Platform: Code4rena
Start Date: 27/10/2022
Pot Size: $33,500 USDC
Total HM: 8
Participants: 96
Period: 3 days
Judge: kirk-baird
Total Solo HM: 1
Id: 176
League: ETH
Rank: 24/96
Findings: 2
Award: $192.16
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: robee
Also found by: 0x007, 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 8olidity, Awesome, B2, Bnke0x0, Chom, Diana, Dravee, JTJabba, Jeiwan, Josiah, Lambda, Mathieu, Picodes, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Ruhum, Sm4rty, Tricko, Trust, Waze, __141345__, a12jmx, adriro, ajtra, brgltd, c3phas, carlitox477, cccz, ch0bu, chaduke, chrisdior4, corerouter, cryptonue, csanuragjain, ctf_sec, cylzxje, delfin454000, dic0de, djxploit, horsefacts, imare, jayphbee, jwood, ktg, ladboy233, leosathya, lukris02, minhtrng, neko_nyaa, oyc_109, pashov, peritoflores, rbserver, rvierdiiev, shark, tnevler, yixxas
180.6401 USDC - $180.64
Summary:
- Missing endTimestamp > block.timestamp check leads to reverted transaction
- newEndTimestamp < oldEndTimestamp check should be more inclusive
- Missing remainingDuration > 0 check

Missing endTimestamp > block.timestamp check leads to reverted transaction

L237: uint256 boostDuration = endTimestamp - block.timestamp; // @audit: revert if endTimestamp <= block.timestamp
L256: uint256 slope = amount / boostDuration;

Recommend adding an endTimestamp > block.timestamp check:
L234: if(endTimestamp <= block.timestamp || endTimestamp > pledgeParams.endTimestamp || endTimestamp != _getRoundedTimestamp(endTimestamp)) revert Errors.InvalidEndTimestamp();
newEndTimestamp < oldEndTimestamp check should be more inclusive

newEndTimestamp = oldEndTimestamp is not a valid extension either.
https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L383

Recommend the more inclusive check:
newEndTimestamp <= oldEndTimestamp
Missing remainingDuration > 0 check

Missing this check leads to totalRewardAmount = 0, and the transaction is reverted later.
https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L430

L430: uint256 remainingDuration = pledgeParams.endTimestamp - block.timestamp;
L432: uint256 totalRewardAmount = (rewardPerVoteDiff * pledgeParams.votesDifference * remainingDuration) / UNIT;

Recommend adding the following check:
if(remainingDuration == 0) revert ... ;
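The three timing checks above, placed where they belong in a stripped-down pledge contract. This is an added illustration, not the WardenPledge.sol code under review: the contract, struct, error and variable names (PledgeTimingChecks, Pledge, WEEK, NullDuration, ExpiredPledge, RewardsPerVotesTooLow, ...) are assumptions, and the reward formula only mirrors the shape of the L432 expression quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration, not the WardenPledge.sol code under review: a stripped-down
// pledge contract showing where the three timing checks from the QA findings belong.
// Contract, struct, error and variable names are assumptions.
contract PledgeTimingChecks {
    uint256 public constant WEEK = 7 days;
    uint256 public constant UNIT = 1e18;

    error InvalidEndTimestamp();
    error ExpiredPledge();
    error NullDuration();
    error NullReward();
    error RewardsPerVotesTooLow();

    struct Pledge {
        uint256 endTimestamp;
        uint256 votesDifference;
        uint256 rewardPerVote;
    }

    Pledge[] public pledges;

    function _getRoundedTimestamp(uint256 ts) internal pure returns (uint256) {
        return (ts / WEEK) * WEEK;
    }

    // Finding 1: validate endTimestamp before subtracting block.timestamp from it.
    function createPledge(uint256 rewardPerVote, uint256 votesDifference, uint256 endTimestamp)
        external
        returns (uint256 pledgeId)
    {
        // Without the first clause a past endTimestamp makes the subtraction below
        // underflow (Panic 0x11), and endTimestamp == block.timestamp gives a zero
        // duration, so any later division by it hits Panic 0x12. Neither panic tells
        // the caller what was wrong; the custom error does.
        if (
            endTimestamp <= block.timestamp ||
            endTimestamp != _getRoundedTimestamp(endTimestamp)
        ) revert InvalidEndTimestamp();

        uint256 boostDuration = endTimestamp - block.timestamp; // >= 1 here
        uint256 totalRewardAmount = (rewardPerVote * votesDifference * boostDuration) / UNIT;
        if (totalRewardAmount == 0) revert NullReward();

        pledges.push(Pledge(endTimestamp, votesDifference, rewardPerVote));
        pledgeId = pledges.length - 1;
        // reward token transfer omitted for brevity
    }

    // Finding 2: an extension to the same end timestamp changes nothing, so reject
    // it with <=, not <.
    function extendPledge(uint256 pledgeId, uint256 newEndTimestamp) external {
        Pledge storage p = pledges[pledgeId];
        uint256 oldEndTimestamp = p.endTimestamp;
        if (
            newEndTimestamp <= oldEndTimestamp ||
            newEndTimestamp != _getRoundedTimestamp(newEndTimestamp)
        ) revert InvalidEndTimestamp();
        p.endTimestamp = newEndTimestamp;
        // additional reward transfer for the added duration omitted
    }

    // Finding 3: a pledge that ends exactly now passes an expiry check written with <,
    // leaving remainingDuration == 0 and a zero reward amount that only fails later.
    function increaseRewardPerVote(uint256 pledgeId, uint256 newRewardPerVote)
        external
        returns (uint256 totalRewardAmount)
    {
        Pledge storage p = pledges[pledgeId];
        if (p.endTimestamp < block.timestamp) revert ExpiredPledge();
        if (newRewardPerVote <= p.rewardPerVote) revert RewardsPerVotesTooLow();

        uint256 remainingDuration = p.endTimestamp - block.timestamp;
        if (remainingDuration == 0) revert NullDuration(); // the recommended early exit

        uint256 rewardPerVoteDiff = newRewardPerVote - p.rewardPerVote;
        totalRewardAmount = (rewardPerVoteDiff * p.votesDifference * remainingDuration) / UNIT;
        p.rewardPerVote = newRewardPerVote;
        // reward token transfer omitted
    }
}
```

The common thread is ordering: every check on a timestamp runs before the arithmetic that consumes it, so a bad input fails with a named custom error at the boundary instead of a Panic deep inside the computation or a silent zero that only reverts in a later transfer.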
It's quite annoying to read the same line repeated many times.
Recommend deleting all duplicates.
Recommend correcting the Natspec typos: balacne -> balance, feeamount -> feeAmount, ot -> to, reards -> rewards
#0 - c4-judge
2022-11-12T00:11:03Z
kirk-baird marked the issue as grade-a
🌟 Selected for report: c3phas
Also found by: 0x1f8b, 0xNazgul, 0xRoxas, 0xSmartContract, 0xbepresent, Amithuddar, Awesome, B2, Bnke0x0, Dravee, KoKo, Mathieu, Picodes, RaymondFam, RedOneN, ReyAdmirado, RockingMiles, Ruhum, SadBase, SooYa, Waze, __141345__, adriro, ajtra, ballx, carlitox477, ch0bu, cylzxje, djxploit, durianSausage, emrekocak, erictee, gogo, halden, horsefacts, imare, indijanc, karanctf, leosathya, lukris02, neko_nyaa, oyc_109, peiw, sakman, shark, skyle, tnevler
11.5153 USDC - $11.52
Summary:
- storage instead of memory for pledgeParams
- slope
- payable for onlyOwner functions
- != instead of <

storage instead of memory

Since this variable accesses storage, it is more gas efficient to declare it as storage.
Recommend changing from memory to storage:
Pledge storage pledgeParams = pledges[pledgeId];
slope

slope isn't used anywhere outside function _pledge().
L256-257: uint256 slope = amount / boostDuration; uint256 bias = slope * boostDuration;
Recommend changing to: uint256 bias = amount / boostDuration * boostDuration;
payable for onlyOwner functions

Since these functions are only for developers (onlyOwner), the chances of accidentally sending ETH are very low.
Recommend marking these functions payable to save some gas.
!= instead of <

Optimize for loop (not in automated findings).
Recommend changing to:
for(uint256 i; i != length;)
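The four gas items above side by side, each as found next to the recommended form. This is an added illustration and not the WardenPledge.sol code under review: the contract and function names (GasPatterns, endTimestampViaMemory, sumRewardsAfter, ...) are assumptions, and the unchecked ++i inside the != loop is the usual companion of that loop header, added here rather than taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration for the gas-report items, not the WardenPledge.sol code under
// review. Names are assumptions; each pair shows the form as found in the report
// next to the cheaper form it recommends.
contract GasPatterns {
    struct Pledge {
        address receiver;
        uint256 endTimestamp;
        uint256 rewardPerVote;
        uint256 votesDifference;
    }

    Pledge[] public pledges;
    uint256[] public rewards;
    address public owner;

    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // 1. `memory` copies every field of the struct out of storage (one SLOAD per
    //    slot, four here) even though a single field is read ...
    function endTimestampViaMemory(uint256 pledgeId) external view returns (uint256) {
        Pledge memory pledgeParams = pledges[pledgeId];
        return pledgeParams.endTimestamp;
    }

    //    ... while a `storage` pointer loads only the slot that is actually accessed.
    function endTimestampViaStorage(uint256 pledgeId) external view returns (uint256) {
        Pledge storage pledgeParams = pledges[pledgeId];
        return pledgeParams.endTimestamp;
    }

    // 2. `slope` is only ever multiplied straight back, so the report folds it into
    //    `bias`. Both forms floor `amount` to a multiple of `boostDuration`.
    function biasBefore(uint256 amount, uint256 boostDuration) external pure returns (uint256) {
        uint256 slope = amount / boostDuration;
        uint256 bias = slope * boostDuration;
        return bias;
    }

    function biasAfter(uint256 amount, uint256 boostDuration) external pure returns (uint256) {
        return amount / boostDuration * boostDuration;
    }

    // 3. A non-payable function starts with a `msg.value == 0` check (CALLVALUE,
    //    ISZERO, JUMPI plus a revert path); `payable` omits it. Acceptable here
    //    because only the owner can reach the function at all.
    function transferOwnershipNonPayable(address newOwner) external onlyOwner {
        owner = newOwner;
    }

    function transferOwnershipPayable(address newOwner) external payable onlyOwner {
        owner = newOwner;
    }

    // 4. Loop as found (`<`, checked i++) versus the recommended `!=` with an
    //    unchecked increment. `!=` is only safe because `i` grows by exactly one
    //    per iteration and therefore can never skip past `length`.
    function sumRewardsBefore() external view returns (uint256 total) {
        uint256 length = rewards.length;
        for (uint256 i = 0; i < length; i++) {
            total += rewards[i];
        }
    }

    function sumRewardsAfter() external view returns (uint256 total) {
        uint256 length = rewards.length;
        for (uint256 i; i != length;) {
            total += rewards[i];
            unchecked { ++i; }
        }
    }
}
```

The one caveat worth keeping in mind is item 4: swapping < for != trades a bounds condition for an equality condition, which is fine for a counter stepped by one but would loop until overflow if the step were ever changed to anything else.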
#0 - c4-judge
2022-11-12T00:10:41Z
kirk-baird marked the issue as grade-b