Juicebox Buyback Delegate - d3e4's results

Thousands of projects use Juicebox to fund, operate, and scale their ideas & communities transparently on Ethereum.

General Information

Platform: Code4rena

Start Date: 18/05/2023

Pot Size: $24,500 USDC

Total HM: 3

Participants: 72

Period: 4 days

Judge: LSDan

Id: 237

League: ETH


Researcher Performance

Rank: 30/72

Findings: 1

Award: $16.19

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

No check that the Uniswap pool is wETH-projectToken

There is no check that the Uniswap pool passed to the constructor is actually the wETH/projectToken pool. If it is not, the swap logic breaks, and a malicious pool or token could end up being called by this delegate. Consider at least checking that the pool's tokens match wETH and projectToken.
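One way to implement the check suggested above, as an added example and not code from the Juicebox repository. The interfaces are a minimal subset of Uniswap V3 core, and the constructor signature, contract name and error names are assumptions for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Minimal subset of the Uniswap V3 pool and factory interfaces (assumed here).
interface IUniswapV3PoolImmutables {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function fee() external view returns (uint24);
}

interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

/// @dev Hypothetical delegate skeleton; only the constructor validation is shown.
contract BuybackDelegateWithPoolCheck {
    address public immutable weth;
    address public immutable projectToken;
    IUniswapV3PoolImmutables public immutable pool;

    error PoolTokenMismatch(address token0, address token1);
    error PoolNotCanonical(address expected, address given);

    constructor(
        address _projectToken,
        address _weth,
        IUniswapV3PoolImmutables _pool,
        IUniswapV3Factory _factory
    ) {
        address t0 = _pool.token0();
        address t1 = _pool.token1();

        // Uniswap V3 sorts token0 < token1 by address, so accept either orientation.
        bool matches =
            (t0 == _weth && t1 == _projectToken) || (t0 == _projectToken && t1 == _weth);
        if (!matches) revert PoolTokenMismatch(t0, t1);

        // token0()/token1() are self-reported: a malicious contract posing as a pool can
        // return whatever it likes. Confirm the address is the pool the canonical factory
        // created for this pair and fee tier.
        address canonical = _factory.getPool(t0, t1, _pool.fee());
        if (canonical != address(_pool)) revert PoolNotCanonical(canonical, address(_pool));

        weth = _weth;
        projectToken = _projectToken;
        pool = _pool;
    }
}
```

The second check matters more than the first: matching token addresses alone does not rule out an attacker-deployed contract that merely claims to be the wETH/projectToken pool, whereas the factory lookup binds the delegate to the pool the real Uniswap factory deployed.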

Use explicit WETH address

WETH is a specific and known contract. There is no reason to have to set it in the constructor. Consider hardcoding it instead:

- IWETH9 public immutable weth;
+ IWETH9 private constant weth = IWETH9(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);
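Review bot: hardcoding 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 ties the delegate to Ethereum mainnet; on any other network (testnets, L2s) WETH lives at a different address, so the contract would have to be edited and recompiled per chain instead of configured at deployment. The replacement line also changes `public immutable` to `private constant`, which removes the external `weth()` getter that integrators and off-chain tooling may rely on. If the aim is only to prevent misconfiguration, keeping the constructor argument and validating it (for example, checking that the supplied address has code, or comparing it against a per-chain constant) achieves that without losing portability or the getter.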

Typos

Datasource -> Data source
datasource -> data source
per definition -> by definition
controle -> control
toke_beforeTransferTon -> token?
receive -> receives
send -> sends
burn -> burns
mint -> mints
burn -> burns
sending back the token in in the terminal -> sending back the token in to the terminal

Spell out fc as funding cycle

It may be difficult to know that 'fc' stands for 'funding cycle'. Instances:

https://github.com/code-423n4/2023-05-juicebox/blob/9d0458282511ff269b3b35b5b082b56d5cc08663/juice-buyback/contracts/JBXBuybackDelegate.sol#L191
https://github.com/code-423n4/2023-05-juicebox/blob/9d0458282511ff269b3b35b5b082b56d5cc08663/juice-buyback/contracts/JBXBuybackDelegate.sol#L251
https://github.com/code-423n4/2023-05-juicebox/blob/9d0458282511ff269b3b35b5b082b56d5cc08663/juice-buyback/contracts/JBXBuybackDelegate.sol#L337

Barbarism (Latin grammar)

"CONTRACTVS" is accusative masculine plural, so "MEAM" should be "MEOS". Or, in the singular, "CONTRACTUM MEUM".

#0 - c4-judge

2023-06-02T11:07:36Z

dmvt marked the issue as grade-b
