Covalent contest - defsec's results

One unified API. One billion possibilities.

General Information

Platform: Code4rena

Start Date: 19/10/2021

Pot Size: $30,000 ETH

Total HM: 5

Participants: 13

Period: 3 days

Judge: GalloDaSballo

Total Solo HM: 4

Id: 43

League: ETH

Covalent

Findings Distribution

Researcher Performance

Rank: 12/13

Findings: 1

Award: $30.55

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Covalent

Findings Information

🌟 Selected for report: xYrYuYx

Also found by: WatchPug, defsec, harleythedog, pants, pauliax

Labels

bug

duplicate

G (Gas Optimization)

Awards

0.003 ETH - $10.71

External Links

Link to GitHub issue

Handle

defsec

Vulnerability details

Impact

This does not directly impact the smart contract in anyway besides cost. This is a gas optimization to reduce cost of smart contract. Calling each function, we can see that the public function uses 496 gas, while the external function uses only 261.

Proof of Concept

According to Slither Analyzer documentation (https://github.com/crytic/slither/wiki/Detector-Documentation#public-function-that-could-be-declared-external), there are functions in the contract that are never called. These functions should be declared as external in order to save gas.

Slither Detector:

external-function:

DelegatedStaking.sol

https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L90
https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L101
https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L214
https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L257
https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L269
https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L304
https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L345
https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L355
https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L368
https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L386
https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L393
https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L409
https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L402

Tools Used

Slither

Recommended Mitigation Steps

Clone repository for Covalent Smart Contract.
Create a python virtual environment with a stable python version.
Install Slither Analyzer on the python VEM.
Run Slither against all contracts.
Define public functions as an external for the gas optimization.

#0 - kitti-katy
2021-10-21T20:43:47Z

duplicate of #2

#1 - GalloDaSballo
2021-11-01T17:02:19Z

Duplicate of #2

Findings Information

🌟 Selected for report: xYrYuYx

Also found by: cmichel, defsec, pants

Labels

bug

duplicate

G (Gas Optimization)

Awards

0.0055 ETH - $19.84

External Links

Link to GitHub issue

Handle

defsec

Vulnerability details

Impact

It is good to add a require() statement that checks the return value of token transfers or to use something like OpenZeppelin’s safeTransfer/safeTransferFrom unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract.

Reference: This similar medium-severity finding from Consensys Diligence Audit of Fei Protocol: https://consensys.net/diligence/audits/2021/01/fei-protocol/#unchecked-return-value-for-iweth-transfer-call

Proof of Concept

Navigate to https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L77 contract.
Transfer and TransferFrom function is used instead of safe transfer on the following lines.

https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L77 https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L85

Tools Used

Manual Code Review

Recommended Mitigation Steps

Consider using safeTransfer/safeTransferFrom or require() consistently.

#0 - kitti-katy
2021-10-21T18:30:29Z

duplicate of #1

#1 - GalloDaSballo
2021-11-02T15:27:31Z

Duplicate of #1

Covalent contest - defsec's results

One unified API. One billion possibilities.

General Information

Findings Distribution

Researcher Performance

External Links

Gas Report - $30.55

Gas Report - $30.55

[G-04] Gas Optimization on the Public Functions - $10.71

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - kitti-katy2021-10-21T20:43:47Z

#1 - GalloDaSballo2021-11-01T17:02:19Z

[G-05] Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom - $19.84

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - kitti-katy2021-10-21T18:30:29Z

#1 - GalloDaSballo2021-11-02T15:27:31Z

#0 - kitti-katy
2021-10-21T20:43:47Z

#1 - GalloDaSballo
2021-11-01T17:02:19Z

#0 - kitti-katy
2021-10-21T18:30:29Z

#1 - GalloDaSballo
2021-11-02T15:27:31Z