Platform: Code4rena
Start Date: 06/09/2022
Pot Size: $90,000 USDC
Total HM: 33
Participants: 168
Period: 9 days
Judge: GalloDaSballo
Total Solo HM: 10
Id: 157
League: ETH
Rank: 80/168
Findings: 2
Award: $107.81
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Lambda
Also found by: 0x1337, 0x1f8b, 0x4non, 0x85102, 0xA5DF, 0xNazgul, 0xSmartContract, 0xbepresent, 0xc0ffEE, 8olidity, Aymen0909, B2, Bnke0x0, CRYP70, Captainkay, CertoraInc, Ch_301, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, DimitarDimitrov, ElKu, EthLedger, Franfran, Funen, GimelSec, JansenC, Jeiwan, Jujic, Lead_Belly, MEP, MasterCookie, MiloTruck, Noah3o6, PPrieditis, PaludoX0, Picodes, PwnPatrol, R2, Randyyy, RaymondFam, Respx, ReyAdmirado, Rolezn, Samatak, Tointer, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ak1, asutorufos, azephiar, ballx, bharg4v, bin2chen, bobirichman, brgltd, bulej93, c3phas, cccz, ch0bu, cloudjunky, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, davidbrai, delfin454000, dharma09, dic0de, dipp, djxploit, eierina, erictee, fatherOfBlocks, gogo, hansfriese, hyh, imare, indijanc, izhuer, jonatascm, ladboy233, leosathya, lucacez, lukris02, m9800, martin, minhtrng, ne0n, neumo, oyc_109, p_crypt0, pashov, pauliax, pcarranzav, pedr02b2, peritoflores, pfapostol, rbserver, ret2basic, robee, rvierdiiev, sach1r0, sahar, scaraven, sikorico, simon135, slowmoses, sorrynotsorry, tnevler, tonisives, volky, yixxas, zkhorse, zzzitron
62.1937 USDC - $62.19
Constructors should check the address written in an immutable address variable is not the zero address
There is 10 instance of this issue:
File : Token.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/token/Token.sol#L30-L31
File : Manager.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/manager/Manager.sol#L62-L66
File : Treasury.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/treasury/Treasury.sol#L33
File : Governer.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L41-L43
File : Auction.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L40-L41
check for zero address
Should check the addresses before assigning them to state variables
There is 2 instance of this issue:
File : Token.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/token/Token.sol#L65-L66
File : Governer.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L41-L43
File : Auction.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L79
check for zero address
_addFounder() used Nested For loops on Dynamic Array inside which forther internal function calls occur which makes state change, This is quite gas consuming, if length of Dynamic Array will too long, then it leads to Block gas limit exceed condition.
There is 1 instance of this issue:
File : Token.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/token/Token.sol#L71-L125
. Use Small size array as Input . Make a Boundary for input array length
_mint() is discouraged in favor of _safeMint() which ensures that the recipient is either an EOA or implements IERC721Receiver. Both OpenZeppelin and solmate have versions of this function
There is 1 instance of this issue:
File : Token.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/token/Token.sol#L161
Use SafeMint function.
_authorizeUpgrade() function is just blank block which doing nothing, At least it should emit a events when Implemented address changes
File : Manager.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/manager/Manager.sol#L209-L210
3 dynamic array are take as input parameter and then used in a For loop, There is no code syntax for checking 3 arrays are of same length or not. As a Human error Owner can copy paste array of different length that ultimately result in function fail.
File : Treasury.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/treasury/Treasury.sol#L141-L172
Should have condition to check that all arrays have same length.
Use OpenZeppelin’s ECDSA contract rather than calling ecrecover() directly
There is 1 instance of this issue:
File : Governer.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L236
uint check absent for _reservePrice, during initialization in Auction contract, which can be set to 0 at the time of initialization
File : Auction.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L78
In Auction contract critical settings (Important variables regarding auction) can be changed by owner anytime using functions like setDuration(), setReservePrice(), setTimeBuffer(), setMinimumBidIncrement()
File : Auction.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L307-L311 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L315-L319 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L323-L327 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L331-L335
There should be some governace system with a Timelock feature, that gives Audience to make their decisions
No check presents for input parameter percentage in function setMinimumBidIncrement(), that could be Any orbitary amount. This could lead to a Front-Running case,
File : Auction.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L331-L335
There should be a Timelock feature for changing critical feature like this, that gives Audience to make their decisions
Their is no check for return value of IWETH.transfer that could lead to the Eth loss for bidder in Auction contract.
File : Auction.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L363
There should be a return value check present for IWETH.transfer More important here Contract using Pushing instaed of Pulling which can lead to DoS if attacker intend to so, and he will lose his fund
#0 - GalloDaSballo
2022-09-27T00:25:47Z
L
R (graceful error)
L
L
Not upgrading as I believe the report doesn't capture the risk other mentioned
Not mentioned I disagree with
3L 1R
🌟 Selected for report: pfapostol
Also found by: 0x1f8b, 0x4non, 0x5rings, 0xA5DF, 0xSmartContract, 0xc0ffEE, 0xkatana, Aymen0909, Bnke0x0, CertoraInc, Chandr, CodingNameKiki, Cr4ckM3, Deivitto, DimSon, Franfran, JAGADESH, JC, Jeiwan, Lambda, LeoS, Matin, Metatron, Migue, MiloTruck, PPrieditis, PaludoX0, R2, RaymondFam, Respx, ReyAdmirado, Rolezn, Saintcode_, Samatak, SnowMan, StevenL, Tointer, TomJ, Tomo, WatchDogs, Waze, _Adam, __141345__, ajtra, asutorufos, ballx, brgltd, bulej93, c3phas, ch0bu, dharma09, djxploit, durianSausage, easy_peasy, fatherOfBlocks, gianganhnguyen, gogo, imare, leosathya, lucacez, martin, oyc_109, pauliax, peiw, prasantgupta52, ret2basic, rfa, robee, sikorico, simon135, tofunmi, volky, wagmi, zishansami
45.6207 USDC - $45.62
There is 4 instance of this issue:
File : Token.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/token/Token.sol#L88
File : Governer.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#280 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#285 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#290
for example ::
if ((totalOwnership += uint8(founderPct)) > 100) revert INVALID_FOUNDER_OWNERSHIP();
if ((totalOwnership = totalOwnership + uint8(founderPct)) > 100) revert INVALID_FOUNDER_OWNERSHIP();
The compiler uses opcodes GT and ISZERO for solidity code that uses >, but only requires LT for >=, which saves 3 gas
There is 5 instance of this issue:
File : Auction.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L106 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L122 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L141 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L346
File : Governer.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#128
Here "founder" variable first initialized to its default value, then after again changed to other value and checked in if condition
File : Manager.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/manager/Manager.sol#L114-L117
address founder; if ((founder = _founderParams[0].wallet) == address(0)) revert FOUNDER_REQUIRED();
address founder = _founderParams[0].wallet; if ((founder) == address(0)) revert FOUNDER_REQUIRED();
File : Governer.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L195 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L117-L120
Booleans are more expensive than uint256 or any type that takes up a full word because each write operation emits an extra SLOAD to first read the slot's contents, replace the bits taken up by the boolean, and then write back. This is the compiler's defense against contract upgrades and pointer aliasing, and it cannot be disabled.
Use uint256(1) and uint256(2) for true/false to avoid a Gwarmaccess (100 gas) for the extra SLOAD, and to avoid Asset (20000 gas) when changing from ‘false’ to ‘true’, after having been ‘true’ in the past
File : Governer.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L264
Use uint256 in hasVoted mapping instead bool
hashProposal() code repeated in 2 contract files
File : Treasury.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/treasury/Treasury.sol#L98-L105
File : Governer.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L101-L108
shift these code of hashProposal() to a separate library, and this library in above contract files
The code should be refactored such that they no longer exist, or the block should do something useful, such as emitting an event or reverting.
_authorizeUpgrade() function is just blank block which doing nothing, At least it should emit a events when Implemented address changes
File : Manager.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/manager/Manager.sol#L209-L210
If a function modifier such as onlyOwner is used, the function will revert if a normal user tries to pay the function. Marking the function as payable will lower the gas cost for legitimate callers because the compiler will not include checks for whether a payment was provided.
File : Governer.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#564 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#572 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#580 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#588 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#596 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#605
File : Treasury.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/treasury/Treasury.sol#L98-L116 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/treasury/Treasury.sol#L98-L180
File : Manager.sol https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/manager/Manager.sol#L187 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/manager/Manager.sol#L196 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/manager/Manager.sol#L209
#0 - GalloDaSballo
2022-09-26T20:04:59Z
500 for the memory in external arrays, rest is misguided