Platform: Code4rena
Start Date: 06/09/2022
Pot Size: $90,000 USDC
Total HM: 33
Participants: 168
Period: 9 days
Judge: GalloDaSballo
Total Solo HM: 10
Id: 157
League: ETH
Rank: 129/168
Findings: 1
Award: $60.77
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Lambda
Also found by: 0x1337, 0x1f8b, 0x4non, 0x85102, 0xA5DF, 0xNazgul, 0xSmartContract, 0xbepresent, 0xc0ffEE, 8olidity, Aymen0909, B2, Bnke0x0, CRYP70, Captainkay, CertoraInc, Ch_301, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, DimitarDimitrov, ElKu, EthLedger, Franfran, Funen, GimelSec, JansenC, Jeiwan, Jujic, Lead_Belly, MEP, MasterCookie, MiloTruck, Noah3o6, PPrieditis, PaludoX0, Picodes, PwnPatrol, R2, Randyyy, RaymondFam, Respx, ReyAdmirado, Rolezn, Samatak, Tointer, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ak1, asutorufos, azephiar, ballx, bharg4v, bin2chen, bobirichman, brgltd, bulej93, c3phas, cccz, ch0bu, cloudjunky, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, davidbrai, delfin454000, dharma09, dic0de, dipp, djxploit, eierina, erictee, fatherOfBlocks, gogo, hansfriese, hyh, imare, indijanc, izhuer, jonatascm, ladboy233, leosathya, lucacez, lukris02, m9800, martin, minhtrng, ne0n, neumo, oyc_109, p_crypt0, pashov, pauliax, pcarranzav, pedr02b2, peritoflores, pfapostol, rbserver, ret2basic, robee, rvierdiiev, sach1r0, sahar, scaraven, sikorico, simon135, slowmoses, sorrynotsorry, tnevler, tonisives, volky, yixxas, zkhorse, zzzitron
60.7742 USDC - $60.77
Calls inside a loop might lead to a denial-of-service attack.
Treasury.execute(address[],uint256[],bytes[],bytes32) (src/governance/treasury/Treasury.sol#141-172) has external calls inside a loop:
  (success) = _targets[i].call{value: _values[i]}(_calldatas[i]) (src/governance/treasury/Treasury.sol#164)
Token._mint(address,uint256) (src/token/Token.sol#167-173) has external calls inside a loop:
  ! settings.metadataRenderer.onMinted(_tokenId) (src/token/Token.sol#172)
Manager.constructor(address,address,address,address,address)._auctionImpl (src/manager/Manager.sol#58) lacks a zero-check on :
- auctionImpl = _auctionImpl (src/manager/Manager.sol#64)
Manager.constructor(address,address,address,address,address)._treasuryImpl (src/manager/Manager.sol#59) lacks a zero-check on :
- treasuryImpl = _treasuryImpl (src/manager/Manager.sol#65)
Manager.constructor(address,address,address,address,address)._governorImpl (src/manager/Manager.sol#60) lacks a zero-check on :
- governorImpl = _governorImpl (src/manager/Manager.sol#66)
Reentrancy in Manager.deploy(IManager.FounderParams[],IManager.TokenParams,IManager.AuctionParams,IManager.GovParams) (src/manager/Manager.sol#97-147):
External calls:
- token = address(new ERC1967Proxy(tokenImpl,)) (src/manager/Manager.sol#120)
- metadata = address(new ERC1967Proxy(metadataImpl,)) (src/manager/Manager.sol#126)
- auction = address(new ERC1967Proxy(auctionImpl,)) (src/manager/Manager.sol#127)
- treasury = address(new ERC1967Proxy(treasuryImpl,)) (src/manager/Manager.sol#128)
- governor = address(new ERC1967Proxy(governorImpl,)) (src/manager/Manager.sol#129)
- IToken(token).initialize(_founderParams,_tokenParams.initStrings,metadata,auction) (src/manager/Manager.sol#132)
- IBaseMetadata(metadata).initialize(_tokenParams.initStrings,token,founder,treasury) (src/manager/Manager.sol#133)
- IAuction(auction).initialize(token,founder,treasury,_auctionParams.duration,_auctionParams.reservePrice) (src/manager/Manager.sol#134)
- ITreasury(treasury).initialize(governor,_govParams.timelockDelay) (src/manager/Manager.sol#135)
- IGovernor(governor).initialize(treasury,token,founder,_govParams.votingDelay,_govParams.votingPeriod,_govParams.proposalThresholdBps,_govParams.quorumThresholdBps) (src/manager/Manager.sol#136-144)
Event emitted after the call(s):
- DAODeployed(token,metadata,auction,treasury,governor) (src/manager/Manager.sol#146)
Dangerous usage of block.timestamp. block.timestamp can be manipulated by miners.
Treasury.isExpired(bytes32) (src/governance/treasury/Treasury.sol#74-78) uses timestamp for comparisons
Dangerous comparisons:
- block.timestamp > (timestamps[_proposalId] + settings.gracePeriod) (src/governance/treasury/Treasury.sol#76)
Treasury.isQueued(bytes32) (src/governance/treasury/Treasury.sol#82-84) uses timestamp for comparisons
Dangerous comparisons:
- timestamps[_proposalId] != 0 (src/governance/treasury/Treasury.sol#83)
(success) = _targets[i].call{value: _values[i]}(_calldatas[i]) (src/governance/treasury/Treasury.sol#164)
Parameter Token.tokenURI(uint256)._tokenId (src/token/Token.sol#221) is not in mixedCase
Parameter Token.getFounder(uint256)._founderId (src/token/Token.sol#246) is not in mixedCase
Parameter Token.getScheduledRecipient(uint256)._tokenId (src/token/Token.sol#270) is not in mixedCase
onERC721Received(address,address,uint256,bytes) should be declared external:
- Treasury.onERC721Received(address,address,uint256,bytes) (src/governance/treasury/Treasury.sol#237-244)
onERC1155Received(address,address,uint256,uint256,bytes) should be declared external:
- Treasury.onERC1155Received(address,address,uint256,uint256,bytes) (src/governance/treasury/Treasury.sol#247-255)
onERC1155BatchReceived(address,address,uint256[],uint256[],bytes) should be declared external:
#0 - GalloDaSballo
2022-09-26T21:04:45Z
0 address -> 1 L
rest is invalid