LSD Network - Stakehouse contest - Udsen's results

A permissionless 3 pool liquid staking solution for Ethereum.

General Information

Platform: Code4rena

Start Date: 11/11/2022

Pot Size: $90,500 USDC

Total HM: 52

Participants: 92

Period: 7 days

Judge: LSDan

Total Solo HM: 20

Id: 182

League: ETH

Stakehouse Protocol

Findings Distribution

Researcher Performance

Rank: 81/92

Findings: 1

Award: $52.03

QA:

grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Stakehouse Protocol

Findings Information

🌟 Selected for report: 0xSmartContract

Also found by: 0x4non, 0xNazgul, 0xRoxas, 0xdeadbeef0x, 0xmuxyz, 9svR6w, Awesome, Aymen0909, B2, Bnke0x0, CloudX, Deivitto, Diana, Franfran, IllIllI, Josiah, RaymondFam, ReyAdmirado, Rolezn, Sathish9098, Secureverse, SmartSek, Trust, Udsen, a12jmx, aphak5010, brgltd, bulej93, c3phas, ch0bu, chaduke, chrisdior4, clems4ever, cryptostellar5, datapunk, delfin454000, fs0c, gogo, gz627, hl_, immeas, joestakey, lukris02, martin, nogo, oyc_109, pashov, pavankv, peanuts, pedr02b2, rbserver, rotcivegaf, sahar, sakman, shark, tnevler, trustindistrust, zaskoh, zgo

Awards

52.0338 USDC - $52.03

Labels

bug

grade-b

QA (Quality Assurance)

Q-34

External Links

Link to GitHub issue

1. Target address is not checked for address(0). if address(0) is passed as the target the call function will return true. But the transaction will fail.

Should check for the non-zero target address. require(target != address(0), "Zero address");

https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/smart-wallet/OwnableSmartWallet.sol#L78

2. revert error message is given as ZeroAddress(). But it is checking for `_recipient == address(this)`.

It is advisable to create a new error message for this condition as ThisAddress() in SyndicateErrors.sol and import it into Syndicate.sol.

There are 2 instances of this issue:

https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/syndicate/Syndicate.sol#643 https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/syndicate/Syndicate.sol#296

#0 - c4-judge
2022-12-02T19:52:50Z

dmvt marked the issue as grade-b

LSD Network - Stakehouse contest - Udsen's results

A permissionless 3 pool liquid staking solution for Ethereum.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-34] QA Report - $52.03

Findings Information

Awards

Labels

External Links

1. Target address is not checked for address(0). if address(0) is passed as the target the call function will return true. But the transaction will fail.

2. revert error message is given as ZeroAddress(). But it is checking for _recipient == address(this).

#0 - c4-judge2022-12-02T19:52:50Z

2. revert error message is given as ZeroAddress(). But it is checking for `_recipient == address(this)`.

#0 - c4-judge
2022-12-02T19:52:50Z