Joyn contest - Tomio's results

Launchpad for collaborative web3 media projects with blueprints, building blocks, and community support.

General Information

Platform: Code4rena

Start Date: 30/03/2022

Pot Size: $30,000 USDC

Total HM: 21

Participants: 38

Period: 3 days

Judge: Michael De Luca

Total Solo HM: 10

Id: 104

League: ETH

Researcher Performance

Rank: 35/38

Findings: 1

Award: $43.78

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

43.7805 USDC - $43.78

Labels

bug
G (Gas Optimization)

  1. != 0 is more effective than < 0

Proof of Concept: https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreCollection.sol#L146 https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreCollection.sol#L161 https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreFactory.sol#L74-L77

Recommended Mitigation Steps: Change > 0 or < 0 to != 0

========================================================================

  1. Unnecessary value set: the default value of uint is zero.

Proof of Concept: https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/MultiSigWallet.sol#L267 https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/MultiSigWallet.sol#L98 https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreCollection.sol#L279

Recommended Mitigation Steps: Remove the explicit 0 initialization

========================================================================

  1. Using ++i can save gas

Proof of Concept: https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreCollection.sol#L279 https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreFactory.sol#L79 https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/MultiSigWallet.sol#L98

Recommended Mitigation Steps: Change i++ to ++i

========================================================================

  1. Using < is cheaper than <=

Proof of Concept: https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreCollection.sol#L147-L150

Recommended Mitigation Steps: Change from <= to <

require(
    totalSupply() + amount < maxSupply,
    "CoreCollection: Over Max Supply"
);
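
The cap check above, as an added example (not code from Joyn or from this report): swapping `<=` for `<` while leaving the right-hand operand unchanged also lowers the highest supply the check accepts by one. The contract and function names are hypothetical; only the two comparison forms come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: a hypothetical minimal supply cap, not Joyn's CoreCollection.
contract SupplyCapExample {
    uint256 public immutable maxSupply;
    uint256 public totalSupply;

    constructor(uint256 _maxSupply) {
        maxSupply = _maxSupply;
    }

    // Inclusive bound (the `<=` form the finding proposes to replace).
    // totalSupply can reach exactly maxSupply.
    function mintInclusive(uint256 amount) external {
        require(totalSupply + amount <= maxSupply, "Over Max Supply");
        totalSupply += amount;
    }

    // Operator swapped, operand unchanged (the `<` form shown in the finding).
    // The highest reachable totalSupply is now maxSupply - 1, so the final
    // unit of the advertised supply can never be minted.
    function mintStrict(uint256 amount) external {
        require(totalSupply + amount < maxSupply, "Over Max Supply");
        totalSupply += amount;
    }

    // Strict comparison that accepts the same range as mintInclusive.
    // Assumption: maxSupply is below type(uint256).max; otherwise the
    // checked `+ 1` reverts under Solidity 0.8.
    function mintStrictSameCap(uint256 amount) external {
        require(totalSupply + amount < maxSupply + 1, "Over Max Supply");
        totalSupply += amount;
    }
}
```

With `maxSupply = 100` and `totalSupply = 99`, `mintInclusive(1)` and `mintStrictSameCap(1)` succeed while `mintStrict(1)` reverts, which is the boundary case a unit test for this change should cover.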

========================================================================

  1. Caching .length for loop

Proof of Concept: https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreFactory.sol#L79 https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/MultiSigWallet.sol#L98 https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/MultiSigWallet.sol#L147 https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/MultiSigWallet.sol#L268

Recommended Mitigation Steps:

uint256 newVar = _collections.length;
for (uint256 i; i < newVar; i++)

Caching _collections.length in newVar can save gas.

========================================================================

  1. The best way to use SafeERC20.function for gas optimization

Proof of Concept: https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreMultiSig.sol#L10

Recommended Mitigation Steps: Do not declare:

using SafeERC20 for IERC20;

and use:

SafeERC20.safeTransfer(IERC20(token), to, amount);

========================================================================

  1. Using == true costs more gas

Proof of Concept: https://github.com/code-423n4/2022-03-joyn/blob/main/royalty-vault/contracts/RoyaltyVault.sol#L43-L57

Recommended Mitigation Steps: Using == true to validate a bool variable is unnecessary:

require(
    IERC20(royaltyAsset).transfer(splitterProxy, splitterShare),
    "Failed to transfer royalty Asset to splitter"
);

========================================================================

  1. Using calldata to store struct data types can save gas

Proof of Concept: https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreFactory.sol#L72 https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreFactory.sol#L80 https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreFactory.sol#L110 https://github.com/code-423n4/2022-03-joyn/blob/main/core-contracts/contracts/CoreFactory.sol#L142

Recommended Mitigation Steps: Change to:

Collection[] calldata _collections

========================================================================
