Rigor Protocol contest - erictee's results

Community lending and instant payments for new home construction.

General Information

Platform: Code4rena

Start Date: 01/08/2022

Pot Size: $50,000 USDC

Total HM: 26

Participants: 133

Period: 5 days

Judge: Jack the Pug

Total Solo HM: 6

Id: 151

League: ETH

Rigor Protocol

Findings Distribution

Researcher Performance

Rank: 82/133

Findings: 2

Award: $62.35

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Rigor Protocol

Findings Information

🌟 Selected for report: Lambda

Also found by: 0x1f8b, 0x52, 0xA5DF, 0xNazgul, 0xNineDec, 0xSmartContract, 0xSolus, 0xf15ers, 0xkatana, 0xsolstars, 8olidity, Aymen0909, Bahurum, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, Extropy, Funen, GalloDaSballo, Guardian, IllIllI, JC, Jujic, MEP, Noah3o6, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, SooYa, Soosh, Throne6g, TomJ, Tomio, TrungOre, Waze, Yiko, _Adam, __141345__, a12jmx, ajtra, ak1, arcoun, asutorufos, ayeslick, benbaessler, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, byndooa, c3phas, codexploder, cryptonue, cryptphi, defsec, delfin454000, dipp, djxploit, erictee, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, horsefacts, hyh, ignacio, indijanc, joestakey, kaden, mics, minhquanym, neumo, obront, oyc_109, p_crypt0, pfapostol, poirots, rbserver, robee, rokinot, rotcivegaf, sach1r0, saian, samruna, saneryee, scaraven, sikorico, simon135, sseefried, supernova

Awards

40.621 USDC - $40.62

Labels

bug

QA (Quality Assurance)

edited-by-warden

valid

External Links

Link to GitHub issue

[L-01] Missing checks for address(0x0) when assigning values to address state variables.

Code in Question

https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Project.sol#L94-L105

[L-02] Missing Initializer modifier

OpenZeppelin recommends that the initializer modifier be applied to constructors in order to avoid potential griefs, social engineering, or exploits. Ensure that the modifier is applied to the implementation contract. If the default constructor is currently being used, it should be changed to be an explicit one with the modifier applied.

Code in Question

https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/ProjectFactory.sol#L16-L20

Findings Information

🌟 Selected for report: c3phas

Also found by: 0x040, 0x1f8b, 0xA5DF, 0xNazgul, 0xSmartContract, 0xSolus, 0xc0ffEE, 0xkatana, 0xsam, 8olidity, Aymen0909, Bnke0x0, CertoraInc, Chinmay, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, Extropy, Fitraldys, Funen, GalloDaSballo, Guardian, IllIllI, JC, Lambda, MEP, Metatron, MiloTruck, Noah3o6, NoamYakov, PaludoX0, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, SooYa, TomJ, Tomio, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, apostle0x01, asutorufos, ballx, benbaessler, bharg4v, bobirichman, brgltd, cryptonue, defsec, delfin454000, dharma09, djxploit, durianSausage, eierina, erictee, fatherOfBlocks, gerdusx, gogo, hake, hyh, ignacio, jag, kaden, kyteg, lucacez, mics, minhquanym, oyc_109, pfapostol, rbserver, ret2basic, robee, rokinot, sach1r0, saian, samruna, scaraven, sikorico, simon135, supernova, teddav, tofunmi, zeesaw

Awards

21.7291 USDC - $21.73

Labels

bug

G (Gas Optimization)

edited-by-warden

valid

External Links

Link to GitHub issue

[G- 01] Explicit initialization with zero and false not required

Impact

Explicit initialization with zero and false are not required for variable declaration because uints are 0 and bool are false by default. Removing this will reduce contract size and save a bit of gas.

Code in Question

contracts/Community.sol:L624        for (uint256 i = 0; i < _communities[_communityID].memberCount; i++) {

contracts/HomeFiProxy.sol:L87        for (uint256 i = 0; i < _length; i++) {

contracts/HomeFiProxy.sol:L136        for (uint256 i = 0; i < _length; i++) {

contracts/Project.sol:L248        for (uint256 i = 0; i < _length; i++) {

contracts/Project.sol:L311        for (uint256 i = 0; i < _length; i++) {

contracts/Project.sol:L322        for (uint256 i = 0; i < _length; i++) {

contracts/libraries/Tasks.sol:L181        for (uint256 i = 0; i < _length; i++) _alerts[i] = _self.alerts[i];

contracts/Project.sol:L412        bool _unapproved = false;

[G- 02] Cache Array Length Outside of Loop

Impact

Cache array length outside of loop to save gas.

Code in Question

contracts/Project.sol:L603  for (; i < _changeOrderedTask.length; i++) {

[G- 03] Use != 0 instead of > 0 for Unsigned Integer Comparison

Impact

When dealing with unsigned integer types, comparisons with != 0 are cheaper then with > 0.

Code in Question

contracts/Community.sol:L261 => if (projectPublished[_project] > 0) {
contracts/Community.sol:L425 => // First claim interest if principal lent > 0
contracts/Community.sol:L427 => _communities[_communityID].projectDetails[_project].lentAmount > 0
contracts/Community.sol:L764 => require(_repayAmount > 0, "Community:L!repay");
contracts/Community.sol:L840 => if (_interestEarned > 0) {
contracts/Disputes.sol:L107 => _actionType > 0 && _actionType <= uint8(ActionType.TaskPay),
contracts/HomeFi.sol:L245 => return projectTokenId[_project] > 0;
contracts/Project.sol:L195 => require(_cost > 0, "Project:L!value>0");
contracts/Project.sol:L380 => if (_leftOutTokens > 0) {
contracts/Project.sol:L601 => if (_changeOrderedTask.length > 0) {
contracts/Project.sol:L691 => if (_loopCount > 0) emit TaskAllocated(_tasksAllocated);
contracts/mock/HomeFiMock.sol:L171 => return projectTokenId[_project] > 0;

[G- 04] Replace ++I/I++ to UNCHECKED{++I}/UNCHECKED{I++} when it is not possible for them to overflow.

Impact

The unchecked keyword is new in solidity version 0.8.0, so this only applies to that version or higher, which these instances are. This saves 30-40 gas per loop

Code in Question

contracts/Community.sol:L624        for (uint256 i = 0; i < _communities[_communityID].memberCount; i++) {
contracts/HomeFiProxy.sol:L87        for (uint256 i = 0; i < _length; i++) {
contracts/HomeFiProxy.sol:L136        for (uint256 i = 0; i < _length; i++) {
contracts/Project.sol:L248        for (uint256 i = 0; i < _length; i++) {
contracts/Project.sol:L311        for (uint256 i = 0; i < _length; i++) {
contracts/Project.sol:L322        for (uint256 i = 0; i < _length; i++) {
contracts/Project.sol:L603            for (; i < _changeOrderedTask.length; i++) {

[G- 05] ++i costs less gas than i++, especially when it's used in for-loops ( same for --i/i--)

Code in Question

contracts/Community.sol:L624        for (uint256 i = 0; i < _communities[_communityID].memberCount; i++) {
contracts/HomeFiProxy.sol:L87        for (uint256 i = 0; i < _length; i++) {
contracts/HomeFiProxy.sol:L136        for (uint256 i = 0; i < _length; i++) {
contracts/Project.sol:L248        for (uint256 i = 0; i < _length; i++) {
contracts/Project.sol:L311        for (uint256 i = 0; i < _length; i++) {
contracts/Project.sol:L322        for (uint256 i = 0; i < _length; i++) {
contracts/Project.sol:L603            for (; i < _changeOrderedTask.length; i++) {

[G- 06] Splitting require() statements that use && saves gas

Impact

Similar issue can be found here. Split the require statements to save gas.

Code in Question

https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Community.sol#L353-L357 https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Disputes.sol#L61-L65 https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Disputes.sol#L106-L109

[G- 07] Use custom errors rather than revert()/require() strings

Impact

Custom errors are available from solidity version 0.8.4. Custom errors save ~50 gas each time they’re hit by avoiding having to allocate and store the revert string. Consider using custom errors rather than revert()/require() strings to save gas.

Code in Question

#0 - zgorizzo69
2022-08-09T09:47:38Z

thanks for your work

Rigor Protocol contest - erictee's results

Community lending and instant payments for new home construction.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-83] QA Report - $40.62

Findings Information

Awards

Labels

External Links

[L-01] Missing checks for address(0x0) when assigning values to address state variables.

Code in Question

[L-02] Missing Initializer modifier

Code in Question

[G-42] Gas Report - $21.73

Findings Information

Awards

Labels

External Links

[G- 01] Explicit initialization with zero and false not required

Impact

Code in Question

[G- 02] Cache Array Length Outside of Loop

Impact

Code in Question

[G- 03] Use != 0 instead of > 0 for Unsigned Integer Comparison

Impact

Code in Question

[G- 04] Replace ++I/I++ to UNCHECKED{++I}/UNCHECKED{I++} when it is not possible for them to overflow.

Impact

Code in Question

[G- 05] ++i costs less gas than i++, especially when it's used in for-loops ( same for --i/i--)

Code in Question

[G- 06] Splitting require() statements that use && saves gas

Impact

Code in Question

[G- 07] Use custom errors rather than revert()/require() strings

Impact

Code in Question

#0 - zgorizzo692022-08-09T09:47:38Z

#0 - zgorizzo69
2022-08-09T09:47:38Z