Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 98/111
Findings: 1
Award: $15.92
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: bin2chen
Also found by: 0x11singh99, 0xWaitress, 0xbepresent, ABAIKUNANBAEV, ArmedGoose, Bauchibred, DadeKuma, GREY-HAWK-REACH, GalloDaSballo, Inspecktor, Jeiwan, Kaysoft, MohammedRizwan, Rolezn, Vagner, alexzoid, alymurtazamemon, ayden, banpaleo5, catellatech, dacian, erebus, eyexploit, fatherOfBlocks, grearlake, joaovwfreire, keccak123, kutugu, lanrebayode77, markus_ether, nadin, naman1778, rvierdiiev, squeaky_cactus, volodya, yixxas
15.9228 USDC - $15.92
An import statement is present in the source file, but the imported file is not used:
import { LiquidationPair } from "v5-liquidator/LiquidationPair.sol";
import { toWadUnsafe, unsafeWadDiv } from "solmate/utils/SignedWadMath.sol";
import { toSD59x18, fromSD59x18 } from "prb-math/SD59x18.sol";
import { UD2x18, intoUD60x18 } from "prb-math/UD2x18.sol";
import { SD1x18, unwrap, UNIT } from "prb-math/SD1x18.sol";
import { toUD34x4 } from "../libraries/UD34x4.sol";
import { fromUD60x18 } from "prb-math/UD60x18.sol";
import { uMAX_UD60x18 } from "prb-math/UD60x18.sol";
import { toSD59x18, fromSD59x18 } from "prb-math/SD59x18.sol";
import { UD60x18, intoSD59x18 } from "prb-math/UD60x18.sol";
import { fromUD60x18 as fromUD60x18toUD34x4, intoUD60x18 as fromUD34x4toUD60x18, toUD34x4 } from "./libraries/UD34x4.sol";
To optimize the code and avoid redundancy, remove the unnecessary import.
The _minimumFee and _maximumFee parameters of the constructor() function at https://github.com/GenerationSoftware/pt-v5-claimer/blob/57a381aef690a27c9198f4340747155a71cae753/src/Claimer.sol#L47-L49 do not have any checks. Add a check that _maximumFee is greater than or equal to _minimumFee. For example:
require(_maximumFee >= _minimumFee, "Invalid max fee");
Consider adding these checks to ensure that input parameters are within the expected range.
allVaults array
In the VaultFactory contract, the allVaults variable serves to store the addresses of all vaults deployed by this factory. While the totalVaults() function allows external contracts to know the total count of these vaults, it does not provide direct access to their addresses.
To provide an interface for accessing all vault addresses, we suggest adding a getter function for the allVaults array. This function can return the entire list of vaults, enabling other contracts to interact with this data:
function getAllVaults() external view returns (Vault[] memory) { return allVaults; }
Missing documentation for _isCanaryTier() function at line https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/abstract/TieredLiquidityDistributor.sol#L604
function _isCanaryTier(uint8 _tier, uint8 _numberOfTiers) internal pure returns (bool) {
_checkValidTier() function at line https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L753
Missing documentation for parameters in contributePrizeTokens() function at line https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L311
getTotalContributedBetween(), getContributedBetween(), getTierAccrualDurationInDraws() functions at lines https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L518-L554
_prizeIndex parameter in isWinner() at line https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L660
_prizeIndex, _vaultPortion, _tierOdds, _drawDuration parameters in _isWinner() at line https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L842
#0 - c4-judge
2023-07-18T19:11:56Z
Picodes marked the issue as grade-b
#1 - PierrickGT
2023-08-18T23:50:06Z
Fixed the various issues in these PRs: https://github.com/GenerationSoftware/pt-v5-prize-pool/pull/41 https://github.com/GenerationSoftware/pt-v5-claimer/pull/11 https://github.com/GenerationSoftware/pt-v5-vault/pull/30
01 - Some imports were already removed.
02 - Has already been fixed.
03 - allVaults is a public function, so even without a getter function, Vault addresses are retrievable.
04 - Fixed
05 - Fixed
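The trade-off behind item 03, as an added example that is not code from the contest repositories: assuming allVaults is declared public as the sponsor's reply indicates, the compiler-generated getter returns one element per index, so a caller combines it with totalVaults() and reads the list in bounded pages instead of copying an unbounded array in one call. VaultFactoryLike, addVault, VaultLister and listVaults are hypothetical names, and address[] stands in for the report's Vault[].

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical stand-in for the factory: only the two members named in the report.
contract VaultFactoryLike {
    // `public` makes the compiler emit allVaults(uint256) returning a single entry,
    // not a getter that returns the whole array.
    address[] public allVaults;

    // Illustrative helper to populate the list; not the real deployment path.
    function addVault(address vault) external {
        allVaults.push(vault);
    }

    function totalVaults() external view returns (uint256) {
        return allVaults.length;
    }
}

// Hypothetical reader that enumerates vaults through the existing getters.
contract VaultLister {
    // Returns up to `limit` vault addresses starting at index `start`.
    // Bounding the page keeps gas predictable however large the list grows.
    function listVaults(VaultFactoryLike factory, uint256 start, uint256 limit)
        external
        view
        returns (address[] memory page)
    {
        uint256 total = factory.totalVaults();
        if (start >= total) {
            return new address[](0); // past the end: empty page, no revert
        }

        // Clamp without computing start + limit, which could overflow and revert.
        uint256 remaining = total - start;
        if (limit > remaining) {
            limit = remaining;
        }

        page = new address[](limit);
        for (uint256 i = 0; i < limit; ++i) {
            page[i] = factory.allVaults(start + i);
        }
    }
}
```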