Platform: Code4rena
Start Date: 04/01/2022
Pot Size: $25,000 USDC
Total HM: 3
Participants: 40
Period: 3 days
Judge: Ivo Georgiev
Total Solo HM: 1
Id: 75
League: ETH
Rank: 25/40
Findings: 2
Award: $55.31
Selected for report: 1
Solo Findings: 0
13.1525 USDC - $13.15
agusduha
There are some public functions that should be external to save gas
withdrawableOf: https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L156-L159
Change public functions to external functions
#0 - deluca-mike
2022-01-05T08:27:39Z
Good catch for withdrawableOf, we'll make it external. However, tokenURI cannot be made external since it's inherited from the standard ERC721 interface where it is defined as public, and thus cannot be overridden and changed. Slither doesn't take this into account.
#1 - deluca-mike
2022-01-09T10:27:20Z
Duplicate #6
Selected for report: agusduha
Also found by: 0xsanson, Czar102, Dravee, GiveMeTestEther, WatchPug, p4st13r4, saian, sirhashalot
4.7941 USDC - $4.79
agusduha
MAX_TOTAL_XDEFI_SUPPLY always has the same value and is used in only one place; it should be constant to optimize gas.
Variable declaration: https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L14
Variable utilization: https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L255
Manual analysis
Add the "constant" keyword to the storage variable declaration
#0 - deluca-mike
2022-01-05T08:42:38Z
Yup, good catch. However this variable is being removed anyway. Still valid though.
#1 - deluca-mike
2022-01-13T21:51:24Z
You can see in the release candidate contract that MAX_TOTAL_XDEFI_SUPPLY has been removed, and amount_ is no longer checked to be greater than zero or less than MAX_TOTAL_XDEFI_SUPPLY, but rather that the resulting units are sufficient: https://github.com/XDeFi-tech/xdefi-distribution/blob/v1.0.0-rc.0/contracts/XDEFIDistribution.sol#L333
37.3718 USDC - $37.37
agusduha
In the "setLockPeriods" function, there is a loop that depends on two arrays, but there is no check that their lengths are equal. This could cause the function to revert or produce unwanted results.
setLockPeriods: https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L77-L85
Manual analysis
Add a check for the arrays length to be equal
#0 - deluca-mike
2022-01-05T19:20:50Z
If there are more multipliers than durations, then the extra multipliers are ignored. If there are more durations than multipliers, then the function will revert anyway. Further, if the admin did make a mistake, they can just call the function again. This is no risk.
#1 - deluca-mike
2022-01-09T10:38:49Z
Duplicate #38
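The three recommendations above (external instead of public, a constant instead of a storage variable, and an explicit length check in setLockPeriods) shown together in one added illustration. This is not the XDEFIDistribution contract: the function and variable names are taken from the finding text, but the bodies, the mapping, the owner check, the multipliersOf view and the supply value are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4; // custom errors need 0.8.4+

// Added illustration, not the audited contract. Names follow the findings;
// storage layout, access control and the supply value are assumed.
contract LockPeriodsExample {
    // Finding: a value that never changes belongs in bytecode, not storage.
    // `constant` removes the SLOAD on every read. (The value here is made up;
    // the real contract dropped this variable in v1.0.0-rc.0.)
    uint256 public constant MAX_TOTAL_XDEFI_SUPPLY = 240_000_000e18;

    address public immutable owner;

    // lock duration in seconds => bonus multiplier (assumed representation)
    mapping(uint256 => uint256) public bonusMultiplierOf;

    error LengthMismatch(uint256 durations, uint256 multipliers);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "NOT_OWNER");
        _;
    }

    // The shape the finding describes: the loop is bounded by `durations_` but
    // indexes `multipliers_` at the same position, with no length check.
    //  - more multipliers than durations: the extras are silently ignored,
    //    so a misaligned call configures the wrong multipliers without failing;
    //  - more durations than multipliers: the out-of-bounds read reverts with
    //    a bare panic (0x32), which rolls the whole call back but gives the
    //    admin no indication of what went wrong.
    function setLockPeriodsUnchecked(
        uint256[] calldata durations_,
        uint256[] calldata multipliers_
    ) external onlyOwner {
        for (uint256 i; i < durations_.length; ++i) {
            bonusMultiplierOf[durations_[i]] = multipliers_[i];
        }
    }

    // Hardened form recommended by the finding: reject mismatched input up
    // front with a descriptive error, so neither silent truncation nor an
    // opaque panic can happen.
    function setLockPeriods(
        uint256[] calldata durations_,
        uint256[] calldata multipliers_
    ) external onlyOwner {
        if (durations_.length != multipliers_.length) {
            revert LengthMismatch(durations_.length, multipliers_.length);
        }
        for (uint256 i; i < durations_.length; ++i) {
            bonusMultiplierOf[durations_[i]] = multipliers_[i];
        }
    }

    // Finding: a function that is never called from inside the contract can be
    // `external`, which lets array arguments stay in calldata instead of being
    // copied to memory on entry (the saving is largest for array parameters).
    // `multipliersOf` is a hypothetical view used to show the calldata point.
    function multipliersOf(uint256[] calldata durations_)
        external
        view
        returns (uint256[] memory multipliers_)
    {
        multipliers_ = new uint256[](durations_.length);
        for (uint256 i; i < durations_.length; ++i) {
            multipliers_[i] = bonusMultiplierOf[durations_[i]];
        }
    }
}
```

Calling setLockPeriodsUnchecked([30 days, 90 days], [110, 125, 150]) succeeds and never writes the third multiplier, while setLockPeriods with the same arguments reverts with LengthMismatch(2, 3); the check costs a few gas per call and turns a configuration mistake that the sponsor comment says the admin would have to notice and redo into an immediate, legible failure.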