Platform: Code4rena
Start Date: 12/09/2022
Pot Size: $75,000 USDC
Total HM: 19
Participants: 110
Period: 7 days
Judge: HardlyDifficult
Total Solo HM: 9
Id: 160
League: ETH
Rank: 12/110
Findings: 3
Award: $639.56
🌟 Selected for report: 0
🚀 Solo Findings: 0
521.8703 USDC - $521.87
https://github.com/PartyDAO/party-contracts-c4/blob/d129d647796369a18e30b336e74e7d1bfc779597/contracts/crowdfund/Crowdfund.sol#L322 https://github.com/PartyDAO/party-contracts-c4/blob/d129d647796369a18e30b336e74e7d1bfc779597/contracts/distribution/TokenDistributor.sol#L390
There is function _hashFixedGovernanceOpts in Crowdfund contract and function _getDistributionHash in TokenDistributor contract. The first one truncates the hash result to 16 bytes, the second to 15 bytes.
It is possible to find a collision for such truncated hash using algorithm with O(2^(hash_bitlenght/2) * T) time complexity where T is the complexity of hash calculation (according to the Birthday Problem). And it will cost not too much money, according to the current hash computing power. So usage of such hash function is not safe at all.
Don't truncate the hash result so much. Ideally, use all 32 bytes of the hash result.
#0 - merklejerk
2022-09-22T16:28:36Z
Duplicate of #231
🌟 Selected for report: Lambda
Also found by: 0x1f8b, 0x4non, 0x52, 0x5rings, 0xDanielC, 0xNazgul, 0xSmartContract, 0xbepresent, Anth3m, Aymen0909, B2, CRYP70, CertoraInc, Ch_301, Chom, ChristianKuri, CodingNameKiki, Deivitto, Funen, JC, JansenC, Jeiwan, KIntern_NA, MasterCookie, MiloTruck, Olivierdem, PaludoX0, R2, RaymondFam, ReyAdmirado, StevenL, The_GUILD, Tomo, Trust, V_B, __141345__, asutorufos, ayeslick, bin2chen, brgltd, bulej93, c3phas, cccz, ch0bu, cryptphi, csanuragjain, d3e4, delfin454000, djxploit, erictee, fatherOfBlocks, gogo, hansfriese, indijanc, ladboy233, leosathya, lukris02, malinariy, martin, pedr02b2, pfapostol, rvierdiiev, slowmoses, smiling_heretic, tnevler, wagmi
82.3371 USDC - $82.34
It is reasonable to use calldata instead of memory for input arrays in external functions to reduce gas consumption and make the code more clear. As an example, createParty function from PartyFactory contract should be changed.
It is reasonable to use in LibGlobals library an enum instead of 22 constants.
There is a _rebalanceDelegates function in PartyGovernance. For the case when oldDelegate parameter equals to newDelegate parameter it will be more clear to use special check and update, instead of doing more complicated interdependent logic.
MarketWrappers don't have payable functions but function bid sends something.
#0 - HardlyDifficult
2022-10-03T21:44:38Z
🌟 Selected for report: CertoraInc
Also found by: 0x1f8b, 0x4non, 0x5rings, 0x85102, 0xNazgul, 0xSmartContract, 0xkatana, Amithuddar, Aymen0909, B2, Bnke0x0, CRYP70, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diraco, Fitraldys, Funen, IgnacioB, JAGADESH, JC, Lambda, LeoS, Matin, Metatron, MiloTruck, Noah3o6, Ocean_Sky, Olivierdem, PaludoX0, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Saintcode_, Sm4rty, SnowMan, StevenL, Tomio, Tomo, V_B, Waze, __141345__, ajtra, asutorufos, aysha, brgltd, bulej93, c3phas, ch0bu, d3e4, delfin454000, dharma09, djxploit, erictee, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, got_targ, ignacio, jag, karanctf, ladboy233, leosathya, lukris02, m_Rassska, malinariy, martin, natzuu, pashov, peanuts, peiw, pfapostol, prasantgupta52, robee, simon135, slowmoses, sryysryy, tnevler
35.3477 USDC - $35.35
It is reasonable to use calldata instead of memory for input arrays in external functions to reduce gas consumption and make the code more clear. As an example, createParty function from PartyFactory contract should be changed.