Platform: Code4rena
Start Date: 22/09/2023
Pot Size: $100,000 USDC
Total HM: 15
Participants: 175
Period: 14 days
Judge: alcueca
Total Solo HM: 4
Id: 287
League: ETH
Rank: 135/175
Findings: 1
Award: $11.47
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MrPotatoMagic
Also found by: 0xAadi, 0xDING99YA, 0xDemon, 0xRstStn, 0xSmartContract, 0xStriker, 0xWaitress, 0xbrett8571, 0xfuje, 0xsagetony, 0xsurena, 33BYTEZZZ, 3docSec, 7ashraf, ABA, ABAIKUNANBAEV, Aamir, Audinarey, Bauchibred, Black_Box_DD, Daniel526, DanielArmstrong, DanielTan_MetaTrust, Dinesh11G, Eurovickk, Franklin, Inspecktor, John, Jorgect, Joshuajee, K42, Kek, Koolex, LokiThe5th, MIQUINHO, Myd, NoTechBG, QiuhaoLi, SanketKogekar, Sathish9098, Sentry, Soul22, SovaSlava, Stormreckson, Tendency, Topmark, Udsen, V1235816, Viktor_Cortess, Viraz, Yanchuan, ZdravkoHr, Zims, albahaca, albertwh1te, alexweb3, alexxander, ast3ros, audityourcontracts, bareli, bin2chen, bronze_pickaxe, c0pp3rscr3w3r, cartlex_, castle_chain, chaduke, debo, ether_sky, gumgumzum, imare, its_basu, jaraxxus, jasonxiale, josephdara, kodyvim, ladboy233, lanrebayode77, lsaudit, mert_eren, minhtrng, n1punp, nadin, niroh, nmirchev8, orion, peakbolt, perseverancesuccess, pfapostol, ptsanev, rvierdiiev, saneryee, shaflow2, te_aut, terrancrypt, twcctop, unsafesol, ustas, versiyonbir, windhustler, yongskiws, zhaojie, ziyou-
11.4657 USDC - $11.47
/// @notice Address for Local Router used for custom actions for different hApps.
hApps instead of dApps
/// @notice Address for Local Router used for custom actions for different dApps.
* | callOutMultiple0x2 | 1b(n) + 20b(recipient) + 4b | 32b + 32b + 32b + 32b | --- |
callOutMultiple0x2 instead of callOutMultiple = 0x2
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchPort.sol#L248-L254 No check for equal array length, could lead to array mismatch
function bridgeInMultiple( address _recipient, address[] memory _localAddresses, address[] memory _underlyingAddresses, uint256[] memory _amounts, uint256[] memory _deposits ) external override requiresBridgeAgent { // Cache Length uint256 length = _localAddresses.length; // Loop through token inputs for (uint256 i = 0; i < length;) {
check that all arrays length are equally in length
require(length == _underlyingAddresses.length, "mis-match"); require(length == _amounts.length, "mis-match"); require(length == _deposits.length, "mis-match");
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/CoreRootRouter.sol#L83 Consider adding initialize modifier to ensure the function is not called again after setting it once.
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootPort.sol#L60-L61 The code indicates a mapping from a uint256 to a bool, to show if a particular chainId is active or not, but the comment states a difference description which is mis-leading.
/// @notice Mapping from address to Bridge Agent. mapping(uint256 chainId => bool isActive) public isChainId;
Consider changing to the correct comment.
/// @notice Mapping from chainId(uint256) to bool(indicating activeness). mapping(uint256 chainId => bool isActive) public isChainId;
#0 - c4-pre-sort
2023-10-15T13:31:44Z
0xA5DF marked the issue as sufficient quality report
#1 - c4-judge
2023-10-21T13:12:09Z
alcueca marked the issue as grade-b