Holograph contest - chrisdior4's results

Omnichain protocol for deploying, minting, & bridging NFTs between blockchains.

General Information

Platform: Code4rena

Start Date: 18/10/2022

Pot Size: $75,000 USDC

Total HM: 27

Participants: 144

Period: 7 days

Judge: gzeon

Total Solo HM: 13

Id: 170

League: ETH

Holograph

Researcher Performance

Rank: 118/144

Findings: 2

Award: $0.00

QA: grade-c

Gas: grade-c

🌟 Selected for report: 0

🚀 Solo Findings: 0

Missing events

Events are missing even though these functions change state; best practice is to record such state changes by emitting an event so they can be indexed and monitored off-chain.

File: HolographGenesis.sol

1. function deploy(
     uint256 chainId,
     bytes12 saltHash,
     bytes memory sourceCode,
     bytes memory initCode
   ) external onlyDeployer {
     require(chainId == block.chainid, "HOLOGRAPH: incorrect chain id");
     bytes32 salt = bytes32(abi.encodePacked(msg.sender, saltHash));
     address contractAddress = address(
       uint160(uint256(keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, keccak256(sourceCode)))))
     );
     require(!_isContract(contractAddress), "HOLOGRAPH: already deployed");
     assembly {
       contractAddress := create2(0, add(sourceCode, 0x20), mload(sourceCode), salt)
     }
     require(_isContract(contractAddress), "HOLOGRAPH: deployment failed");
     require(
       InitializableInterface(contractAddress).init(initCode) == InitializableInterface.init.selector,
       "HOLOGRAPH: initialization failed"
     );
   }

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographGenesis.sol#L124

========================================

2. function approveDeployer(address newDeployer, bool approve) external onlyDeployer {
     _approvedDeployers[newDeployer] = approve;
   }

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographGenesis.sol#L146
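As an added illustration (not Holograph's code, and with assumed contract, event and error-string names), a stripped-down genesis-style deployer in the shape of the two functions above that emits an event for each state change, so deployer approvals and deployments can be indexed and monitored off-chain; the init call on the deployed contract is omitted:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not Holograph's code: a stripped-down genesis-style
// deployer that emits an event for each of the two state changes above.
contract EventedGenesis {
  // Indexed fields let an off-chain monitor filter by deployer or deployed address.
  event DeployerApproved(address indexed deployer, bool approved, address indexed approvedBy);
  event Deployed(address indexed contractAddress, uint256 indexed chainId, address indexed deployer, bytes32 salt);

  mapping(address => bool) private _approvedDeployers;

  constructor() {
    _approvedDeployers[msg.sender] = true;
    emit DeployerApproved(msg.sender, true, msg.sender);
  }

  modifier onlyDeployer() {
    require(_approvedDeployers[msg.sender], "GENESIS: not a deployer");
    _;
  }

  function approveDeployer(address newDeployer, bool approve) external onlyDeployer {
    _approvedDeployers[newDeployer] = approve;
    // The change is now visible in the event log, not only by reading storage.
    emit DeployerApproved(newDeployer, approve, msg.sender);
  }

  // init(initCode) from the original is omitted; only the deployment itself is shown.
  function deploy(uint256 chainId, bytes12 saltHash, bytes memory sourceCode)
    external
    onlyDeployer
    returns (address contractAddress)
  {
    require(chainId == block.chainid, "GENESIS: incorrect chain id");
    // Salt = caller address (20 bytes) ++ caller-chosen 12-byte hash, as in the original.
    bytes32 salt = bytes32(abi.encodePacked(msg.sender, saltHash));
    assembly {
      contractAddress := create2(0, add(sourceCode, 0x20), mload(sourceCode), salt)
    }
    require(contractAddress != address(0), "GENESIS: deployment failed");
    emit Deployed(contractAddress, chainId, msg.sender, salt);
  }
}
```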

Code Style: constants should be named in all caps

Here are some examples where the code style does not follow best practice:

File: HolographBridge.sol

1. bytes32 constant _factorySlot = 0xa49f20855ba576e09d13c8041c8039fa655356ea27f6c40f1ec46a4301cd5b23;

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographBridge.sol#L126

   Consider renaming it to FACTORY_SLOT.

File: HolographTreasury.sol

2. bytes32 constant _holographSlot = 0xb4107f746e9496e8452accc7de63d1c5e14c19f510932daa04077cd49e8bd77a;

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographTreasury.sol#L133

   Consider renaming it to HOLOGRAPH_SLOT.

Conditions should be inclusive

Conditions should use >= or <= instead of only < or >; otherwise, these functions will fail.

File: HolographBridge.sol

1. if (gasPrice < type(uint256).max && gasLimit < type(uint256).max) {

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographBridge.sol#L381

Consider changing it to:

1. if (gasPrice <= type(uint256).max && gasLimit <= type(uint256).max) {

<x> += <y> COSTS MORE GAS THAN <x> = <x> + <y> FOR STATE VARIABLES

Using the addition operator instead of plus-equals saves 113 gas

File: HolographFactory.sol

1. v += 27;

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographFactory.sol#L328

The same change applies to every other instance of this finding. For the first instance, it would be:

1. v = v + 27;

File: HolographOperator.sol

2. _bondedAmounts[job.operator] -= amount;

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L378

3. position -= threshold;

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L1175

4. _bondedAmounts[msg.sender] += amount;

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L382

5. _bondedAmounts[operator] += amount;

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L834

6. current += (current / _operatorThresholdDivisor) * (position / _operatorThresholdStep);

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L1177

INCREMENTS/DECREMENTS CAN BE UNCHECKED IN FOR-LOOPS

In Solidity 0.8+, there’s a default overflow check on unsigned integers. It’s possible to uncheck this in for-loops and save some gas at each iteration, but at the cost of some code readability, as this uncheck cannot be made inline.

Consider wrapping with an unchecked block here (around 25 gas saved per instance):

File: HolographInterfaces.sol

1. for (uint256 i = 0; i < uriTypes.length; i++) {

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographInterfaces.sol#L235

The same change applies to every other instance of this finding. For the first instance, the loop would become:

   for (uint256 i; i < uriTypes.length; ) {
     // ...
     unchecked {
       ++i;
     }
   }

2. for (uint256 i = 0; i < length; i++) {

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographInterfaces.sol#L264

3. for (uint256 i = 0; i < interfaceIds.length; i++) {

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographInterfaces.sol#L286

File: HolographOperator.sol

4. for (uint256 i = 0; i < length; i++) {

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L781

5. for (uint256 i = _operatorPods.length; i <= pod; i++) {

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L871

File: HolographRegistry.sol

6. for (uint256 i = 0; i < reservedTypes.length; i++) {

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographRegistry.sol#L175

7. for (uint256 i = 0; i < length; i++) {

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographRegistry.sol#L255

8. for (uint256 i = 0; i < hashes.length; i++) {

   https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographRegistry.sol#L322

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
