Platform: Code4rena
Start Date: 01/07/2022
Pot Size: $75,000 USDC
Total HM: 17
Participants: 105
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 5
Id: 143
League: ETH
Rank: 60/105
Findings: 2
Award: $127.51
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xdanial, 0xf15ers, Bnke0x0, Ch_301, Chandr, Chom, Funen, GimelSec, Hawkeye, JC, Kaiziron, Lambda, Meera, MiloTruck, Noah3o6, Picodes, ReyAdmirado, Rohan16, Sm4rty, TerrierLover, TomJ, Waze, _Adam, __141345__, asutorufos, aysha, berndartmueller, brgltd, cccz, codexploder, defsec, delfin454000, djxploit, durianSausage, fatherOfBlocks, hake, horsefacts, hubble, jayfromthe13th, joestakey, jonatascm, m_Rassska, oyc_109, pashov, rajatbeladiya, rbserver, robee, sach1r0, sahar, samruna, simon135, svskaushik, zzzitron
89.271 USDC - $89.27
#1 State directory and operatorstore in public immutable stored properties was missing Impact constructor cant initialize the directory and operatorStore due to state of directory and operatorstore was missing
Proof of Concept https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBTokenStore.sol#L160
Tool Used Manual review
Recommendation Mitigation Steps Add directory and operatorStore state and make it immutable in public immutable stored properties
#2 State operatorstore in public immutable stored properties was missing Impact constructor cant initialize the operatorStore due to state of operatorstore was missing
Proof of Concept https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBSplitsStore.sol#L120
Tool Used Manual review
Recommendation Mitigation Steps Add operatorStore state and make it immutable in public immutable stored properties
#3 State owner was missing Impact constructor cant initialize the owner due to state of owner was missing
Proof of Concept https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBPrices.sol#L89
Tool Used Manual review
Recommendation Mitigation Steps Add state owner and make it immutable
#4 Missing state of owner and operatorStore Impact constructor cant initialize the owner and operatorStore due to state of owner and operatorstore was missing
Proof of Concept https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBDirectory.sol#L182
Tool Used Manual review
Recommendation Mitigation Steps Add owner and operatorStore state and make it immutable in public immutable stored properties
#5 Missing state operatorStore Impact constructor cant initialize the operatorStore due to state of operatorstore was missing
Proof of Concept https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBController.sol#L369
Tool Used Manual review
Recommendation Mitigation Steps Add owner and operatorStore state and make it immutable in public immutable stored properties
#6 Missing msg.value = 0 Impact cant save gas due to missing msg.value==0 in constructor
Tool Used Manual review
Recommendation Mitigation Steps add require(msg.value==0, msg.value must be 0)
#7 Must be external Impact Public functions that are never called by the contract should be declared external to make cheaper gas.
Proof of Concept https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBETHPaymentTerminal.sol#L75
Tool Used Manual Review
Recommendation Mitigation Steps change visibility internal to external
#8 Missing emit Impact Off-chain tools will not work as expected.
Tool Used Manual Review
Recommendation Mitigation Steps Add emit addToBalanceOf(_projectId, _amount, token, !isFeelessAddress[msg.sender], _memo, _metadata);
#0 - drgorillamd
2022-08-18T09:17:42Z
All the findings are incorrect:
🌟 Selected for report: 0xA5DF
Also found by: 0v3rf10w, 0x09GTO, 0x1f8b, 0x29A, 0xDjango, 0xKitsune, 0xNazgul, 0xdanial, 0xf15ers, Aymen0909, Bnke0x0, Ch_301, Cheeezzyyyy, Chom, ElKu, Funen, Hawkeye, IllIllI, JC, JohnSmith, Kaiziron, Lambda, Limbooo, Meera, Metatron, MiloTruck, Noah3o6, Picodes, Randyyy, RedOneN, ReyAdmirado, Rohan16, Saintcode_, Sm4rty, TomJ, Tomio, Tutturu, UnusualTurtle, Waze, _Adam, __141345__, ajtra, apostle0x01, asutorufos, brgltd, c3phas, cRat1st0s, codexploder, defsec, delfin454000, djxploit, durianSausage, exd0tpy, fatherOfBlocks, hake, horsefacts, ignacio, jayfromthe13th, joestakey, jonatascm, kaden, kebabsec, m_Rassska, mektigboy, mrpathfindr, oyc_109, rajatbeladiya, rbserver, rfa, robee, sach1r0, sashik_eth, simon135
38.2406 USDC - $38.24
#1 Use Calldata instead memory
In the external functions where the function argument is read-only, the function() has an inputed parameter that using memory, if this function didnt change the parameter, its cheaper to use calldata then memory. so we suggest to change it.
#2 Use storage instead memory
Use storage instead of memory to reduce the gas fee. i suggest change from
JBFundingCycle memory _fundingCycle;
to
JBFundingCycle storage _fundingCycle;
apply to others.
#3 Looping
default uint is 0 so remove unnecassary explicit can reduce gas. caching the array length can reduce gas it caused access to a local variable is more cheap than query storage / calldata / memory in solidity. pre increment e.g ++i more cheaper gas than post increment e.g i++. i suggest to use pre increment.
#4 Default uint
the default value of uint is 0, so remove unnecassary explicit code initializations for default values e.g uint i = 0; to uint i;.
#5 Caching _terminals.length
caching _terminals.length to memory because use multiple times can reduce the gas. add some code like
if (_terminals.length > 1) for (uint256 _i; _i < _terminals.length; _i++) for (uint256 _j = _i + 1; _j < _terminals.length; _j++)
to
uint256 terminalsLength = _terminals.length; if (terminalsLength > 1) for (uint256 _i; _i < terminalsLength; _i++) for (uint256 _j = _i + 1; _j < terminalsLength; _j++)
#6 Use !=0 instead >0
for unsigned integer, >0 is less efficient then !=0, so use !=0 instead of >0. apply to others
#7 Caching ierc20(token)
caching IERC20(token) to memory because use multiple times can reduce the gas. add some code like #5
#8 Cache (_name).length
caching (_name).length) to memory because mload more cheaper than sload. it can reduce the gas
#9 Cache (_symbol).length
caching (_symbol).length) to memory because mload more cheaper than sload. it can reduce the gas
#10 cache _totalEligibleTokens
caching _totalEligibleTokens to memory because use multiple times can reduce the gas. add some code like #5