Platform: Code4rena
Start Date: 26/07/2022
Pot Size: $75,000 USDC
Total HM: 29
Participants: 179
Period: 6 days
Judge: LSDan
Total Solo HM: 6
Id: 148
League: ETH
Rank: 122/179
Findings: 4
Award: $39.84
๐ Selected for report: 0
๐ Solo Findings: 0
๐ Selected for report: cloudjunky
Also found by: 0x1f8b, 0x4non, 0x52, 0xDjango, 0xHarry, 0xNazgul, 0xNineDec, 0xf15ers, 0xsanson, 0xsolstars, 8olidity, Bnke0x0, CertoraInc, Chom, Deivitto, Dravee, GalloDaSballo, GimelSec, IllIllI, Jmaxmanblue, JohnSmith, Jujic, Kenshin, Krow10, Lambda, MEP, Noah3o6, RedOneN, Ruhum, StErMi, StyxRave, TomJ, Treasure-Seeker, TrungOre, _Adam, __141345__, arcoun, asutorufos, bardamu, bearonbike, bin2chen, brgltd, bulej93, c3phas, cRat1st0s, carlitox477, cccz, codexploder, cryptonue, cryptphi, cthulhu_cult, dharma09, dipp, djxploit, durianSausage, ellahi, giovannidisiena, hansfriese, horsefacts, hyh, immeas, indijanc, jayjonah8, jayphbee, joestakey, kenzo, kyteg, ladboy233, minhquanym, navinavu, obront, oyc_109, peritoflores, rbserver, reassor, rokinot, rotcivegaf, saian, scaraven, shenwilly, simon135, sseefried, teddav, zzzitron
0.0037 USDC - $0.00
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L151-L156
The use of the deprecated transfer() function will inevitably make the transaction fail when:
More over, using higher than 2300 gas might be mandatory for some multisig wallets.
transfer() and send() use a hardcoded gas amount.payEther() function is using transfer (with fixed stipend 2300 gas)payEther() is being used in multiple occasions for transfering native coin to some address for fees, payments and shares.Using call() instead of transfer()
#0 - KenzoAgada
2022-08-03T14:13:34Z
Duplicate of #343
๐ Selected for report: TomJ
Also found by: 0x4non, 0x52, 0xDjango, 0xNazgul, 0xf15ers, 0xsanson, 8olidity, Bnke0x0, CertoraInc, Ch_301, Chom, Dravee, GalloDaSballo, GimelSec, JC, Jujic, Kenshin, Kumpa, Lambda, M0ndoHEHE, PaludoX0, RedOneN, Ruhum, Sm4rty, Treasure-Seeker, TrungOre, Twpony, Waze, _Adam, __141345__, apostle0x01, arcoun, benbaessler, bin2chen, brgltd, cccz, cloudjunky, cryptonue, djxploit, ellahi, erictee, hansfriese, i0001, minhquanym, oyc_109, peritoflores, rbserver, reassor, rokinot, rotcivegaf, saian, shenwilly, sseefried
0.1513 USDC - $0.15
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L236 https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L301 https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L361
If the receiver of NFT transfered is a smart contract (could be a multisig) which does not implement the onERC721Received and do not have proper handling of ERC721 tokens, then the NFT would be lost if using transferFrom()
fillAsk() function calls transferFrom() on a ERC721 token (meanwhile, for ERC1155, it use safeTransferFrom()).transferFrom() function does not ensure the receiver is capable of proper handling of NFTs, this might resulting in the loss of the token.Call the safeTransferFrom() method instead of transferFrom() for NFT transfers.
#0 - KenzoAgada
2022-08-03T15:08:23Z
Duplicate of #342
๐ Selected for report: AuditsAreUS
Also found by: 0xSky, CertoraInc, GimelSec, GiveMeTestEther, Green, Lambda, Ruhum, RustyRabbit, Treasure-Seeker, Twpony, arcoun, bin2chen, cccz, codexploder, cryptonue, dipp, horsefacts, jayphbee, joestakey, minhquanym, obront, peritoflores, rbserver, reassor, rotcivegaf, scaraven, ych18
4.5163 USDC - $4.52
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L203-L271
The contract logic only make sure the ether send is equal or more than it should have, but unfortunately any excess amount is not calculated and returned to sender.
If user accidentally submit ether inside (msg.value) more than it should have, there is no refund over the overspent.
Therefore, since the contract doesn't have any external/public ether withdrawal function, therefore this excess will just stuck inside of contract forever.
This pattern, making sure that contract only takes what it should take, and return the excess to the sender should be standard and implemented by all contract developer who is accepting deposit on their contract.
There should be a calculation to check if there is overspend amount after all required cut of the fillAsk() function. This remaining (excess) amount should return back to the sender.
#0 - KenzoAgada
2022-08-04T02:55:58Z
Duplicate of #75
๐ Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0x52, 0xA5DF, 0xDjango, 0xLovesleep, 0xNazgul, 0xNineDec, 0xSmartContract, 0xackermann, 0xc0ffEE, 0xf15ers, 0xmatt, 0xsanson, 0xsolstars, 8olidity, AuditsAreUS, Bahurum, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chom, CryptoMartian, Deivitto, DevABDee, Dravee, ElKu, Franfran, Funen, GalloDaSballo, GimelSec, GiveMeTestEther, Green, JC, Jmaxmanblue, JohnSmith, Jujic, Junnon, Kenshin, Krow10, Kumpa, Lambda, MEP, Maxime, MiloTruck, Mohandes, NoamYakov, Picodes, RedOneN, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, Soosh, StErMi, StyxRave, Tadashi, TomJ, Treasure-Seeker, TrungOre, Waze, _Adam, __141345__, ajtra, ak1, apostle0x01, arcoun, asutorufos, async, benbaessler, berndartmueller, bin2chen, brgltd, c3phas, cRat1st0s, carlitox477, chatch, codetilda, codexploder, cryptonue, cryptphi, csanuragjain, cthulhu_cult, delfin454000, dipp, dirk_y, djxploit, ellahi, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, horsefacts, hyh, idkwhatimdoing, indijanc, jayfromthe13th, jayphbee, joestakey, kenzo, kyteg, lucacez, luckypanda, mics, minhquanym, obront, oyc_109, pedr02b2, rajatbeladiya, rbserver, reassor, robee, rokinot, rotcivegaf, sach1r0, saian, saneryee, sashik_eth, scaraven, shenwilly, simon135, sseefried, supernova, teddav, ych18, zuhaibmohd, zzzitron
35.1687 USDC - $35.17
Missing Zero address check
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L154
Check that the address is zero
Unused code can give an assumption at programming or architectural errors.
The GolomAirdrop contract includes minLockDuration variable that is never used anywhere (except setting its value)
Use it or remove it.
_hashOrder() & _hashOrderinternal() functionUnnecessary code can give an assumption at programming or architectural errors, and might increase gas usage.
The GolomTrader.sol and Emitter.sol contracts includes _hashOrder and _hashOrderinternal. This two functions are just a redundant code, we can just merge into a single function.
just remove the _hashOrderinternal() function, and move its logic to _hashOrder() and create the extra as memory variable
function _hashOrder(Order calldata o) private pure returns (bytes32) { uint256[2] memory extra = [o.nonce, o.deadline]; return keccak256( abi.encode( keccak256( 'order(address collection,uint256 tokenId,address signer,uint256 orderType,uint256 totalAmt,payment exchange,payment prePayment,bool isERC721,uint256 tokenAmt,uint256 refererrAmt,bytes32 root,address reservedAddress,uint256 nonce,uint256 deadline)payment(uint256 paymentAmt,address paymentAddress)' ), o.collection, o.tokenId, o.signer, o.orderType, o.totalAmt, hashPayment(o.exchange), hashPayment(o.prePayment), o.isERC721, o.tokenAmt, o.refererrAmt, o.root, o.reservedAddress, extra ) ); }
RewardDistribution.sol:
explain/put comment with correct meaning of the following code.
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/rewards/RewardDistributor.sol#L9
import 'hardhat/console.sol';
remove any unused import
There are some magic number showed on contract:
RewardDistributor.sol
rewardTrader[epoch] = ((tokenToEmit - stakerReward) * 67) / 100; rewardExchange[epoch] = ((tokenToEmit - stakerReward) * 33) / 100;
Should be stored inside a variable, or at least explained well what does it means