PartyDAO contest - leosathya's results

A protocol for buying, using, and selling NFTs as a group.

General Information

Platform: Code4rena

Start Date: 12/09/2022

Pot Size: $75,000 USDC

Total HM: 19

Participants: 110

Period: 7 days

Judge: HardlyDifficult

Total Solo HM: 9

Id: 160

League: ETH

PartyDAO

Findings Distribution

Researcher Performance

Rank: 39/110

Findings: 2

Award: $118.20

🌟 Selected for report: 0

🚀 Solo Findings: 0

[L-01] FLOATING PRAGMA USED, PRAGMA SHOULD BE LOCKED

Contracts should be deployed using the same compiler version and flags with which they have been tested. Locking the pragma (e.g. by not using ^ in pragma solidity 0.8) ensures that contracts do not accidentally get deployed using any other compiler version with unfixed bugs.

There are 24 instances of this issue:

File : crowdfund/AuctionCrowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/AuctionCrowdfund.sol#L02
File : crowdfund/BuyCrowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/BuyCrowdfund.sol#L02
File : crowdfund/CollectionBuyCrowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/CollectionBuyCrowdfund.sol#L02
File : crowdfund/CrowdfundFactory.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/CrowdfundFactory.sol#L02
File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L02
File : crowdfund/CrowdfundNFT.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/CrowdfundNFT.sol#L02
File : renderers/CrowdfundNFTRenderer.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/renderers/CrowdfundNFTRenderer.sol#L02
File : renderers/PartyGovernanceNFTRenderer.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/renderers/PartyGovernanceNFTRenderer.sol#L02
File : renderers/CrowdfundNFTRenderer.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/renderers/CrowdfundNFTRenderer.sol#L02
File : distribution/TokenDistributor.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L02
File : proposals/ArbitraryCallsProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ArbitraryCallsProposal.sol#L02
File : proposals/FractionalizeProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/FractionalizeProposal.sol#L02
File : proposals/ProposalExecutionEngine.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ProposalExecutionEngine.sol#L02
File : proposals/ListOnZoraProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ListOnZoraProposal.sol#L02
File : proposals/ListOnOpenseaProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ListOnOpenseaProposal.sol#L02
File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L02
File : globals/Globals.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/globals/Globals.sol#L02

Mitigation

Should lock the pragma version.

[L-02] ABSENCE OF ZERO ADDRESS CHECK

There are 22 instances of this issue:

File : crowdfund/CrowdfundFactory.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/CrowdfundFactory.sol#L26
File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L119
File : crowdfund/CrowdfundNFT.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/CrowdfundNFT.sol#L35
File : renderers/CrowdfundNFTRenderer.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/renderers/CrowdfundNFTRenderer.sol#L22
File : renderers/PartyGovernanceNFTRenderer.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/renderers/PartyGovernanceNFTRenderer.sol#L44
File : renderers/CrowdfundNFTRenderer.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/renderers/CrowdfundNFTRenderer.sol#L22
File : distribution/TokenDistributor.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L94
File : distribution/TokenDistributor.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L100
File : distribution/TokenDistributor.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L119
File : distribution/TokenDistributor.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L121
File : proposals/FractionalizeProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/FractionalizeProposal.sol#L35
File : proposals/ProposalExecutionEngine.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ProposalExecutionEngine.sol#L94
File : proposals/ListOnZoraProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ListOnZoraProposal.sol#L71
File : proposals/ListOnZoraProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ListOnZoraProposal.sol#L72
File : proposals/ListOnOpenseaProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ListOnOpenseaProposal.sol#L114-L116
File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L267
File : globals/Globals.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/globals/Globals.sol#L24
File : globals/Globals.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/globals/Globals.sol#L28

Mitigation

Should add a zero address check before assigning a parameter to a state variable.

[L-03] ADD CONSTRUCTOR INITIALIZERS

As per OpenZeppelin’s (OZ) recommendation, “The guidelines are now to make it impossible for anyone to run initialize on an implementation contract, by adding an empty constructor with the initializer modifier. So the implementation contract gets initialized automatically upon deployment.”

Alternatively, add the initializer modifier to the _initialize() function.

There are 4 instances of this issue:

File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L124
File : crowdfund/CrowdfundNFT.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/CrowdfundNFT.sol#L41
File : proposals/ProposalExecutionEngine.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ProposalExecutionEngine.sol#L99
File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L271
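The two mitigations above (the OZ empty constructor pattern from L-03 and the zero address check from L-02) on a hypothetical clone-style implementation contract, written for this report as an added illustration; it is not PartyDAO's code, and the hand-written initializer guard stands in for the one OpenZeppelin's Initializable provides:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

// Hypothetical implementation contract that clones delegatecall into (not
// PartyDAO's code). Before: initialize() carries no guard, so it can also be
// run directly on the bare implementation and re-run on any clone.
contract ImplementationBefore {
    address public owner;

    function initialize(address owner_) external {
        owner = owner_; // unguarded: callable on the implementation itself
    }
}

// After: a one-shot initializer guard (same shape as OZ's Initializable).
// The empty constructor with the `initializer` modifier spends the one-shot in
// the implementation's own storage at deployment, so nobody can initialize it
// later. Each clone has fresh storage (_initialized == false) and can still
// be initialized exactly once through delegatecall.
contract ImplementationAfter {
    bool private _initialized;
    bool private _initializing;
    address public owner;

    modifier initializer() {
        require(_initializing || !_initialized, "Already initialized");
        bool isTopLevel = !_initializing;
        if (isTopLevel) {
            _initializing = true;
            _initialized = true;
        }
        _;
        if (isTopLevel) {
            _initializing = false;
        }
    }

    // Runs once, in the implementation's own storage: marks it initialized.
    constructor() initializer {}

    function initialize(address owner_) external initializer {
        // L-02: reject the zero address before it reaches a state variable
        require(owner_ != address(0), "Zero address");
        owner = owner_;
    }
}
```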

[L-04] _SAFEMINT() SHOULD BE USED RATHER THAN _MINT() WHEREVER POSSIBLE

File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L480

[N-01] SHOULD RETURN A NAMED RETURN VALUE

File : renderers/PartyGovernanceNFTRenderer.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/renderers/PartyGovernanceNFTRenderer.sol#L90
File : renderers/PartyGovernanceNFTRenderer.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/renderers/PartyGovernanceNFTRenderer.sol#L110
File : renderers/PartyGovernanceNFTRenderer.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/renderers/PartyGovernanceNFTRenderer.sol#L175

[G-01] >= COSTS LESS GAS THAN >

There are 10 instances of this issue:

File : crowdfund/AuctionCrowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/AuctionCrowdfund.sol#L172
File : distribution/TokenDistributor.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L167
File : distribution/TokenDistributor.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L335
File : proposals/ListOnZoraProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ListOnZoraProposal.sol#L103
File : proposals/ListOnZoraProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ListOnZoraProposal.sol#L188
File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L280
File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L283
File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L433-L435
File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L682
File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L754

[G-02] <x> += <y> costs more gas than <x> = <x> + <y> for state variables

There are 10 instances of this issue:

File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L243
File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L352
File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L355
File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L359
File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L411
File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L427
File : distribution/TokenDistributor.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L381
File : proposals/ArbitraryCallsProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ArbitraryCallsProposal.sol#L72
File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L596
File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L960

[G-03] STATE VARIABLE CALL THAT COULD BE CACHED

Inside ListOnOpenseaProposal.sol, fees.length is read multiple times and could be cached in memory.

File : proposals/ListOnOpenseaProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ListOnOpenseaProposal.sol#L271
File : proposals/ListOnOpenseaProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ListOnOpenseaProposal.sol#L283
File : proposals/ListOnOpenseaProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ListOnOpenseaProposal.sol#L291

[G-04] FOR LOOPS SHOULD BE OPTIMIZED

There are 11 instances of this issue:

File : crowdfund/CollectionBuyCrowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/CollectionBuyCrowdfund.sol#L62
File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L180
File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L242
File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L300
File : crowdfund/Crowdfund.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L348
File : distribution/TokenDistributor.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L230
File : distribution/TokenDistributor.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L239
File : proposals/ArbitraryCallsProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ArbitraryCallsProposal.sol#L52
File : proposals/ArbitraryCallsProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ArbitraryCallsProposal.sol#L61
File : proposals/ArbitraryCallsProposal.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/ArbitraryCallsProposal.sol#L78
File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L306

- Should not initialize uint with its default value, i.e. uint i = 0 should be uint i;
- Should cache the array length in a memory/stack variable and use that variable in the loop condition check
- Should use ++i instead of i++
- Should wrap the i++ increment in unchecked { }
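All four changes above applied to one loop, as an added illustration on a hypothetical contract (not PartyDAO's code), with the unoptimized version kept beside it for comparison:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

// Hypothetical contract (not PartyDAO's code) that sums stored contributions.
contract LoopGas {
    uint256[] public contributions;

    function add(uint256 amount) external {
        contributions.push(amount);
    }

    // Before: i explicitly set to 0, contributions.length re-read from storage
    // (an SLOAD) on every iteration, and i++ with checked arithmetic, which
    // also keeps a copy of the old value that is never used.
    function totalBefore() external view returns (uint256 total) {
        for (uint256 i = 0; i < contributions.length; i++) {
            total += contributions[i];
        }
    }

    // After: i left at its default, the length cached once in a stack
    // variable, ++i, and the increment in unchecked {} because the loop
    // condition i < len already keeps i far below type(uint256).max.
    // The sum itself stays checked so an overflow still reverts.
    function totalAfter() external view returns (uint256 total) {
        uint256 len = contributions.length;
        for (uint256 i; i < len; ) {
            total += contributions[i];
            unchecked {
                ++i;
            }
        }
    }
}
```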

[G-05] DIVISION BY TWO SHOULD USE BIT SHIFTING

<x> / 2 is the same as <x> >> 1. The DIV opcode costs 5 gas, whereas SHR only costs 3 gas.

There is 1 instance of this issue:

File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L434

[G-06] USE UINTS INSTEAD OF BOOL AS ON CHANGING STATE IT COSTS LESS GAS

Booleans are more expensive than uint256 or any type that takes up a full word because each write operation emits an extra SLOAD to first read the slot's contents, replace the bits taken up by the boolean, and then write back. This is the compiler's defense against contract upgrades and pointer aliasing, and it cannot be disabled. Use uint256(1) and uint256(2) for bool values.

File : distribution/TokenDistributor.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L30
File : party/PartyGovernance.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L207
File : globals/Globals.sol => https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/globals/Globals.sol#L12
