Back to jonatascm's contests

Nouns Builder contest - jonatascm's results

A permissionless, governed protocol to deploy nouns-style DAOs complete with treasury, generative collections, and governance mechanisms.

General Information

Platform: Code4rena

Start Date: 06/09/2022

Pot Size: $90,000 USDC

Total HM: 33

Participants: 168

Period: 9 days

Judge: GalloDaSballo

Total Solo HM: 10

Id: 157

League: ETH

Nouns Builder

Findings Distribution

Researcher Performance

Rank: 121/168

Findings: 1

Award: $60.77

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryNouns Builder

Findings Information

🌟 Selected for report: Lambda

Also found by: 0x1337, 0x1f8b, 0x4non, 0x85102, 0xA5DF, 0xNazgul, 0xSmartContract, 0xbepresent, 0xc0ffEE, 8olidity, Aymen0909, B2, Bnke0x0, CRYP70, Captainkay, CertoraInc, Ch_301, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, DimitarDimitrov, ElKu, EthLedger, Franfran, Funen, GimelSec, JansenC, Jeiwan, Jujic, Lead_Belly, MEP, MasterCookie, MiloTruck, Noah3o6, PPrieditis, PaludoX0, Picodes, PwnPatrol, R2, Randyyy, RaymondFam, Respx, ReyAdmirado, Rolezn, Samatak, Tointer, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ak1, asutorufos, azephiar, ballx, bharg4v, bin2chen, bobirichman, brgltd, bulej93, c3phas, cccz, ch0bu, cloudjunky, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, davidbrai, delfin454000, dharma09, dic0de, dipp, djxploit, eierina, erictee, fatherOfBlocks, gogo, hansfriese, hyh, imare, indijanc, izhuer, jonatascm, ladboy233, leosathya, lucacez, lukris02, m9800, martin, minhtrng, ne0n, neumo, oyc_109, p_crypt0, pashov, pauliax, pcarranzav, pedr02b2, peritoflores, pfapostol, rbserver, ret2basic, robee, rvierdiiev, sach1r0, sahar, scaraven, sikorico, simon135, slowmoses, sorrynotsorry, tnevler, tonisives, volky, yixxas, zkhorse, zzzitron

Awards

60.7749 USDC - $60.77

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Floating pragma is risky

Target codebase

All contracts in lib folder

Vulnerability details

The codebase uses floating pragma. All contracts should be compiled with same pragma version. Locking the pragma ensures that contracts do not accidentally get deployed using either an outdated buggy compiler version or a compiler version different from what the code has been tested with.

Recommended Mitigation Steps

Use the same compiler version for all contracts by setting a specific version e.g. 0.8.17  for these contracts. Version 0.8.17 fixed important bugs.

Missing gap storage variable

Target codebase

All storage contracts

Vulnerability details

Upgradeable contract is missing a __gap[50] storage variable to allow for new storage variables in later versions

Recommended Mitigation Steps

Add __gap variable at end of each storage contract:

+ uint256[50] __gap;

Missing bounds validation in set functions

Target codebase

https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L310

https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L318

https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L326

https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L335

Vulnerability details

In each set function in Auction contract is missing upper/lower bound validation, in setMinimumBidIncrement function the owner could set it to maximum of 255% instead of 100%.

Recommended Mitigation Steps

Add upper/lower bound check to prevent.

#0 - GalloDaSballo

2022-09-27T00:22:32Z

1L(validation) 2NC

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter