Platform: Code4rena
Start Date: 03/05/2022
Pot Size: $30,000 USDC
Total HM: 6
Participants: 93
Period: 3 days
Judge: gzeon
Id: 118
League: ETH
Rank: 23/93
Findings: 3
Award: $342.49
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: throttle
Also found by: 0xDjango, BowTiedWardens, WatchPug, defsec, dipp, fatherOfBlocks, gzeon, hake, reassor, shung, unforgiven
https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L480-L500 https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L441-L471
Time variable validations (daStartTime, mintlistStartTime, publicStartTime, claimsStartTime, selfRefundsStartTime) are only done in setPhaseTimes() and not even all validations. These validations should be performed:
I came to this conclusion taking into account the timeline written on line 117.
If you decide not to add validations as require in each setter function, at least set all validations in setPhaseTimes().
#0 - gzeoneth
2022-06-18T18:06:42Z
Duplicate of #27
🌟 Selected for report: defsec
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0x52, 0xDjango, 0xf15ers, 0xkatana, 0xliumin, AuditsAreUS, BowTiedWardens, CertoraInc, Cr4ckM3, Funen, GimelSec, Hawkeye, IllIllI, Kulk0, M0ndoHEHE, MaratCerby, Picodes, Ruhum, TerrierLover, TrungOre, VAD37, WatchPug, berndartmueller, broccolirob, catchup, cccz, cryptphi, csanuragjain, delfin454000, dirk_y, eccentricexit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, hubble, hyh, ilan, joestakey, kebabsec, kenta, kenzo, leastwood, m9800, marximimus, minhquanym, oyc_109, p4st13r4, pauliax, pedroais, peritoflores, plotchy, rajatbeladiya, reassor, rfa, robee, rotcivegaf, samruna, shenwilly, shung, simon135, sorrynotsorry, sseefried, teddav, throttle, tintin, unforgiven, z3s
30.2807 USDC - $30.28
ForgottenRunesWarriorsMinter.sol
L557 - the setLowestPrice() function should not allow setting lowestPrice > starPrice, it could generate inconsistencies in currentDaPrice().
L550 - the setStartPrice() function should not allow setting startPrice < lowestPrice, it could generate inconsistencies in currentDaPrice().
L564 L571 - if daDropInterval or daPriceCurveLength were set to zero by mistake, it would generate a temporary DoS in currentDaPrice() and consequently in bidSummon().
L441 L471 - In the setDaStartTime() or setSelfRefundsStartTime() functions, it is good to let you pass any date, it could generate a denial of services in the purchase functions.
🌟 Selected for report: BowTiedWardens
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xProf, 0xc0ffEE, 0xf15ers, 0xkatana, 0xliumin, ACai, AlleyCat, CertoraInc, Cityscape, Cr4ckM3, DavidGialdi, Dinddle, FSchmoede, Funen, GimelSec, Hawkeye, IllIllI, Kulk0, M0ndoHEHE, MaratCerby, MiloTruck, Picodes, RoiEvenHaim, Tadashi, TerrierLover, TrungOre, VAD37, WatchPug, antonttc, catchup, defsec, delfin454000, dirk_y, eccentricexit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, ilan, joestakey, kebabsec, kenta, kenzo, marximimus, minhquanym, noobie, oyc_109, p4st13r4, pauliax, rajatbeladiya, reassor, rfa, robee, rotcivegaf, saian, samruna, shenwilly, shung, simon135, slywaters, sorrynotsorry, throttle, unforgiven, z3s
15.4498 USDC - $15.45
ForgottenRunesWarriorsMinter.sol
L163 L220 L259 L355 - Less gas could be spent if these lines were made unckecked and instead of i++, ++i was made.
L287 L288 L289 L295 L391 -These lines can become unckecked since it is not necessary to validate these operations.
L390 - It is only used once in the function, so you would save 3 gas if you call line 391 directly.