Platform: Code4rena
Start Date: 03/05/2022
Pot Size: $30,000 USDC
Total HM: 6
Participants: 93
Period: 3 days
Judge: gzeon
Id: 118
League: ETH
Rank: 39/93
Findings: 3
Award: $94.36
🌟 Selected for report: 0
🚀 Solo Findings: 0
48.5872 USDC - $48.59
Judge has assessed an item in Issue #91 as Medium risk. The relevant finding follows:
call instead of sendaffected code:
Use of transfer() might render ETH impossible to withdraw because after istanbul hardfork , there is increases in the gas cost of the SLOAD operation and therefore breaks some existing smart contracts.Those contracts will break because their fallback functions used to consume less than 2300 gas, and they’ll now consume more, since 2300 the amount of gas a contract’s fallback function receives if it’s called via Solidity’s transfer() or send() methods. Any smart contract that uses transfer() or send() is taking a hard dependency on gas costs by forwarding a fixed amount of gas: 2300.
https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/
https://blog.openzeppelin.com/opyn-gamma-protocol-audit/
transfer return true or notaffected code
there are some tokens that won't revert if the transaction failed, instead, it will return a boolean.
Recommend mitigation
token.transfer(msg.sender, amount);#0 - gzeoneth
2022-06-18T19:19:15Z
Duplicate of #254
🌟 Selected for report: defsec
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0x52, 0xDjango, 0xf15ers, 0xkatana, 0xliumin, AuditsAreUS, BowTiedWardens, CertoraInc, Cr4ckM3, Funen, GimelSec, Hawkeye, IllIllI, Kulk0, M0ndoHEHE, MaratCerby, Picodes, Ruhum, TerrierLover, TrungOre, VAD37, WatchPug, berndartmueller, broccolirob, catchup, cccz, cryptphi, csanuragjain, delfin454000, dirk_y, eccentricexit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, hubble, hyh, ilan, joestakey, kebabsec, kenta, kenzo, leastwood, m9800, marximimus, minhquanym, oyc_109, p4st13r4, pauliax, pedroais, peritoflores, plotchy, rajatbeladiya, reassor, rfa, robee, rotcivegaf, samruna, shenwilly, shung, simon135, sorrynotsorry, sseefried, teddav, throttle, tintin, unforgiven, z3s
30.2807 USDC - $30.28
tags: c4, 2022-05-runes
call instead of sendaffected code:
Use of transfer() might render ETH impossible to withdraw because after istanbul hardfork , there is increases in the gas cost of the SLOAD operation and therefore breaks some existing smart contracts.Those contracts will break because their fallback functions used to consume less than 2300 gas, and they’ll now consume more, since 2300 the amount of gas a contract’s fallback function receives if it’s called via Solidity’s transfer() or send() methods. Any smart contract that uses transfer() or send() is taking a hard dependency on gas costs by forwarding a fixed amount of gas: 2300.
https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/
https://blog.openzeppelin.com/opyn-gamma-protocol-audit/
transfer return true or notaffected code
there are some tokens that won't revert if the transaction failed, instead, it will return a boolean.
Recommend mitigation
token.transfer(msg.sender, amount);affected code
As in the timeline, we can see that daStartTime <= minListStartTime. But in the setPhaseTime() function, the function hasn't checked the condition if daStartTime <= minListStartTime or not.
🌟 Selected for report: BowTiedWardens
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xProf, 0xc0ffEE, 0xf15ers, 0xkatana, 0xliumin, ACai, AlleyCat, CertoraInc, Cityscape, Cr4ckM3, DavidGialdi, Dinddle, FSchmoede, Funen, GimelSec, Hawkeye, IllIllI, Kulk0, M0ndoHEHE, MaratCerby, MiloTruck, Picodes, RoiEvenHaim, Tadashi, TerrierLover, TrungOre, VAD37, WatchPug, antonttc, catchup, defsec, delfin454000, dirk_y, eccentricexit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, ilan, joestakey, kebabsec, kenta, kenzo, marximimus, minhquanym, noobie, oyc_109, p4st13r4, pauliax, rajatbeladiya, reassor, rfa, robee, rotcivegaf, saian, samruna, shenwilly, shung, simon135, slywaters, sorrynotsorry, throttle, unforgiven, z3s
15.491 USDC - $15.49
tags: c4, 2022-05-runes
external instead of publicAll these function described should be declared external, as functions that are never called by the contract should be declared external to save gas. afftected code:
Affected code
Because
==> we can deduce that numSold <= maxDaSupply - numWarriors <= maxDaSupply - 1 < maxDaSupply. So we don't need to check numSold < maxDaSupply.
Affected code
Because
==> we can deduce that numSold <= maxForSale - numWarriors <= maxForSale - 1 < maxForSale. So we don't need to check numSold < maxForSale.
currentPrice calculationAffected code
Instead of calculating currentPrice like this, we can
if (startPrice < lowestPrice + stepDeduction) { return lowestPrice; } return startPrice - stepDeduction;