Platform: Code4rena
Start Date: 27/10/2022
Pot Size: $33,500 USDC
Total HM: 8
Participants: 96
Period: 3 days
Judge: kirk-baird
Total Solo HM: 1
Id: 176
League: ETH
Rank: 74/96
Findings: 1
Award: $19.64
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: robee
Also found by: 0x007, 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 8olidity, Awesome, B2, Bnke0x0, Chom, Diana, Dravee, JTJabba, Jeiwan, Josiah, Lambda, Mathieu, Picodes, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Ruhum, Sm4rty, Tricko, Trust, Waze, __141345__, a12jmx, adriro, ajtra, brgltd, c3phas, carlitox477, cccz, ch0bu, chaduke, chrisdior4, corerouter, cryptonue, csanuragjain, ctf_sec, cylzxje, delfin454000, dic0de, djxploit, horsefacts, imare, jayphbee, jwood, ktg, ladboy233, leosathya, lukris02, minhtrng, neko_nyaa, oyc_109, pashov, peritoflores, rbserver, rvierdiiev, shark, tnevler, yixxas
19.6449 USDC - $19.64
Zero-amount token transfers can break createPledge() functionality
Some tokens will revert on transfers for zero amount. If a token with this behavior is used in WardenPledge, and protocolFeeRatio gets set to zero, calls to createPledge() will revert.
There's no validation preventing protocolFeeRatio from being set to zero.
https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L625-L631
If protocolFeeRatio gets set to zero, vars.feeAmount will be zero.
https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L328
The transfer on L335 will revert.
https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L335
Prevent protocolFeeRatio from receiving the value zero, or add a conditional so that IERC20(rewardToken).safeTransferFrom(creator, chestAddress, vars.feeAmount); is only called if vars.feeAmount is not zero.
If a variable gets configured with address zero and the value is not immediately reset, the project can behave unexpectedly.
https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L131-L143
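The two configuration issues above (a zero protocolFeeRatio reaching a zero-amount fee transfer, and an address-zero value accepted at setup) are illustrated below in a reduced contract. This is an added example, not the Paladin WardenPledge code: the constructor and setter signatures, the MAX_BPS denominator and the _collectFee helper are assumptions, and only the identifiers protocolFeeRatio, chestAddress, rewardToken, creator and feeAmount come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added illustration, not the Paladin WardenPledge contract. The constructor,
// the setter and the fee helper below are assumed shapes chosen to show the
// report's two recommendations side by side.
contract FeeGuardExample {
    using SafeERC20 for IERC20;

    uint256 public constant MAX_BPS = 10000; // assumed basis-point denominator
    uint256 public protocolFeeRatio;
    address public chestAddress;

    error ZeroAddress();
    error InvalidFeeRatio();

    constructor(address _chestAddress, uint256 _protocolFeeRatio) {
        // Reject address zero at configuration time rather than discovering
        // the misconfiguration later through failed transfers.
        if (_chestAddress == address(0)) revert ZeroAddress();
        // First recommendation: never let the ratio become zero (or exceed 100%).
        if (_protocolFeeRatio == 0 || _protocolFeeRatio > MAX_BPS) revert InvalidFeeRatio();
        chestAddress = _chestAddress;
        protocolFeeRatio = _protocolFeeRatio;
    }

    // Assumed owner-gated setter; the same bounds apply on every update.
    function updateProtocolFeeRatio(uint256 newRatio) external /* onlyOwner */ {
        if (newRatio == 0 || newRatio > MAX_BPS) revert InvalidFeeRatio();
        protocolFeeRatio = newRatio;
    }

    // Second recommendation: skip the fee transfer entirely when the computed
    // fee is zero, so a token that reverts on zero-amount transfers cannot
    // block this path even if the ratio were zero.
    function _collectFee(address rewardToken, address creator, uint256 totalRewardAmount)
        internal
        returns (uint256 feeAmount)
    {
        feeAmount = (totalRewardAmount * protocolFeeRatio) / MAX_BPS;
        if (feeAmount != 0) {
            IERC20(rewardToken).safeTransferFrom(creator, chestAddress, feeAmount);
        }
    }
}
```

The conditional in _collectFee is worth keeping even with the setter bounds in place: with a nonzero ratio, a small enough totalRewardAmount still rounds feeAmount down to zero, and the same zero-amount revert would apply.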
WardenPledge is using v0.8.10. Consider using the latest stable version of Solidity to ensure the compiler contains the latest security fixes.
https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L2
The functions createPledge(), extendPledge() and increasePledgeRewardPerVote() update state variables after external transfer calls. Consider updating the state variables before the external calls to follow the checks-effects-interactions pattern.
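The reordering the report asks for, shown as an added example that is not the Paladin code: the hypothetical increasePledgeRewards function appears once with the flagged ordering (external call, then state writes) and once following checks-effects-interactions. The Pledge struct, the mapping and the function name are assumptions reduced to what the point needs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added illustration of the ordering the report recommends; not the Paladin
// WardenPledge contract. Struct, mapping and function names are assumed.
contract PledgeOrderingExample {
    using SafeERC20 for IERC20;

    struct Pledge {
        address creator;
        address rewardToken;
        uint256 totalRewardAmount;
    }

    Pledge[] public pledges;
    mapping(uint256 => uint256) public pledgeAvailableRewardAmounts;

    // Ordering the report flags: the token is pulled first and the pledge
    // state is written afterwards. A token that hands control back to the
    // caller during transferFrom would observe `pledges` while it is stale.
    function increasePledgeRewardsBefore(uint256 pledgeId, uint256 addedRewardAmount) external {
        Pledge storage p = pledges[pledgeId];
        require(msg.sender == p.creator, "not creator");
        IERC20(p.rewardToken).safeTransferFrom(msg.sender, address(this), addedRewardAmount); // interaction first
        p.totalRewardAmount += addedRewardAmount;                                             // effects last
        pledgeAvailableRewardAmounts[pledgeId] += addedRewardAmount;
    }

    // Checks-effects-interactions: validate, write state, then call out.
    function increasePledgeRewardsAfter(uint256 pledgeId, uint256 addedRewardAmount) external {
        Pledge storage p = pledges[pledgeId];
        require(msg.sender == p.creator, "not creator");          // checks
        require(addedRewardAmount != 0, "zero amount");
        p.totalRewardAmount += addedRewardAmount;                  // effects
        pledgeAvailableRewardAmounts[pledgeId] += addedRewardAmount;
        IERC20(p.rewardToken).safeTransferFrom(msg.sender, address(this), addedRewardAmount); // interaction
    }
}
```

Writing the effects first does not risk recording rewards that never arrived: if safeTransferFrom reverts, the whole transaction reverts and the state updates are unwound with it. What changes is that any code reached from inside the token call already sees the updated accounting.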
The state variable minDelegationTime can be declared as a constant.
https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L79
The Solidity documentation recommends the following order for functions:
1. constructor
2. receive function (if exists)
3. fallback function (if exists)
4. external
5. public
6. internal
7. private
Consider adopting this ordering in the WardenPledge contract.
https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L181
https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L195
The Solidity documentation recommends a maximum line length of 120 characters. Consider wrapping lines at 120 characters or fewer to avoid overly long lines.
https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L234
#0 - c4-judge
2022-11-12T01:04:27Z
kirk-baird marked the issue as grade-b