Platform: Code4rena
Start Date: 26/07/2022
Pot Size: $75,000 USDC
Total HM: 29
Participants: 179
Period: 6 days
Judge: LSDan
Total Solo HM: 6
Id: 148
League: ETH
Rank: 73/179
Findings: 2
Award: $139.18
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: codexploder
Also found by: 0x1f8b, 0xNineDec, 0xsanson, RustyRabbit, Treasure-Seeker, berndartmueller, chatch, teddav
104.014 USDC - $104.01
Judge has assessed an item in Issue #964 as Medium risk. The relevant finding follows:
Non-critical: EIP712 signatures on GolomTrader could be replayed in case of blockchain forks
The chainId is burnt into EIP712_DOMAIN_TYPEHASH rather than checked each time. This means that signatures could be replayed on a forked chain.
See how OpenZeppelin handles this case with _domainSeparatorV4, which is actually being used by GolomToken.sol via ERC20Votes.
#0 - dmvt
2022-10-21T13:55:41Z
Duplicate of #391
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0x52, 0xA5DF, 0xDjango, 0xLovesleep, 0xNazgul, 0xNineDec, 0xSmartContract, 0xackermann, 0xc0ffEE, 0xf15ers, 0xmatt, 0xsanson, 0xsolstars, 8olidity, AuditsAreUS, Bahurum, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chom, CryptoMartian, Deivitto, DevABDee, Dravee, ElKu, Franfran, Funen, GalloDaSballo, GimelSec, GiveMeTestEther, Green, JC, Jmaxmanblue, JohnSmith, Jujic, Junnon, Kenshin, Krow10, Kumpa, Lambda, MEP, Maxime, MiloTruck, Mohandes, NoamYakov, Picodes, RedOneN, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, Soosh, StErMi, StyxRave, Tadashi, TomJ, Treasure-Seeker, TrungOre, Waze, _Adam, __141345__, ajtra, ak1, apostle0x01, arcoun, asutorufos, async, benbaessler, berndartmueller, bin2chen, brgltd, c3phas, cRat1st0s, carlitox477, chatch, codetilda, codexploder, cryptonue, cryptphi, csanuragjain, cthulhu_cult, delfin454000, dipp, dirk_y, djxploit, ellahi, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, horsefacts, hyh, idkwhatimdoing, indijanc, jayfromthe13th, jayphbee, joestakey, kenzo, kyteg, lucacez, luckypanda, mics, minhquanym, obront, oyc_109, pedr02b2, rajatbeladiya, rbserver, reassor, robee, rokinot, rotcivegaf, sach1r0, saian, saneryee, sashik_eth, scaraven, shenwilly, simon135, sseefried, supernova, teddav, ych18, zuhaibmohd, zzzitron
35.1687 USDC - $35.17
In GolomTrader.payEther - https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L154
transfer is not recommended due to the possibility of gas prices changing in future.
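To make the payEther point concrete, here is an added illustration (not Golom's code) of a hypothetical PayEtherExample contract showing the transfer pattern the finding objects to next to the low-level call pattern that replaces it. Because call forwards all remaining gas to the recipient, the example pairs it with a reentrancy guard:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.11;

/// Added illustration for the payEther finding; hypothetical contract, not Golom's code.
contract PayEtherExample {
    // Minimal reentrancy guard: .call hands control (and all remaining gas) to the
    // recipient, so external payout paths must not be re-enterable.
    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "reentrant");
        _locked = 2;
        _;
        _locked = 1;
    }

    /// Before: transfer() forwards a fixed 2300 gas stipend. Any recipient whose
    /// receive()/fallback needs more (a multisig, a proxy, anything that writes
    /// storage) makes the whole payout revert, and the stipend itself stops being
    /// sufficient if opcode gas costs are changed in a future fork.
    function payEtherWithTransfer(address payable to, uint256 amount) internal {
        to.transfer(amount);
    }

    /// After: a low-level call forwards all gas and reports success explicitly.
    /// The boolean must be checked, otherwise a failed send is silently swallowed.
    function payEtherWithCall(address payable to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }

    /// Example entry point: the guard stops a malicious recipient from re-entering
    /// settle() while the two payouts are in flight.
    function settle(address payable seller, address payable feeRecipient, uint256 fee)
        external
        payable
        nonReentrant
    {
        require(msg.value > fee, "fee exceeds payment");
        payEtherWithCall(feeRecipient, fee);
        payEtherWithCall(seller, msg.value - fee);
    }
}
```

The guard is the price of the fix: transfer's 2300-gas stipend was acting as an accidental reentrancy protection, so switching to call without one trades a liveness problem for a reentrancy one.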
Removing this will save on deployment gas.
Consider using the hardhat plugin https://www.npmjs.com/package/hardhat-log-remover which helps to strip these out.
Consider checking that _distributor has bytecode by using OpenZeppelin's Address.isContract
Consider using a @return natspec comment for each of the return variables.
Also, adding a name for each under returns instead of just the types will increase code readability.
Fixing the version at 0.8.11 will ensure that the testing AND deployment are both done with 0.8.11. It will also be consistent with most of the other contracts in the repository.
Implementing supportsInterface will improve user experience as wallets, block explorers, indexers etc. can see and show the contract implements ERC20 and ERC2612 (and ERC165 itself).
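As an added example of the supportsInterface recommendation (not GolomToken's code), the hypothetical TokenWithIntrospection below advertises ERC20, ERC2612 and ERC165 itself. It assumes OpenZeppelin Contracts 4.x, where the permit extension lives at draft-ERC20Permit.sol and IERC20Permit declares exactly the three ERC2612 functions (permit, nonces, DOMAIN_SEPARATOR):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.11;

// Assumes OpenZeppelin Contracts 4.x import paths.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/draft-ERC20Permit.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/draft-IERC20Permit.sol";
import "@openzeppelin/contracts/utils/introspection/IERC165.sol";

/// Hypothetical token showing ERC165 introspection for ERC20, ERC2612 (permit) and
/// ERC165 itself. Added illustration; not GolomToken's code.
contract TokenWithIntrospection is ERC20Permit, IERC165 {
    constructor() ERC20("Example", "EX") ERC20Permit("Example") {}

    /// @notice ERC165 introspection.
    /// @dev `type(I).interfaceId` is the XOR of every function selector in I, so the
    /// identifiers are computed by the compiler rather than hard-coded; the values in
    /// the comments are the well-known results.
    /// @param interfaceId The 4-byte interface identifier being queried.
    /// @return supported True if this contract implements `interfaceId`.
    function supportsInterface(bytes4 interfaceId)
        public
        view
        virtual
        override
        returns (bool supported)
    {
        return
            interfaceId == type(IERC165).interfaceId ||      // 0x01ffc9a7
            interfaceId == type(IERC20).interfaceId ||       // 0x36372b07
            interfaceId == type(IERC20Permit).interfaceId;   // ERC2612: permit, nonces, DOMAIN_SEPARATOR
    }
}
```

Wallets and indexers call supportsInterface(0x01ffc9a7) first to learn that introspection is available, then probe the token and permit identifiers; a token without ERC165 cannot answer the first question and is treated as opaque.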
The chainId is burnt into EIP712_DOMAIN_TYPEHASH rather than checked each time. This means that signatures could be replayed on a forked chain.
See how OpenZeppelin handles this case with _domainSeparatorV4, which is actually being used by GolomToken.sol via ERC20Votes.
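The fork-replay issue raised both in the Medium finding above and in this QA item comes down to when block.chainid is read. The hypothetical ForkSafeEIP712 contract below is an added illustration (not GolomTrader's code) that keeps both patterns side by side: a domain separator frozen at deployment, and the cached-but-revalidated separator that mirrors OpenZeppelin's _domainSeparatorV4. The Order struct, name and version are assumptions made for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.11;

/// Hypothetical exchange-style contract; added illustration, not GolomTrader's code.
contract ForkSafeEIP712 {
    bytes32 private constant EIP712_DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
    bytes32 private constant NAME_HASH = keccak256("ExampleTrader"); // assumed name
    bytes32 private constant VERSION_HASH = keccak256("1");          // assumed version

    /// Weak pattern (the finding): chainId is folded into the separator once, at
    /// deployment. After a chain split both forks keep accepting the same signatures.
    bytes32 public immutable DOMAIN_SEPARATOR_AT_DEPLOY;

    // Hardened pattern: remember which chain the cached separator was built for.
    uint256 private immutable _cachedChainId;
    bytes32 private immutable _cachedDomainSeparator;

    // Illustrative order type; the real field set is an assumption.
    bytes32 private constant ORDER_TYPEHASH =
        keccak256("Order(address maker,uint256 price,uint256 nonce)");

    constructor() {
        // Build once into a local: immutables cannot be read during construction.
        bytes32 separator = _buildDomainSeparator(block.chainid);
        _cachedChainId = block.chainid;
        _cachedDomainSeparator = separator;
        DOMAIN_SEPARATOR_AT_DEPLOY = separator;
    }

    function _buildDomainSeparator(uint256 chainId) private view returns (bytes32) {
        return keccak256(
            abi.encode(EIP712_DOMAIN_TYPEHASH, NAME_HASH, VERSION_HASH, chainId, address(this))
        );
    }

    /// Mirrors OpenZeppelin's _domainSeparatorV4: a cheap cached read on the original
    /// chain, recomputed from the live block.chainid on any fork, so a signature bound
    /// to one chainId fails verification on the other.
    function domainSeparator() public view returns (bytes32) {
        if (block.chainid == _cachedChainId) {
            return _cachedDomainSeparator;
        }
        return _buildDomainSeparator(block.chainid);
    }

    /// EIP712 digest: "\x19\x01" || domainSeparator || hashStruct(order).
    function orderDigest(address maker, uint256 price, uint256 nonce) public view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(ORDER_TYPEHASH, maker, price, nonce));
        return keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
    }

    /// Recovers the signer and checks it is the maker. ecrecover yields address(0) for
    /// an invalid signature, which the comparison rejects; the s-value bound rejects the
    /// second, malleable encoding of an otherwise valid signature.
    function verifyOrder(address maker, uint256 price, uint256 nonce, uint8 v, bytes32 r, bytes32 s)
        public
        view
        returns (bool)
    {
        require(
            uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
            "bad s"
        );
        address signer = ecrecover(orderDigest(maker, price, nonce), v, r, s);
        return signer != address(0) && signer == maker;
    }
}
```

On the original chain domainSeparator() costs one immutable read, exactly like the frozen version; only on a fork, where block.chainid no longer matches, does it pay for the recomputation, and that is precisely the case in which a signature issued for the other branch must stop verifying.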
No events are emitted for the following significant actions in GolomToken: mintAirdrop, mintGenesisReward, setMinter, executeSetMinter.
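Three of the QA items above (the Address.isContract check on _distributor, the @return natspec for named return values, and events for setMinter / executeSetMinter) fit naturally in one place. The hypothetical MinterAdminExample below is an added illustration, not GolomToken's code; the two-step setMinter / executeSetMinter flow with a one-day timelock, the _distributor-style contract check applied to the minter, and the OpenZeppelin Contracts 4.x import paths are all assumptions made for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.11;

// Assumes OpenZeppelin Contracts 4.x (Ownable without constructor arguments).
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/utils/Address.sol";

/// Hypothetical minter-administration contract; added illustration, not GolomToken's code.
contract MinterAdminExample is Ownable {
    address public minter;
    address public pendingMinter;
    uint256 public minterChangeReadyAt;
    uint256 public constant TIMELOCK = 1 days; // assumed delay

    /// Each privileged state change emits an event so indexers and monitoring can see
    /// it; without events these actions leave no trace beyond a storage diff.
    event MinterProposed(address indexed proposedMinter, uint256 readyAt);
    event MinterChanged(address indexed previousMinter, address indexed newMinter);

    /// @notice Propose a new minter; takes effect after TIMELOCK via executeSetMinter.
    /// @param newMinter Contract that will be allowed to mint.
    function setMinter(address newMinter) external onlyOwner {
        // Address.isContract rejects an EOA or a mistyped address, which would
        // otherwise silently disable minting. It returns false while the target is
        // still in its own constructor, so the minter must already be deployed.
        require(Address.isContract(newMinter), "minter must be a contract");
        pendingMinter = newMinter;
        minterChangeReadyAt = block.timestamp + TIMELOCK;
        emit MinterProposed(newMinter, minterChangeReadyAt);
    }

    /// @notice Finalise the pending minter change once the timelock has elapsed.
    /// @return previousMinter The minter that was replaced.
    /// @return newMinter The minter now in force.
    function executeSetMinter()
        external
        onlyOwner
        returns (address previousMinter, address newMinter)
    {
        require(pendingMinter != address(0), "nothing pending");
        require(block.timestamp >= minterChangeReadyAt, "timelock active");
        previousMinter = minter;
        newMinter = pendingMinter;
        minter = newMinter;
        pendingMinter = address(0);
        emit MinterChanged(previousMinter, newMinter);
    }
}
```

The named return values double as documentation in generated ABIs and let the @return tags describe each one individually, which is the readability gain the natspec item is after.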
/// [MIT License]
The BSD-3-Clause license in Compound has been changed to an MIT license; however, the BSD license should be retained. Additionally, BSD requires that the copyright notice be retained. In the case of Compound this is Copyright 2020 Compound Labs, Inc., and it is defined in the LICENSE file in the root of the repository: https://github.com/compound-finance/compound-protocol/blob/master/LICENSE