Back to leosathya's contests

VTVL contest - leosathya's results

Building no-code token management tools to empower web3 founders and investors, starting with token vesting.

General Information

Platform: Code4rena

Start Date: 20/09/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 198

Period: 3 days

Judge: 0xean

Total Solo HM: 2

Id: 164

League: ETH

VTVL

Findings Distribution

Researcher Performance

Rank: 91/198

Findings: 2

Award: $28.01

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryVTVL

Findings Information

🌟 Selected for report: AkshaySrivastav

Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x5rings, 0x85102, 0xA5DF, 0xDecorativePineapple, 0xNazgul, 0xSky, 0xSmartContract, 0xbepresent, 0xf15ers, 0xmatt, 2997ms, Aeros, Aymen0909, B2, Bahurum, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, Diraco, Dravee, ElKu, Funen, IllIllI, JC, JLevick, JohnSmith, JohnnyTime, KIntern_NA, Lambda, Margaret, MasterCookie, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, SooYa, StevenL, TomJ, Tomo, V_B, Waze, Yiko, __141345__, a12jmx, ajtra, ak1, async, ayeslick, aysha, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, cccz, ch13fd357r0y3r, chatch, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dic0de, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, gogo, got_targ, hansfriese, ignacio, ikbkln, indijanc, innertia, joestakey, karanctf, ladboy233, leosathya, lukris02, martin, medikko, millersplanet, nalus, natzuu, neko_nyaa, neumo, obront, oyc_109, pcarranzav, peanuts, pedr02b2, pedroais, peiw, peritoflores, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, rokinot, romand, rotcivegaf, rvierdiiev, sach1r0, seyni, sikorico, slowmoses, sorrynotsorry, supernova, tibthecat, tnevler, ubermensch, yongskiws, zzykxx, zzzitron

Awards

18.9219 USDC - $18.92

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

[L-01] Use of Floating Pragma

Use of Floating(^) Pragma in Contract file VariableSupplyERC20Token.sol

There is 1 instance of this issue:

** File : token/VariableSupplyERC20Token.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/token/VariableSupplyERC20Token.sol#L2

Contracts should be deployed using the same compiler version with which they have been tested. Locking the pragma (for e.g. by not using ^ in pragma solidity 0.8.14) ensures that contracts do not accidentally get deployed using an older compiler version with unfixed bugs.

[L-02] setAdmin() Should be a 2 step process

There is 1 instance of this issue:

The critical procedures like Admin change should always be a two step process.

**File : ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/AccessProtected.sol#L39-L44

Proof Of Concept

It would be much better if we use a 2 step process for critical address change In a smartContract, like here we can create 2 functions setAdmin() and updateAdmin(). Here setAdmin() function keeps new_address in storage rather than modifying current Admin address. Then updateAdmin() functions checks whether msg.sender == new_address or not which means new Admin signs transaction and verifies himself as the new Admin, after then Admin storage will updated with new_address.

Lack of two-step procedure for critical operations leaves them error-prone. Consider adding two step procedure on the critical functions.

[L-03] Division before Multiplication

Performing multiplication before division is generally better to avoid loss of precision because Solidity integer division might truncate.

**File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L169

prefer multiplication before division. i.e Instead (a/b)c use (ac)/b this gives more accurate result

[N-01] Use msg.sender instead of _msgSender()

_msgSender() is a replacement for msg.sender. For regular transactions it returns msg.sender and for meta transactions it can be used to return the end user (rather than the relayer).

There are 12 instances of this issue:

** File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L364 ** File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L367 ** File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L371 ** File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L388 ** File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L391 ** File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L407 ** File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L410 ** File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L450 ** File : AccessProtected.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/AccessProtected.sol#L17 ** File : AccessProtected.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/AccessProtected.sol#L18 ** File : AccessProtected.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/AccessProtected.sol#L25 ** File : token/FullPremintERC20Token.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/token/FullPremintERC20Token.sol#L12 ** File : token/VariableSupplyERC20Token.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/token/VariableSupplyERC20Token.sol#L32

It is recommended to use msg.sender instead of _msgSender(), If the corresponding contract is not dealing with meta transaction, or don't have any meta transaction implementation.

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x85102, 0xA5DF, 0xDanielC, 0xNazgul, 0xSmartContract, 0xbepresent, 0xc0ffEE, 0xsam, 2997ms, AkshaySrivastav, Amithuddar, Atarpara, Aymen0909, B2, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, DimitarDimitrov, Diraco, Funen, JC, JLevick, JohnSmith, Junnon, KIntern_NA, Lambda, MasterCookie, Matin, Noah3o6, Ocean_Sky, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, Saintcode_, Satyam_Sharma, Sm4rty, SnowMan, SooYa, Sta1400, StevenL, Tadashi, Tagir2003, TomJ, Tomio, Tomo, V_B, Waze, WilliamAmbrozic, Yiko, __141345__, a12jmx, adriro, ajtra, ak1, async, aysha, beardofginger, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, caventa, ch0bu, cryptostellar5, cryptphi, csanuragjain, d3e4, delfin454000, dharma09, djxploit, durianSausage, eighty, emrekocak, erictee, exd0tpy, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, got_targ, hxzy, ignacio, ikbkln, imare, indijanc, jag, jpserrat, karanctf, ladboy233, leosathya, lucacez, lukris02, m9800, malinariy, martin, medikko, mics, millersplanet, mrpathfindr, nalus, natzuu, neko_nyaa, oyc_109, pauliax, peanuts, pedroais, peiw, pfapostol, prasantgupta52, rbserver, ret2basic, rokinot, rotcivegaf, rvierdiiev, sach1r0, samruna, seyni, slowmoses, subtle77, supernova, tgolding55, tibthecat, tnevler, w0Lfrum, yaemsobak, zishansami

Awards

9.0866 USDC - $9.09

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

[G-01] NO NEED TO EXPLICITLY INITIALIZE VARIABLES WITH DEFAULT VALUES

Here Uints initiaziled with 0, which is not necessary cause its by default value is zero

There is 2 instance of this issue:

**File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L27 **File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L148

Instead of initializing default leave them as it is. For ex : Instead of doing uint x = 0; leave them as it is uint x;

both are same, second one is more gas optimized.

[G-02] INSTEAD OF USING DUPLICATE REQUIRE(), LOGIC SHOULD ENCLOSED INSIDE A MODIFIER, AND USED WHENEVER REQUIRED

The require condition require(address(_tokenAddress) != address(0), "INVALID_ADDRESS"); used multiple times

There is 2 Instances of this issue:

**File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L82 **File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L255

This require() statement should enclosed inside a modifier and should used in

[G-03] >= COSTS LESS GAS THAN >

There is 4 instance of this issue:

**File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L154 **File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L166 **File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L374 **File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L426 **File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L449

Instead of using < try to use <= whenever possible

[G-04] <x> = <x> + <y> is more gas efficient than use of <x> += <y>

In many instances <x> += <y> This type of syntax are used, Those can optimized to previous one i.e <x> = <x> + <y>

There are 6 instances of this issue:

**File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L161 **File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L179 **File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L301 **File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L381 **File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L383 **File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L433

[G-05] INSTEAD OF USING && INSIDE REQUIRE(), IT SHOULD BE SPLIT INTO INDIVIDUALS. THIS IS MORE GAS EFFICIENT

        require(
		_startTimestamps.length == length &&
		_linearVestAmounts.length == length &&
		_cliffAmounts.length == length,
		"ARRAY_LENGTH_MISMATCH"
	);

TO require(_startTimestamps.length ,"ARRAY_LENGTH_MISMATCH"); require(_linearVestAmounts.length ,"ARRAY_LENGTH_MISMATCH"); require(_cliffAmounts.length ,"ARRAY_LENGTH_MISMATCH");

There are 2 instances of this issue:

**File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L344-L350 **File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L270-L278

[G-06] ] SHOULD OPTIMIZED FOR LOOP

There is 1 instance of this issue:

**File : VTVLVesting.sol ** => https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L353-L355

. Should not initialize uint with default value i.e uint i=0 TO uint i; . Should use ++i instead i++ . Should uncheck i++

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter