Juicebox contest - karanctf's results

The decentralized fundraising and treasury protocol.

General Information

Platform: Code4rena

Start Date: 18/10/2022

Pot Size: $50,000 USDC

Total HM: 13

Participants: 67

Period: 5 days

Judge: Picodes

Total Solo HM: 7

Id: 172

League: ETH


Researcher Performance

Rank: 39/67

Findings: 1

Award: $37.88

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Low impact

[L-01] Use of block.timestamp

Block timestamps have historically been used for a variety of applications, such as entropy for random numbers (see the Entropy Illusion for further details), locking funds for periods of time, and various state-changing conditional statements that are time-dependent. Miners have the ability to adjust timestamps slightly, which can prove to be dangerous if block timestamps are used incorrectly in smart contracts.

JBTiered721DelegateStore.sol:903:      if (_storedTierOf[msg.sender][_tierId].lockedUntil >= block.timestamp) revert TIER_LOCKED();

[L-02] abi.encodePacked() should not be used with dynamic types when passing the result to a hash function such as keccak256()

JBIpfsDecoder.sol-24-    pure
JBIpfsDecoder.sol-25-    returns (string memory)
JBIpfsDecoder.sol-26-  {
JBIpfsDecoder.sol-27-    // Concatenate the hex string with the fixed IPFS hash part (0x12 and 0x20)
JBIpfsDecoder.sol:28:    bytes memory completeHexString = abi.encodePacked(bytes2(0x1220), _hexString);
JBIpfsDecoder.sol-29-
JBIpfsDecoder.sol-30-    // Convert the hex string to an hash
JBIpfsDecoder.sol-31-    string memory ipfsHash = _toBase58(completeHexString);
JBIpfsDecoder.sol-32-
JBIpfsDecoder.sol-33-    // Concatenate with the base URI
JBIpfsDecoder.sol:34:    return string(abi.encodePacked(_baseUri, ipfsHash));
JBIpfsDecoder.sol-35-  }
JBIpfsDecoder.sol-36-
JBIpfsDecoder.sol-37-  /**
JBIpfsDecoder.sol-38-    @notice

Non critical

[N-1] require()/revert() statements should have descriptive reason strings

JBTiered721Delegate.sol:216:    require(address(this) != codeOrigin);
JBTiered721Delegate.sol:218:    require(address(store) == address(0));

[N-2] Try making public functions internal if there is no external use; such functions often include division, multiplication, rounding, etc.

JBTiered721Delegate.sol:123:  function balanceOf(address _owner) public view override returns (uint256 balance) {
JBTiered721Delegate.sol:138:  function tokenURI(uint256 _tokenId) public view override returns (string memory) {
JBTiered721Delegate.sol:175:  function supportsInterface(bytes4 _interfaceId) public view override returns (bool) {
JBTiered721DelegateStore.sol:550:  function totalRedemptionWeight(address _nft) public view override returns (uint256 weight) {
JBTiered721DelegateStore.sol:585:  function tierIdOfToken(uint256 _tokenId) public pure override returns (uint256) {
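
The ambiguity that finding class L-02 refers to, as an added example (not part of the report or of the Juicebox code): a Python model of how abi.encodePacked and abi.encode lay out two string arguments. The input pairs are constructed, shaped like the (_baseUri, ipfsHash) call on line 34, and hashlib's sha3_256 is a stand-in for keccak256, which the Python standard library lacks.

```python
import hashlib

def encode_packed(*parts: str) -> bytes:
    """Model of abi.encodePacked for strings: raw bytes, no length, no padding."""
    return b"".join(p.encode("utf-8") for p in parts)

def _u256(n: int) -> bytes:
    return n.to_bytes(32, "big")

def _tail(data: bytes) -> bytes:
    # Dynamic value in standard ABI encoding: 32-byte length, then the data
    # right-padded with zeros to a multiple of 32 bytes.
    return _u256(len(data)) + data + b"\x00" * (-len(data) % 32)

def encode(*parts: str) -> bytes:
    """Model of abi.encode for strings: one offset per argument, then the tails."""
    tails = [_tail(p.encode("utf-8")) for p in parts]
    head, offset = b"", 32 * len(parts)
    for t in tails:
        head += _u256(offset)
        offset += len(t)
    return head + b"".join(tails)

def digest(preimage: bytes) -> str:
    # Stand-in hash (assumption): identical preimages collide under any hash,
    # keccak256 included, so the choice does not affect the result.
    return hashlib.sha3_256(preimage).hexdigest()

# Constructed inputs: same characters, different boundary between the arguments.
PAIR_A = ("ipfs://", "QmConstructedHash")
PAIR_B = ("ipfs://Qm", "ConstructedHash")

def packed_collides() -> bool:
    return digest(encode_packed(*PAIR_A)) == digest(encode_packed(*PAIR_B))

def encoded_collides() -> bool:
    return digest(encode(*PAIR_A)) == digest(encode(*PAIR_B))

if __name__ == "__main__":
    print("encodePacked preimages collide:", packed_collides())
    print("encode preimages collide:     ", encoded_collides())
```

The packed form loses the boundary between the two arguments, so it is only a concern where the result is hashed or otherwise used as an identifier; the length-prefixed form keeps the pairs distinct.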


#0 - c4-judge

2022-11-08T17:38:51Z

Picodes marked the issue as grade-b
