Axelar Network v2 contest - lucacez's results

Decentralized interoperability network.

General Information

Platform: Code4rena

Start Date: 29/07/2022

Pot Size: $50,000 USDC

Total HM: 6

Participants: 75

Period: 5 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 149

League: ETH

Researcher Performance

Rank: 26/75

Findings: 2

Award: $89.05

🌟 Selected for report: 0

🚀 Solo Findings: 0

MISSING CHECKS FOR ADDRESS(0X0) WHEN ASSIGNING VALUES TO ADDRESS STATE VARIABLES

1- File: contracts/deposit-service/AxelarDepositService.sol (line 19)

receiverImplementation = address(new ReceiverImplementation(gateway, wrappedSymbol));

2- File: contracts/deposit-service/AxelarDepositService.sol (line 27)

gatewayAddress = gatewayAddress_;

CONST/IMMUTABLE VARIABLES MUST BE WRITTEN IN UPPERCASE LETTERS

1- File: contracts/deposit-service/AxelarDepositService.sol (line 16)

address public immutable receiverImplementation;

2- File: contracts/deposit-service/DepositBase.sol (line 13)

address public immutable gateway;

3- File: contracts/deposit-service/DepositBase.sol (line 14)

bytes32 internal immutable wrappedSymbolBytes;

4- File: xc20/contracts/XC20Wrapper.sol (line 24)

address public immutable gatewayAddress;

USE A MORE RECENT VERSION OF SOLIDITY

Use Solidity 0.8.12 or later so that string.concat() can be used instead of abi.encodePacked(<str>,<str>).
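An added illustration of the zero-address finding above, not taken from the report or from Axelar's code: the same constructor assignment without and with the check. Contract, error and parameter names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added illustration; all names here are hypothetical.

// Pattern flagged in the report: the argument is stored without validation.
contract GatewayHolderUnchecked {
    // Immutable: fixed at deployment, so a zero value can only be
    // corrected by deploying a new contract.
    address public immutable gatewayAddress;

    constructor(address gatewayAddress_) {
        gatewayAddress = gatewayAddress_;
    }
}

// Same constructor with the check applied.
contract GatewayHolderChecked {
    error InvalidAddress();

    address public immutable gatewayAddress;

    constructor(address gatewayAddress_) {
        // Reject the zero address before it is written into the immutable.
        if (gatewayAddress_ == address(0)) revert InvalidAddress();
        gatewayAddress = gatewayAddress_;
    }
}
```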

#0 - re1ro

2022-08-05T03:37:14Z

1- Dup #3

2- Ack

3- Dup #3

#1 - GalloDaSballo

2022-09-01T00:14:11Z

MISSING CHECKS FOR ADDRESS(0X0) WHEN ASSIGNING VALUES TO ADDRESS STATE VARIABLES

L

CONST/IMMUTABLE VARIABLES MUST BE WRITTEN IN UPPERCASE LETTERS

R

USE A MORE RECENT VERSION OF SOLIDITY

NC

1L 1R 1NC

++I/I++ SHOULD BE UNCHECKED{++I}/UNCHECKED{I++} WHEN IT IS NOT POSSIBLE FOR THEM TO OVERFLOW, AS IS THE CASE WHEN USED IN FOR- AND WHILE-LOOPS

1- File: contracts/AxelarGateway.sol (line 195)

for (uint256 i; i < adminCount; ++i) {

2- File: contracts/AxelarGateway.sol (line 207)

for (uint256 i = 0; i < symbols.length; i++) {

3- File: contracts/AxelarGateway.sol (line 292)

for (uint256 i; i < commandsLength; ++i) {

4- File: contracts/gas-service/AxelarGasService.sol (line 123)

for (uint256 i; i < tokens.length; i++) {

5- File: contracts/deposit-service/AxelarDepositService.sol (line 114)

for (uint256 i; i < refundTokens.length; i++) {

6- File: contracts/deposit-service/AxelarDepositService.sol (line 168)

for (uint256 i; i < refundTokens.length; i++) {

7- File: contracts/deposit-service/AxelarDepositService.sol (line 204)

for (uint256 i; i < refundTokens.length; i++) {

8- File: contracts/auth/AxelarAuthWeighted.sol (line 17)

for (uint256 i; i < recentOperators.length; ++i) {

9- File: contracts/auth/AxelarAuthWeighted.sol (line 69)

for (uint256 i = 0; i < weightsLength; ++i) {

10- File: contracts/auth/AxelarAuthWeighted.sol (line 98)

for (uint256 i = 0; i < signatures.length; ++i) {

11- File: contracts/auth/AxelarAuthWeighted.sol (line 116)

for (uint256 i; i < accounts.length - 1; ++i) {

++I COSTS LESS GAS THAN I++, ESPECIALLY WHEN IT'S USED IN FOR-LOOPS (--I/I-- TOO)

1- File: contracts/AxelarGateway.sol (line 207)

for (uint256 i = 0; i < symbols.length; i++) {

2- File: contracts/gas-service/AxelarGasService.sol (line 123)

for (uint256 i; i < tokens.length; i++) {

3- File: contracts/deposit-service/AxelarDepositService.sol (line 114)

for (uint256 i; i < refundTokens.length; i++) {

4- File: contracts/deposit-service/AxelarDepositService.sol (line 168)

for (uint256 i; i < refundTokens.length; i++) {

5- File: contracts/deposit-service/AxelarDepositService.sol (line 204)

for (uint256 i; i < refundTokens.length; i++) {

<ARRAY>.LENGTH SHOULD NOT BE LOOKED UP IN EVERY LOOP OF A FOR-LOOP

Even memory arrays incur the overhead of bit tests and bit shifts to calculate the array length

1- File: contracts/AxelarGateway.sol (line 207)

for (uint256 i = 0; i < symbols.length; i++) {

2- File: contracts/gas-service/AxelarGasService.sol (line 123)

for (uint256 i; i < tokens.length; i++) {

3- File: contracts/deposit-service/AxelarDepositService.sol (line 114)

for (uint256 i; i < refundTokens.length; i++) {

4- File: contracts/deposit-service/AxelarDepositService.sol (line 168)

for (uint256 i; i < refundTokens.length; i++) {

5- File: contracts/deposit-service/AxelarDepositService.sol (line 204)

for (uint256 i; i < refundTokens.length; i++) {

6- File: contracts/auth/AxelarAuthWeighted.sol (line 17)

for (uint256 i; i < recentOperators.length; ++i) {

7- File: contracts/auth/AxelarAuthWeighted.sol (line 98)

for (uint256 i = 0; i < signatures.length; ++i) {

8- File: contracts/auth/AxelarAuthWeighted.sol (line 116)

for (uint256 i; i < accounts.length - 1; ++i) {

IT COSTS MORE GAS TO INITIALIZE NON-CONSTANT/NON-IMMUTABLE VARIABLES TO ZERO THAN TO LET THE DEFAULT OF ZERO BE APPLIED

Not overwriting the default for stack variables saves 8 gas. Storage and memory variables have larger savings

1- File: contracts/AxelarGateway.sol (line 207)

for (uint256 i = 0; i < symbols.length; i++) {

2- File: contracts/auth/AxelarAuthWeighted.sol (line 69)

for (uint256 i = 0; i < weightsLength; ++i) {

3- File: contracts/auth/AxelarAuthWeighted.sol (line 98)

for (uint256 i = 0; i < signatures.length; ++i) {

<X> += <Y> COSTS MORE GAS THAN <X> = <X> + <Y> FOR STATE VARIABLES

There are 2 instances of this issue:

1- File: contracts/auth/AxelarAuthWeighted.sol (line 70)

totalWeight += newWeights[i];

2- File: contracts/auth/AxelarAuthWeighted.sol (line 105)

weight += weights[operatorIndex];

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/auth/AxelarAuthWeighted.sol

#0 - re1ro

2022-08-05T03:37:37Z

Dup #2

#1 - GalloDaSballo

2022-08-23T00:52:16Z

Less than 300
