Platform: Code4rena
Start Date: 25/01/2022
Pot Size: $50,000 USDT
Total HM: 17
Participants: 39
Period: 3 days
Judge: LSDan
Total Solo HM: 9
Id: 79
League: ETH
Rank: 10/39
Findings: 3
Award: $1,597.56
π Selected for report: 2
π Solo Findings: 1
π Selected for report: pedroais
1556.9237 USDT - $1,556.92
pedroais
If penalties are set to 0 the protocol would be vulnerable to price manipulations like the one described in the contest documentation.
The protocol uses economic penalties to punish withdraws to protect against economic price manipulation attacks. If these penalties are set to 0 in the creation of a token launch the sale would be vulnerable to this kind of attack. The penalties should never be 0 for any token sale.
The economic attack that could be done with 0 penalties is detailed on page 7 of the whitepaper.
I consider this to be a medium risk since it could completely invalidate a token launch but it's still unlikely (but possible) the creators will set penalties to 0. This could be done by mistake or by the creators of the launch event to exploit it themselves.
Require penalties to be greater than 0 either in the initializer function or in the factory.
#0 - cryptofish7
2022-02-10T14:13:50Z
Disagree with severity, should be 1
#1 - dmvt
2022-02-23T13:07:52Z
I agree with the warden on risk here.
π Selected for report: pedroais
39.7792 USDT - $39.78
pedroais
Save gas
The cheaper operation should be done first to save gas . auctionStart == 0 is cheaper than block.timestamp < auctionStart https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/LaunchEvent.sol#L291
#0 - cryptofish7
2022-02-10T14:11:43Z
pedroais
!= 0 is cheaper than >0 for uint
checking if a unit != 0 is cheaper and equivalent to checking if it's greater than 0 Mitigation Steps
#0 - cryptofish7
2022-01-31T12:00:08Z
Duplicate of #240