Platform: Code4rena
Start Date: 04/11/2021
Pot Size: $50,000 USDC
Total HM: 20
Participants: 28
Period: 7 days
Judge: 0xean
Total Solo HM: 11
Id: 51
League: ETH
Rank: 12/28
Findings: 4
Award: $755.76
๐ Selected for report: 4
๐ Solo Findings: 0
defsec
It is good to add a require() statement that checks the return value of token transfers or to use something like OpenZeppelinโs safeTransfer/safeTransferFrom unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract.
Reference: This similar medium-severity finding from Consensys Diligence Audit of Fei Protocol: https://consensys.net/diligence/audits/2021/01/fei-protocol/#unchecked-return-value-for-iweth-transfer-call
https://github.com/code-423n4/2021-11-bootfinance/blob/7c457b2b5ba6b2c887dafdf7428fd577e405d652/vesting/contracts/AirdropDistribution.sol#L567 https://github.com/code-423n4/2021-11-bootfinance/blob/7c457b2b5ba6b2c887dafdf7428fd577e405d652/vesting/contracts/Vesting.sol#L95
Code Review
Consider using safeTransfer/safeTransferFrom or require() consistently.
#0 - chickenpie347
2022-01-03T20:20:42Z
Duplicate of #31
85.8459 USDC - $85.85
defsec
The current ownership transfer process involves the current owner calling Swap.transferOwnership(). This function checks the new owner is not the zero address and proceeds to write the new owner's address into the owner's state variable. If the nominated EOA account is not a valid account, it is entirely possible the owner may accidentally transfer ownership to an uncontrolled account, breaking all functions with the onlyOwner() modifier.
None
Implement zero address check and Consider implementing a two step process where the owner nominates an account and the nominated account needs to call an acceptOwnership() function for the transfer of ownership to fully succeed. This ensures the nominated EOA account is a valid and active account.
#0 - 0xean
2022-01-08T02:51:08Z
upgrading to med severity as this could impact availability of protocol
2 โ Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
defsec
The burnEtherForMember() functions dont follow check effect interaction pattern. This can cause re-entrancy vulnerability on the function.
"https://github.com/code-423n4/2021-11-bootfinance/blob/main/tge/contracts/PublicSale.sol#L164"
Manual Code Review
Consider using Openzeppelin's nonReentrant modifier on the related function. More info about the relevant contract implementation can be found here. (https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/security/ReentrancyGuard.sol)
#0 - chickenpie347
2022-01-04T02:15:32Z
Duplicate of #148
๐ Selected for report: defsec
290.7617 USDC - $290.76
defsec
During the code review, It has been seen maxVesting amount is disabled. However, there is no maximum and minimum vesting amount defined. Users can vest small amount. For the protocol liquditiy calculation maximum and minimum threshold should be defined.
""" https://github.com/code-423n4/2021-11-bootfinance/blob/main/vesting/contracts/Vesting.sol#L76 """
Review
It is suggested to check maximum/minimum vesting amount on the contract.
defsec
The addInvestor function which is used on the InvestorDistribution contract does not check duplicate investors. With the malicious admin behaviour, investor can be overwritten.
None
Consider to check if the investor exists before.
#0 - chickenpie347
2022-01-03T20:55:11Z
Duplicate of #11
4.4176 USDC - $4.42
defsec
A comparatively cheap way of storing and reading information is by directly including them into the bytecode of the smart contract, when deploying it on the blockchain. The downside here is that the value cannot be altered afterwards. However, gas consumption for both loading and storing data will be considerably reduced. The array can be marked as constant or immutable that will provide gas optimization. The array is not edited on the contract.
None
Consider to mark array as a constant or immutable for the gas optimization.
#0 - 0xean
2022-01-08T22:49:26Z
duplicate of #88
8.1808 USDC - $8.18
defsec
Using the unchecked keyword to avoid redundant arithmetic underflow/overflow checks to save gas when an underflow/overflow cannot happen. E.g. 'unchecked' can be applied in the following lines of code since there are require statements before to ensure the arithmetic operations would not cause an integer underflow or overflow.
Code Review
Consider applying 'unchecked' keyword where overflows/underflows are not possible.
๐ Selected for report: defsec
44.8876 USDC - $44.89
defsec
Using newer compiler versions and the optimizer gives gas optimizations and additional safety checks are available for free.
The advantages of versions 0.8.* over <0.8.0 are:
(https://github.com/code-423n4/2021-11-bootfinance/blob/main/customswap/contracts/Swap.sol ) (https://github.com/code-423n4/2021-11-bootfinance/blob/main/customswap/contracts/SwapUtils.sol#L3) (https://github.com/code-423n4/2021-11-bootfinance/blob/main/customswap/contracts/MathUtils.sol#L3) (https://github.com/code-423n4/2021-11-bootfinance/blob/main/tge/contracts/PublicSale.sol#L2) (https://github.com/code-423n4/2021-11-bootfinance/blob/main/tge/contracts/PublicSaleBatchWithdraw.sol#L2)
None
Consider to upgrade pragma to at least 0.8.4.
defsec
##ย Impact
This does not directly impact the smart contract in anyway besides cost. This is a gas optimization to reduce cost of smart contract. Calling each function, we can see that the public function uses 496 gas, while the external function uses only 261.
According to Slither Analyzer documentation (https://github.com/crytic/slither/wiki/Detector-Documentation#public-function-that-could-be-declared-external), there are functions in the contract that are never called. These functions should be declared as external in order to save gas.
Slither Detector:
external-function:
Slither
#0 - chickenpie347
2022-01-04T02:16:22Z
Duplicate of #121
defsec
From the pragma version 0.8.0, Overflow/underflow protections are enabled by default. The SafeMath library can be deleted from the code base. For achieving gas optimization, unnecessary code should be deleted from the repository.
(https://github.com/code-423n4/2021-11-bootfinance/blob/main/tge/contracts/PublicSale.sol#L22) (https://github.com/code-423n4/2021-11-bootfinance/blob/main/vesting/contracts/Vesting.sol#L20) (https://github.com/code-423n4/2021-11-bootfinance/blob/main/vesting/contracts/InvestorDistribution.sol#L19) (https://github.com/code-423n4/2021-11-bootfinance/blob/main/vesting/contracts/AirdropDistribution.sol#L20)
Code Review
Consider to delete redundant safe math library for the gas optimization. After pragma 0.8.0, overflow/underflow protections are enabled by default.
#0 - chickenpie347
2022-01-03T20:18:00Z
Duplicate of #7