FactoryDAO contest - delfin454000's results

The DAO that builds DAOs.

General Information

Platform: Code4rena

Start Date: 04/05/2022

Pot Size: $50,000 DAI

Total HM: 24

Participants: 71

Period: 5 days

Judge: Justin Goro

Total Solo HM: 14

Id: 119

League: ETH

Researcher Performance

Rank: 49/71

Findings: 2

Award: $113.74

🌟 Selected for report: 0

🚀 Solo Findings: 0

Typos

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/VoterID.sol#L117

    /// @dev All permissions around minting should be done thru MerkleIdentity and it's associate gates

Change associate to associated

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/VoterID.sol#L71

    // owner is a special name in the OpenZeppelin standard that opensea annoyingly expects for their management page

Change opensea to OpenSea

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleResistor.sol#L202

        // 3/ token re-enters this function (or other, but this is the only one that transfers tokens out)

Change other to another

Seven instances of the same typo (use of effect when affect is intended) occur in the lines below:

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleDropFactory.sol#L76

        // but it does not effect the other trees

https://github.com/code-423n4/2022-05-factorydao/blob/e22a562c01c533b8765229387894cc0cb9bed116/contracts/MerkleVesting.sol#L88

        // but it does not effect the other trees

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleVesting.sol#L170

        // but this does not allow re-entrance due to struct updates and it does not effect other trees.

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleResistor.sol#L200

        // 1/ token doesn't transfer given amount to recipient, this is bad for user, but does not effect other trees

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleResistor.sol#L201

        // 2/ token fails for some reason, again bad for user, but this does not effect other trees

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleEligibility.sol#L11

/// @dev Anyone can add a gate, but it doesn't effect anything if it's not connected to a tree in MerkleIdentity

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/PermissionlessBasicPoolFactory.sol#L82

    /// @dev Any malicious token contracts included here will make the pool malicious, but not effect other pools

In each case, change `effect` to `affect`

#0 - illuzen

2022-05-12T08:59:54Z

mostly duplicates, except for OpenSea

Issue: Require message is too long

Explanation: The messages below can be shortened to 32 characters or fewer (as shown) to save gas

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleDropFactory.sol#L90

        require(treeIndex <= numTrees, "Provided merkle index doesn't exist");

Change message to Provided merkle idx nonexistent

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleDropFactory.sol#L92

        require(!withdrawn[destination][treeIndex], "You have already withdrawn your entitled token.");

Change message to Token you entitled to already wd

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleVesting.sol#L145

        require(block.timestamp > tranche.lockPeriodEndTime, 'Must wait until after lock period');

Change message to Must wait until aft lock period

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleResistor.sol#L83

        require(minEndTime < maxEndTime, 'minEndTime must be less than maxEndTime');

Change message to minEndTime must be < maxEndTime

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleIdentity.sol#L127

        require(verifyMetadata(tree.metadataMerkleRoot, tokenId, uri, metadataProof), "The metadata proof could not be verified");

Change message to Metadata proof couldn't be ver

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/VoterID.sol#L98

        require (msg.sender == _owner_, 'Identity: Only owner may call this');

Change message to Identity: Only owner may call

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleResistor.sol#L136

        require(msg.sender == destination, 'Can only initialize your own tranche');

Change message to Can only initialize own tranche

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/VoterID.sol#L239

        require(isApproved(msg.sender, tokenId), 'Identity: Not authorized to approve');

Change message to Identity: Not authorized to app

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/VoterID.sol#L240

        require(holder != approved, 'Identity: Approving self not allowed');

Change message to Identity: Approving self not ok

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/VoterID.sol#L305

        require(owners[tokenId] == from, "Identity: Transfer of token that is not own");

Change message to Identity: Tfr of token not own

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/VoterID.sol#L306

        require(to != address(0), "Identity: transfer to the zero address");

Change message to Identity: tfr to the 0 address

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/VoterID.sol#L217

        require(checkOnERC721Received(from, to, tokenId, data), "Identity: transfer to non ERC721Receiver implementer");

Not sure how to shorten this message

The same require message occurs in both lines referenced below:

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleVesting.sol#L141

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleResistor.sol#L171

        require(initialized[destination][treeIndex], "You must initialize your account first.");

Change message to Must initialize your acct first

Issue: Variables should not be initialized to their default values

Explanation: Initializing uint variables to their default value of 0 is unnecessary and costs gas

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleVesting.sol#L150

        uint currentWithdrawal = 0;

Recommended:

        uint currentWithdrawal;

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/VoterID.sol#L69

    uint public numIdentities = 0;

Recommended:

    uint public numIdentities;

uint currentWithdrawal is initialized to zero twice, as follows:

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleResistor.sol#L176

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleVesting.sol#L150

        uint currentWithdrawal = 0;

Recommended:

        uint currentWithdrawal;

uint public numTrees is initialized to zero three times, as follows:

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleDropFactory.sol#L17

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleVesting.sol#L16

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleResistor.sol#L24

    uint public numTrees = 0;

Recommended:

    uint public numTrees;

#0 - illuzen

2022-05-12T08:59:23Z

all duplicates
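An added example (not part of the report or the FactoryDAO code base): a small Python check for the require-message finding above, flagging messages longer than 32 bytes. The sample statements are copied from lines quoted in the report and from its suggested replacements; the function and variable names are illustrative.

```python
import re

# require(<condition>, "<message>"); with a single- or double-quoted message.
# The greedy condition group backtracks to the last comma that precedes a quote,
# so commas inside nested calls in the condition are handled.
REQUIRE_RE = re.compile(
    r"""require\s*\((?P<cond>.*),\s*(?P<q>["'])(?P<msg>.*?)(?P=q)\s*\)\s*;"""
)
LIMIT = 32  # bytes; the threshold used in the report


def long_require_messages(source, limit=LIMIT):
    """Return (line_no, byte_len, message) for each require message over `limit`."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = REQUIRE_RE.search(line)
        if not match:
            continue
        message = match.group("msg")
        size = len(message.encode("utf-8"))  # measured in bytes, not characters
        if size > limit:
            findings.append((line_no, size, message))
    return findings


# Statements as quoted in the report.
ORIGINAL = """\
require(!withdrawn[destination][treeIndex], "You have already withdrawn your entitled token.");
require (msg.sender == _owner_, 'Identity: Only owner may call this');
require(verifyMetadata(tree.metadataMerkleRoot, tokenId, uri, metadataProof), "The metadata proof could not be verified");
"""

# The same statements with the report's suggested messages.
SHORTENED = """\
require(!withdrawn[destination][treeIndex], "Token you entitled to already wd");
require (msg.sender == _owner_, 'Identity: Only owner may call');
require(verifyMetadata(tree.metadataMerkleRoot, tokenId, uri, metadataProof), "Metadata proof couldn't be ver");
"""

if __name__ == "__main__":
    for line_no, size, message in long_require_messages(ORIGINAL):
        print(f"line {line_no}: {size} bytes: {message!r}")
    print("after shortening:", long_require_messages(SHORTENED))
```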
