Back to chunter's contests

PoolTogether TWAB Delegator contest - chunter's results

A protocol for no loss prize savings on Ethereum

General Information

Platform: Code4rena

Start Date: 22/02/2022

Pot Size: $30,000 USDC

Total HM: 1

Participants: 22

Period: 3 days

Judge: leastwood

Id: 93

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 11/22

Findings: 1

Award: $146.56

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPoolTogether

Findings Information

🌟 Selected for report: CertoraInc

Also found by: Dravee, Rhynorater, chunter, gzeon, jayjonah8, robee

Labels

bug
QA (Quality Assurance)
sponsor acknowledged

Awards

146.5595 USDC - $146.56

External Links

Link to GitHub issue

https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/TWABDelegator.sol#L583 require(_delegator == msg.sender || representatives[_delegator][msg.sender], "TWABDelegator/not-dlgr-or-rep");

  • removes unnecessary comparison to true for mapping (false is default)
  • moves string length to beneath 32 bytes (34->29)

https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/TWABDelegator.sol lines: 617, 609, 600, 593, 401, 174 require strings should be adjusted so they are uniform ("adr" vs "addr") and consistent with other require statements in the file, stating what is wrong rather than what should be.

For example _requireLockDuration, _requireContract, _requireDelegationUnlocked, _requireDelegatorOrRepresentative functions all state that what the issue is with the provided input in their error string. Ex. _requireContract 's string is "not-a-contract" if the address is not a contract. Alternatively "dlgtr-not-zero-adr" states what the input should be for _requireDelegatorNotZeroAddress. _requireAmountGtZero Has a similar issue.

TWABDelegator/to-not-zero-addr -> TWABDelegator/to-zero-addr TWABDelegator/dlgtr-not-zero-adr -> TWABDelegator/dlgtr-zero-addr TWABDelegator/dlgt-not-zero-adr -> TWABDelegator/dlgt-zero-addr TWABDelegator/rep-not-zero-addr -> TWABDelegator/rep-zero-addr TWABDelegator/tick-not-zero-addr -> TWABDelegator/tick-zero-addr TWABDelegator/amount-gt-zero -> TWABDelegator/amount-lte-zero

#0 - PierrickGT

2022-03-01T00:32:58Z

  1. Has already been fixed in this commit: https://github.com/pooltogether/v4-twab-delegator/pull/20/commits/3311d6cd63c52b107b5855a8c7a26daeaa8944cb

  2. Despite the lack of uniformity for one require, dlgt-not-zero-adr, I actually think this is more descriptive and readable. For example, if we take TWABDelegator/to-not-zero-addr, we require the passed to address to not be the zero address.

So in this fashion, I've renamed TWABDelegator/dlgt-not-zero-adr to TWABDelegator/dlgt-not-zero-addr, since we are still respecting the 32 characters limit for gas efficiency, in the following PR: https://github.com/pooltogether/v4-twab-delegator/pull/22

About TWABDelegator/amount-gt-zero it doesn't make sense to change it to TWABDelegator/amount-lte-zero since the comparison is _amount > 0.

For the above reasons, I've acknowledged the issue but we are actually not implementing the recommended changes.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter