XDEFI contest - hack3r-0m's results

The fastest wallet in DeFi.

General Information

Platform: Code4rena

Start Date: 04/01/2022

Pot Size: $25,000 USDC

Total HM: 3

Participants: 40

Period: 3 days

Judge: Ivo Georgiev

Total Solo HM: 1

Id: 75

League: ETH

XDEFI

Findings Distribution

Researcher Performance

Rank: 24/40

Findings: 1

Award: $67.64

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository XDEFI

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Auditors

Browse

Contests

Browse

Get in touch

Contact Twitter

Findings Information

🌟 Selected for report: leastwood

Also found by: StErMi, WatchPug, cmichel, danb, egjlmn1, gpersoon, hack3r-0m, harleythedog, kenzo

Labels

bug

duplicate

1 (Low Risk)

sponsor confirmed

Awards

30.2712 USDC - $30.27

External Links

Link to GitHub issue

Handle

hack3r-0m

Vulnerability details

https://github.com/XDeFi-tech/xdefi-distribution/blob/master/contracts/XDEFIDistribution.sol#L142

there is no incentive for end-users to call updateDistribution() function and hence the value of _pointsPerUnit being stale can result in improper calculations of distribution.

Tools Used

Manual Review

Recommended Mitigation Steps

call it internally before every lock
take precautions to check values are not stale i.e it was updated at least once in "x" blocks

#0 - deluca-mike
2022-01-08T00:03:10Z

Agreed. We will call updateDistribution() before all locks, unlocks, and relocks.

#1 - deluca-mike
2022-01-09T11:06:46Z

Duplicate #30

Findings Information

🌟 Selected for report: cccz

Also found by: Jujic, Tomio, WatchPug, agusduha, certora, hack3r-0m, jayjonah8, ye0lde

Labels

bug

duplicate

1 (Low Risk)

sponsor acknowledged

Awards

37.3718 USDC - $37.37

External Links

Link to GitHub issue

Handle

hack3r-0m

Vulnerability details

https://github.com/XDeFi-tech/xdefi-distribution/blob/master/contracts/XDEFIDistribution.sol#L80

check the length of durations_ and multipliers is equal and revert if it is not resulting in gas savings rather than delayed revert.

#0 - deluca-mike
2022-01-08T03:17:06Z

We try to reduce gas costs for happy path, not for sad path. Assuming lengths are equal (which they will be in the overwhelming majority of the time), it is cheaper not to check them. Further, most wallets (and certainly the one we use) will alert the user if a transaction is going to fail, so it will never waste gas anyway.

#1 - deluca-mike
2022-01-09T11:00:41Z

Duplicate #38

XDEFI contest - hack3r-0m's results

The fastest wallet in DeFi.

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $67.64

QA Report - $67.64

[L-01] stale `_pointsPerUnit` if `updateDistribution` frequently - $30.27

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Tools Used

Recommended Mitigation Steps

#0 - deluca-mike2022-01-08T00:03:10Z

#1 - deluca-mike2022-01-09T11:06:46Z

[L-02] confirm if lengths are equal before looping - $37.37

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

#0 - deluca-mike2022-01-08T03:17:06Z

#1 - deluca-mike2022-01-09T11:00:41Z

#0 - deluca-mike
2022-01-08T00:03:10Z

#1 - deluca-mike
2022-01-09T11:06:46Z

#0 - deluca-mike
2022-01-08T03:17:06Z

#1 - deluca-mike
2022-01-09T11:00:41Z