z
Duplicate #38
18.2673 USDC - $18.27
Tomio
in solidity 0.8 there's already default check for underflow and overflow. however this default check cost more gas than using unchecked and required for the calculation of underflow and overflow check.
pragma solidity =0.8.10; contract test { function nounchecked(uint amount1, uint amount2)external returns(uint){ return amount1 - amount2; // 22307 gas } function _unchecked(uint amount1, uint amount2)external returns(uint){ unchecked{ require(amount2 <= amount1); return amount1 - amount2; } // 22129 gas } }
Remix - Ethereum IDE
#0 - deluca-mike
2022-01-05T11:34:40Z
Kind of general, but yes, we will use unchecked everywhere possible.
#1 - deluca-mike
2022-01-09T10:35:46Z
Duplicate #9 and #49
π Selected for report: Tomio
781.3514 USDC - $781.35
Tomio
in function setLockPeriods multiplier can be set to lower than 100 which will break the calculation when dividing the multiplier in function lock https://github.com/XDeFi-tech/xdefi-distribution/blob/master/contracts/XDEFIDistribution.sol#L268. If the amount times bonus multiplier below 100 the units value will be 0, therefore the totalUnits won't be added but the positionOf[tokenId] bill be added.
https://github.com/XDeFi-tech/xdefi-distribution/blob/master/contracts/XDEFIDistribution.sol#L77 https://github.com/XDeFi-tech/xdefi-distribution/blob/master/contracts/XDEFIDistribution.sol#L268
in function setLockPeriods need to be add
uint256 count = durations_.length; for (uint256 i; i < count; ++i) { require(multipliers >= 100); //added uint256 duration = durations_[i]; require(duration <= uint256(18250 days), "INVALID_DURATION"); emit LockPeriodSet(duration, bonusMultiplierOf[duration] = multipliers[i]); } }
#0 - deluca-mike
2022-01-05T19:19:36Z
Supporting less that 100 (i.e. less than 1x) was intended behaviour (i.e. 30-day lockup gets you normal rewards, and, say 0-day lockups gets you 0.5x rewards). However, there is a good catch that the resulting units from the calculation should be checked for 0 (instead of checking the amount_ argument for 0), since that's a better and more all-encompassing way to filter out amount that are too low (or zero) after taking the multiplier into account.
#1 - deluca-mike
2022-01-14T03:35:06Z
As alluded to above, bonusMultiplier is allowed to be below 100, and amount_ is no longer validated, and instead, resulting units are validated.
#2 - Ivshti
2022-01-16T06:05:18Z
valid finding