Platform: Code4rena
Start Date: 09/09/2022
Pot Size: $42,000 USDC
Total HM: 2
Participants: 101
Period: 3 days
Judge: hickuphh3
Total Solo HM: 2
Id: 161
League: ETH
Rank: 43/101
Findings: 1
Award: $33.58
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0x040, 0x1f8b, 0x4non, 0x52, 0x85102, 0xNazgul, 0xSky, 0xSmartContract, Aymen0909, Bnke0x0, CertoraInc, Chandr, Chom, CodingNameKiki, Deivitto, Diana, Funen, JC, Jeiwan, Junnon, KIntern_NA, Lambda, Mohandes, Noah3o6, Ocean_Sky, Picodes, R2, Randyyy, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Samatak, Sm4rty, SnowMan, SooYa, StevenL, Tagir2003, Tointer, TomJ, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, bharg4v, bobirichman, brgltd, c3phas, cccz, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dipp, djxploit, durianSausage, erictee, fatherOfBlocks, gogo, got_targ, hansfriese, horsefacts, hyh, ignacio, innertia, izhuer, karanctf, ladboy233, leosathya, lucacez, lukris02, mics, oyc_109, pashov, pauliax, prasantgupta52, rbserver, ret2basic, rfa, robee, rokinot, rotcivegaf, rvierdiiev, sach1r0, scaraven, sikorico, simon135, smiling_heretic, sorrynotsorry, unforgiven, wagmi, yixxas
33.5761 USDC - $33.58
Consider changing the order of the following instances math operators such that multiplications comes before divisions to improve calculation precision with no cost.
Use openzeppelin safeTransfer() method instead of transfer() in the following locations.
Missing checks for zero-addresses may lead to infunctional protocol. In this case the function is an initializer then the value can be passed only once and is important to be validated. If the variable addresses are updated incorrectly.
For instance, TribalChief.sol#L140
There is no check for the access to be in the array bounds.
The following calls ignores the return value of the called function that might indicate the the call failed.
It is good to have a timelock for functions that set key/critical variables.
Some tokens (like USDT L199) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.
You should use safe math for solidity version <8 since there is no default over/under flow check it those versions.'
For instance, DSTest.sol
The following condition statements are based on block number that can be manipulated by a malicious miner.
Some contracts does not support 0 transfer, then the transaction will revert with no explanation. We recommend to add a require statement that the amount is not 0.
The process of transferring ownership is dangerous since typing the wrong address can lead to severe implications. It is better to have to steps verification process with set and claim functions to decrease the chances of human error. Consider changing to two steps verification process of transferring privileges. Human mistakes can happen.
According to the ERC20 specs, the approve function is allowed to return a success value, that may be negative. Same as transfer return value, approve return value should be handled.
A state variable of type 'address' is set without a non-zero verification. This can lead to undesired behavior.
I didn't see a use of using payable in the following functions, consider changing it.
Using both named returns and a return statement isn't necessary. Removing one of those can improve code clarity.
To record the initialize parameters for off-chain monitoring and transparency reasons, you might find it useful to emit an event after the initialize() functions
A good practice is to use constant variables instead of hardcoded strings in the code.
When changing state variables events are not emitted. Emitting events allows monitoring activities with off-chain monitoring tools.
--
#0 - HickupHH3
2022-10-08T08:14:51Z
most of the issues mentioned had files that were OOS. spray and pray something sticks report style is frankly a waste of the sponsor and judge's time.