Platform: Code4rena
Start Date: 01/08/2022
Pot Size: $50,000 USDC
Total HM: 26
Participants: 133
Period: 5 days
Judge: Jack the Pug
Total Solo HM: 6
Id: 151
League: ETH
Rank: 41/133
Findings: 3
Award: $157.21
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L219 https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L386 https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Community.sol#L509
Methods requiring signed data which do not require that the signature has not already been used, e.g. Project.addTasks, Project.changeOrder, and Community.escrow; are vulnerable to signature replay attacks. For example, a malicious actor may take a past transaction on one of these methods and re-execute it by passing the same _data and _signature, causing unexpected effects.
It's recommended to require a nonce be passed with all signed data and that a check is performed to ensure that every individual data packet can only be executed once.
#0 - parv3213
2022-08-17T06:41:08Z
Subset of #162 #161
🌟 Selected for report: Lambda
Also found by: 0x1f8b, 0x52, 0xA5DF, 0xNazgul, 0xNineDec, 0xSmartContract, 0xSolus, 0xf15ers, 0xkatana, 0xsolstars, 8olidity, Aymen0909, Bahurum, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, Extropy, Funen, GalloDaSballo, Guardian, IllIllI, JC, Jujic, MEP, Noah3o6, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, SooYa, Soosh, Throne6g, TomJ, Tomio, TrungOre, Waze, Yiko, _Adam, __141345__, a12jmx, ajtra, ak1, arcoun, asutorufos, ayeslick, benbaessler, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, byndooa, c3phas, codexploder, cryptonue, cryptphi, defsec, delfin454000, dipp, djxploit, erictee, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, horsefacts, hyh, ignacio, indijanc, joestakey, kaden, mics, minhquanym, neumo, obront, oyc_109, p_crypt0, pfapostol, poirots, rbserver, robee, rokinot, rotcivegaf, sach1r0, saian, samruna, saneryee, scaraven, sikorico, simon135, sseefried, supernova
40.621 USDC - $40.62
The accounting logic used throughout the protocol assumes that the balance of tokens will not change during the lifecycle. As such, it is important that tokens used in the protocol do not contain any rebasing, fee-on-transfer, or similar balance changing logic. Failure to use static balance tokens will result in unexpected effects including locked funds and failed transactions.
It's recommended to take care in ensuring that tokens used in the protocol do not contain rebasing, fee-on-transfer, or similar balance changing logic.
🌟 Selected for report: c3phas
Also found by: 0x040, 0x1f8b, 0xA5DF, 0xNazgul, 0xSmartContract, 0xSolus, 0xc0ffEE, 0xkatana, 0xsam, 8olidity, Aymen0909, Bnke0x0, CertoraInc, Chinmay, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, Extropy, Fitraldys, Funen, GalloDaSballo, Guardian, IllIllI, JC, Lambda, MEP, Metatron, MiloTruck, Noah3o6, NoamYakov, PaludoX0, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, SooYa, TomJ, Tomio, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, apostle0x01, asutorufos, ballx, benbaessler, bharg4v, bobirichman, brgltd, cryptonue, defsec, delfin454000, dharma09, djxploit, durianSausage, eierina, erictee, fatherOfBlocks, gerdusx, gogo, hake, hyh, ignacio, jag, kaden, kyteg, lucacez, mics, minhquanym, oyc_109, pfapostol, rbserver, ret2basic, robee, rokinot, sach1r0, saian, samruna, scaraven, sikorico, simon135, supernova, teddav, tofunmi, zeesaw
21.7223 USDC - $21.72
In Project.raiseDispute, all values are decoded from _data, but only the first two values are used. The additional logic required to decode the last three values costs significant gas without any benefit.
Don't decode the final three values as they're not being used to reduce gas usage from 217449 to 216464.
uint256 over smaller uint types when possibleIn Disputes.raiseDispute, _actionType is decoded from _data and casted to a uint8 type. This is unnecessary and inefficient as the necessary logic can be performed with a uint256, and when compiled, _actionType gets casted back to uint256 costing additional gas in the process.
Decode _actionType as a uint256 in Disputes.raiseDispute to reduce gas usage from 217449 to 217412.
Throughout Community.sol and Project.sol, there are storage variables which are reused within the same method. This should be generally avoided as it is much more efficient to save a variable locally and retrieve from the stack or memory instead of storage.
Community.lendToProject, save _communities[_communityId] to a local variable to reduce gas usage from 190993 to 190425.Project.lendToProject, save builder to a local variable to reduce gas usage from 108069 to 107986Project.setComplete, save tasks[_taskId] to a local variable to reduce gas usage from 93713 to 93635Project.changeOrder, save tasks[_taskId] to a local variable to reduce gas usage from 75640 to 75459Throughout the contracts, suboptimal comparison operators are used.
Optimal comparison operators should be used as follows:
value != 0 instead of value > 0 to save 44 gasvalue > otherValue - 1 instead of value >= otherValue to save 38 gas