Behodler contest - defsec's results

Ethereum liquidity protocol powered by token bonding curves.

General Information

Platform: Code4rena

Start Date: 27/01/2022

Pot Size: $90,000 USDC

Total HM: 21

Participants: 33

Period: 7 days

Judge: Jack the Pug

Total Solo HM: 14

Id: 78

League: ETH

Behodler

Findings Distribution

Researcher Performance

Rank: 21/33

Findings: 1

Award: $206.31

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Behodler

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Auditors

Browse

Contests

Browse

Get in touch

Contact Twitter

Findings Information

🌟 Selected for report: Dravee

Also found by: CertoraInc, defsec, pauliax, sirhashalot

Labels

bug

duplicate

G (Gas Optimization)

Awards

22.9602 USDC - $22.96

External Links

Link to GitHub issue

Handle

defsec

Vulnerability details

Impact

For the arithmetic operations that will never over/underflow, using the unchecked directive (Solidity v0.8 has default overflow/underflow checks) can save some gas from the unnecessary internal over/underflow checks.

Proof of Concept

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L424

Tools Used

None

Recommended Mitigation Steps

Consider applying unchecked arithmetic where overflow/underflow is not possible.

#0 - gititGoro
2022-02-10T04:41:56Z

duplicate of issue 116

#1 - jack-the-pug
2022-02-22T15:48:51Z

Dup #265

Findings Information

🌟 Selected for report: robee

Also found by: 0x1f8b, CertoraInc, Dravee, IllIllI, defsec, p4st13r4, rfa, throttle

Labels

bug

duplicate

G (Gas Optimization)

Awards

8.369 USDC - $8.37

External Links

Link to GitHub issue

Handle

defsec

Vulnerability details

Impact

++i is more gas efficient than i++ in loops forwarding.

Proof of Concept

Navigate to the following contracts.

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L212

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L217

Tools Used

Code Review

Recommended Mitigation Steps

It is recommend to use unchecked{++i} and change i declaration to uint256.

#0 - gititGoro
2022-02-10T00:03:00Z

duplicate of issue 10

#1 - jack-the-pug
2022-02-22T14:47:50Z

Dup #10

Findings Information

🌟 Selected for report: defsec

Labels

bug

G (Gas Optimization)

sponsor acknowledged

Awards

174.9751 USDC - $174.98

External Links

Link to GitHub issue

Handle

defsec

Vulnerability details

Impact

The use of _msgSender() when there is no implementation of a meta transaction mechanism that uses it, such as EIP-2771, very slightly increases gas consumption.

Proof of Concept

_msgSender() is utilized three times where msg.sender could have been used in the following function.

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L251

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L288

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L291

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L330

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L387

https://github.com/code-423n4/2022-01-behodler/blob/main/contracts/DAO/LimboDAO.sol#L151

Tools Used

None

Recommended Mitigation Steps

Replace _msgSender() with msg.sender if there is no mechanism to support meta-transactions like EIP-2771 implemented.

#0 - gititGoro
2022-02-05T02:12:57Z

I haven't made a final decision on the _msgSender() usage.

Behodler contest - defsec's results

Ethereum liquidity protocol powered by token bonding curves.

General Information

Findings Distribution

Researcher Performance

External Links

Gas Report - $206.31

Gas Report - $206.31

[G-13] Adding unchecked directive can save gas - $22.96

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - gititGoro2022-02-10T04:41:56Z

#1 - jack-the-pug2022-02-22T15:48:51Z

[G-12] ++i is more gas efficient than i++ in loops forwarding - $8.37

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - gititGoro2022-02-10T00:03:00Z

#1 - jack-the-pug2022-02-22T14:47:50Z

🚀 [G-08] Use of _msgSender() - $174.98

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - gititGoro2022-02-05T02:12:57Z

#0 - gititGoro
2022-02-10T04:41:56Z

#1 - jack-the-pug
2022-02-22T15:48:51Z

#0 - gititGoro
2022-02-10T00:03:00Z

#1 - jack-the-pug
2022-02-22T14:47:50Z

#0 - gititGoro
2022-02-05T02:12:57Z