Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 198
Period: 3 days
Judge: 0xean
Total Solo HM: 2
Id: 164
League: ETH
Rank: 75/198
Findings: 2
Award: $29.04
π Selected for report: 0
π Solo Findings: 0
π Selected for report: AkshaySrivastav
Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x5rings, 0x85102, 0xA5DF, 0xDecorativePineapple, 0xNazgul, 0xSky, 0xSmartContract, 0xbepresent, 0xf15ers, 0xmatt, 2997ms, Aeros, Aymen0909, B2, Bahurum, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, Diraco, Dravee, ElKu, Funen, IllIllI, JC, JLevick, JohnSmith, JohnnyTime, KIntern_NA, Lambda, Margaret, MasterCookie, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, SooYa, StevenL, TomJ, Tomo, V_B, Waze, Yiko, __141345__, a12jmx, ajtra, ak1, async, ayeslick, aysha, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, cccz, ch13fd357r0y3r, chatch, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dic0de, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, gogo, got_targ, hansfriese, ignacio, ikbkln, indijanc, innertia, joestakey, karanctf, ladboy233, leosathya, lukris02, martin, medikko, millersplanet, nalus, natzuu, neko_nyaa, neumo, obront, oyc_109, pcarranzav, peanuts, pedr02b2, pedroais, peiw, peritoflores, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, rokinot, romand, rotcivegaf, rvierdiiev, sach1r0, seyni, sikorico, slowmoses, sorrynotsorry, supernova, tibthecat, tnevler, ubermensch, yongskiws, zzykxx, zzzitron
19.9529 USDC - $19.95
@param maxSupply_ - What's the maximum supply. The contract won't allow minting over this amount. Set to 0 for no limit.
the variable maxSupply is used as the supply amount that can be minted, not used to restrict the total supply,
we recommand the project change the name from maxSupply to mintable supply.
the test use TestERC20Token.sol to conduct the test,
but integration test and unit test for FullPermintERC20Token.sol and in VariableSupplyERC20Token.sol is needed.
for example, in the code,
the initial supply is 1000
because in the TestERC20Token.sol, the supply is multiple by decimals.
uint256 supplyToMint = initialSupply_ * (10 ** decimals());
but in FullPermintERC20Token.sol and in VariableSupplyERC20Token.sol
there is no such multiplication.
So please make sure we multiple by decimals before passing into the constructor of FullPermintERC20Token.sol and in VariableSupplyERC20Token.sol
Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
https://swcregistry.io/docs/SWC-103
in VariableSupplyERC20Token.sol
pragma solidity ^0.8.14;
modifier hasActiveClaim(address _recipient) { Claim storage _claim = claims[_recipient];
modifier hasNoClaim(address _recipient) { Claim storage _claim = claims[_recipient];
function vestedAmount(address _recipient, uint40 _referenceTs) public view returns (uint112) { Claim storage _claim = claims[_recipient]; return _baseVestedAmount(_claim, _referenceTs); }
function claimableAmount(address _recipient) external view returns (uint112) { Claim storage _claim = claims[_recipient]; return _baseVestedAmount(_claim, uint40(block.timestamp)) - _claim.amountWithdrawn; }
function claimableAmount(address _recipient) external view returns (uint112) { Claim storage _claim = claims[_recipient]; return _baseVestedAmount(_claim, uint40(block.timestamp)) - _claim.amountWithdrawn; }
the current project openzeppelin version is
"@openzeppelin/contracts": "^4.5.0",
which subject to the vulnerability below
https://security.snyk.io/package/npm/@openzeppelin%2Fcontracts
we recommand the project use the latest openzepplein version
contract VTVLVesting is Context, AccessProtected {
but AccessProtected already inherit Context.
We recommand write
contract VTVLVesting is AccessProtected {
π Selected for report: IllIllI
Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x85102, 0xA5DF, 0xDanielC, 0xNazgul, 0xSmartContract, 0xbepresent, 0xc0ffEE, 0xsam, 2997ms, AkshaySrivastav, Amithuddar, Atarpara, Aymen0909, B2, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, DimitarDimitrov, Diraco, Funen, JC, JLevick, JohnSmith, Junnon, KIntern_NA, Lambda, MasterCookie, Matin, Noah3o6, Ocean_Sky, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, Saintcode_, Satyam_Sharma, Sm4rty, SnowMan, SooYa, Sta1400, StevenL, Tadashi, Tagir2003, TomJ, Tomio, Tomo, V_B, Waze, WilliamAmbrozic, Yiko, __141345__, a12jmx, adriro, ajtra, ak1, async, aysha, beardofginger, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, caventa, ch0bu, cryptostellar5, cryptphi, csanuragjain, d3e4, delfin454000, dharma09, djxploit, durianSausage, eighty, emrekocak, erictee, exd0tpy, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, got_targ, hxzy, ignacio, ikbkln, imare, indijanc, jag, jpserrat, karanctf, ladboy233, leosathya, lucacez, lukris02, m9800, malinariy, martin, medikko, mics, millersplanet, mrpathfindr, nalus, natzuu, neko_nyaa, oyc_109, pauliax, peanuts, pedroais, peiw, pfapostol, prasantgupta52, rbserver, ret2basic, rokinot, rotcivegaf, rvierdiiev, sach1r0, samruna, seyni, slowmoses, subtle77, supernova, tgolding55, tibthecat, tnevler, w0Lfrum, yaemsobak, zishansami
9.086 USDC - $9.09
function setAdmin(address admin, bool isEnabled) public onlyAdmin {
function withdrawAdmin(uint112 _amountRequested) public onlyAdmin {
https://github.com/code-423n4/2022-01-xdefi-findings/issues/128
See this issue which describes the fact that there is a larger deployment gas cost, but with enough runtime calls, the change ends up being cheaper
require(_startTimestamps.length == length &&
Saves 6 gas per loop
for (uint256 i = 0; i < length; i++) {
for (uint256 i = 0; i < length; i++) {
uint112 public numTokensReservedForVesting = 0;