Platform: Code4rena
Start Date: 08/11/2022
Pot Size: $60,500 USDC
Total HM: 6
Participants: 72
Period: 5 days
Judge: Picodes
Total Solo HM: 2
Id: 178
League: ETH
Rank: 66/72
Findings: 1
Award: $36.34
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RaymondFam
Also found by: 0x1f8b, 0x52, 0xSmartContract, 0xc0ffEE, 0xhacksmithh, 8olidity, Awesome, BClabs, Bnke0x0, Chom, Deivitto, Hashlock, IllIllI, Josiah, KingNFT, Nyx, R2, ReyAdmirado, Rolezn, SamGMK, Sathish9098, SinceJuly, V_B, Vadis, Waze, a12jmx, adriro, ajtra, aphak5010, bearonbike, bin, brgltd, carlitox477, carrotsmuggler, cccz, ch0bu, chaduke, datapunk, delfin454000, erictee, fatherOfBlocks, fs0c, horsefacts, jayphbee, ktg, ladboy233, pashov, perseverancesuccess, rbserver, ret2basic, tnevler, zaskoh
36.3434 USDC - $36.34
| Risk | Title | File | Instances |
|---|---|---|---|
| L-00 | Children of OwnableTwoSteps should set delay | OwnableTwoSteps.sol | - |
| N-00 | Unlocked pragma | - | 11 |
| N-01 | Different compiler versions | - | 11 |
| N-02 | Event is missing indexed fields | - | 8 |
In the `OwnableTwoSteps` contract, function `_setupDelayForRenouncingOwnership`, it is stated that "This function is expected to be included in the constructor of the contract that inherits this contract.".
The `OwnableTwoSteps` contract is inherited by `TokenRescuer`, which in turn is inherited by `LooksRareProxy`, `SeaportProxy` and `LooksRareAggregator`.
None of the children calls the `_setupDelayForRenouncingOwnership` function in their constructor.
This means there is no timelock to renounce ownership.
It is considered best practice to use a locked Solidity version, thereby only allowing compilation with a specific version.
There are 11 instances of this.
Across the repository, there are 3 different pragmas used: `0.8.17`, `^0.8.14` and `^0.8.0`.
While all three can be compiled with the same Solidity version (0.8.17), it is best practice to use a single pragma consistently in all files.
So consider using `0.8.17` for all files.
There are 11 instances of files that use a different pragma:
Each event should use three indexed fields if it has three or more fields.
There are 8 instances of events that do not have 3 indexed fields.
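A static check for the L-00 gap described above, as an added example that is not part of the original report or the audited code base: it flags contracts that descend from `OwnableTwoSteps` when no constructor in their lineage calls `_setupDelayForRenouncingOwnership`. The sample sources are constructed and simplified; the `uint256` parameter, the `1 days` argument and `PatchedAggregator` are assumptions.

```python
import re

BASE, SETUP = "OwnableTwoSteps", "_setupDelayForRenouncingOwnership"
HEADER = re.compile(r"\bcontract\s+(\w+)\s*(?:is\s+([^{]+))?\{")

# Constructed, heavily simplified sources; not the audited repository's code.
# The uint256 parameter and the `1 days` value are assumptions.
SAMPLE = """
abstract contract OwnableTwoSteps { function _setupDelayForRenouncingOwnership(uint256 d) internal {} }
contract TokenRescuer is OwnableTwoSteps {}
contract LooksRareProxy is TokenRescuer { constructor(address m) {} }
contract SeaportProxy is TokenRescuer { constructor(address m) {} }
contract LooksRareAggregator is TokenRescuer {
    // _setupDelayForRenouncingOwnership(1 days);  commented out: must not count
}
contract PatchedAggregator is TokenRescuer {
    constructor() { _setupDelayForRenouncingOwnership(1 days); }
}
"""

def block_end(src, start):
    """Index of the '}' that closes the '{' at src[start]."""
    depth = 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return i
    raise ValueError("unbalanced braces")

def parse(src):
    """Map contract name -> (direct bases, constructor calls SETUP?)."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)  # drop comments
    out = {}
    for m in HEADER.finditer(src):
        body = src[m.end() - 1 : block_end(src, m.end() - 1)]
        bases = re.findall(r"(\w+)\s*(?:\([^)]*\))?\s*(?:,|$)", (m.group(2) or "").strip())
        ctor = re.search(r"\bconstructor\b[^{]*\{", body)
        ctor_body = body[ctor.end() - 1 : block_end(body, ctor.end() - 1)] if ctor else ""
        out[m.group(1)] = (bases, bool(re.search(rf"\b{SETUP}\s*\(", ctor_body)))
    return out

def missing_delay(src):
    """Descendants of BASE with no SETUP call in any constructor of their lineage."""
    cs = parse(src)
    def ancestors(n):  # transitive bases that are defined in the parsed sources
        return {a for b in cs[n][0] if b in cs for a in {b} | ancestors(b)}
    return sorted(n for n in cs if BASE in ancestors(n)
                  and not any(cs[a][1] for a in {n} | ancestors(n)))
```

A call in a parent's constructor counts for its children, since base constructors run on deployment; the regex parsing does not handle string literals that contain braces or comment markers.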
#0 - c4-judge
2022-11-21T19:50:27Z
Picodes marked the issue as grade-b
#1 - 0xhiroshi
2022-11-23T00:00:54Z
Addressed in other issues
#2 - 0xhiroshi
2022-11-23T10:22:53Z
Update: L-00 is valid, we are going to set up delay in LooksRareAggregator's constructor and we are going to remove TokenRescuer from all proxies, they are not required anymore as they are only being delegatecall into (We used to use call instead of delegatecall)
#3 - 0xhiroshi
2022-11-23T10:23:10Z
@0xJurassicPunk ☝️
#4 - c4-sponsor
2022-11-25T00:20:00Z
0xhiroshi requested judge review