Canto contest - peritoflores's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 23/11/2022

Pot Size: $24,500 CANTO

Total HM: 5

Participants: 37

Period: 5 days

Judge: berndartmueller

Total Solo HM: 2

Id: 185

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 12/37

Findings: 2

Award: $73.58

QA:

grade-b

Gas:

grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Canto

Findings Information

🌟 Selected for report: 0xSmartContract

Also found by: Deivitto, Josiah, RaymondFam, aphak5010, cccz, cryptonue, gzeon, joestakey, keccak123, martin, peritoflores, rotcivegaf

Labels

bug

grade-b

QA (Quality Assurance)

Q-11

Awards

370.8153 CANTO - $59.89

External Links

Link to GitHub issue

QA Report for Canto (Nov-2022) by Perito Flores

[Q1] No zero address check in withdraw

The function withdraw() is missing zero address check for _recipient so it is possible to accidentally send ETH to zero address causing loss of funds

Code affected:

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/8f8fd84f1e60426a5e785d6b5b2524938271bb05/contracts/utils/Address.sol#L63

[Q2] Consider checking if the caller of `register()` and `assign()` is actually a smart contract

Maybe you could add a check to prevent EOA to call register or assign without being a smart contract.

As you are using already Oz you can perform this check in assign() and register()

if (!isContract(msg.sender) revert CallerMustbeAContract();

#0 - c4-judge
2023-01-02T12:59:39Z

berndartmueller marked the issue as grade-b

Findings Information

🌟 Selected for report: Tricko

Also found by: 0xhacksmithh, AkshaySrivastav, Awesome, Beepidibop, Deivitto, DijkstraDev, Dinesh11G, Englave, JC, Rahoz, RaymondFam, ReyAdmirado, SaeedAlipoor01988, Sathish9098, abiih, aphak5010, chaduke, chrisdior4, exolorkistis, gzeon, martin, nicobevi, oyc_109, peritoflores, rotcivegaf

Awards

84.7394 CANTO - $13.69

Labels

bug

G (Gas Optimization)

grade-b

G-24

External Links

Link to GitHub issue

Gas Report for Canto (Nov-2022) by Perito Flores

[G1] Use external instead of public for some functions

External modifier is cheaper than public so considering using external for the following functions

function register(address _recipient) public onlyUnregistered returns (uint256 tokenId) { |

function assign(uint256 _tokenId) public onlyUnregistered returns (uint256) {

function withdraw(uint256 _tokenId, address payable _recipient, uint256 _amount)

function distributeFees(uint256 _tokenId) public onlyOwner payable {

[G2] Remove zero address check for _recipient in register()

https://github.com/code-423n4/2022-11-canto/blob/2733fdd1bee73a6871c6243f92a007a0b80e4c61/CIP-001/src/Turnstile.sol#L89

First of all, the function _mint of OZ already checks that the address of recipient is different from zero so this checks is unnecessary . In addition, as I suggested in medium report, when you use _safeMint this check will not be required either.

[G3] msg.sender is cheaper than MSTORE and MREAD

https://github.com/code-423n4/2022-11-canto/blob/2733fdd1bee73a6871c6243f92a007a0b80e4c61/CIP-001/src/Turnstile.sol#L50-L52

https://github.com/code-423n4/2022-11-canto/blob/2733fdd1bee73a6871c6243f92a007a0b80e4c61/CIP-001/src/Turnstile.sol#L87

Maybe you prefer to keep code as it is for readability but accessing to msg.sender will always be cheaper than using a local variable.

While reading msg.sender will cost 2 gas every MSTORE and MREAD will cost 3 gas each

[G4] Use unchecked blocks in these lines

https://github.com/code-423n4/2022-11-canto/blob/2733fdd1bee73a6871c6243f92a007a0b80e4c61/CIP-001/src/Turnstile.sol#L137

https://github.com/code-423n4/2022-11-canto/blob/2733fdd1bee73a6871c6243f92a007a0b80e4c61/CIP-001/src/Turnstile.sol#L151

[G5] Delete onlyOwner modifier in `distributeFees`

https://github.com/code-423n4/2022-11-canto/blob/2733fdd1bee73a6871c6243f92a007a0b80e4c61/CIP-001/src/Turnstile.sol#L148

#0 - c4-judge
2022-11-29T19:37:52Z

berndartmueller marked the issue as grade-b

Canto contest - peritoflores's results

Execution layer for original work.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-11] QA Report - $59.89

Findings Information

Labels

Awards

External Links

QA Report for Canto (Nov-2022) by Perito Flores

[Q1] No zero address check in withdraw

Code affected:

[Q2] Consider checking if the caller of register() and assign() is actually a smart contract

#0 - c4-judge2023-01-02T12:59:39Z

[G-24] Gas Report - $13.69

Findings Information

Awards

Labels

External Links

Gas Report for Canto (Nov-2022) by Perito Flores

[G1] Use external instead of public for some functions

[G2] Remove zero address check for _recipient in register()

[G3] msg.sender is cheaper than MSTORE and MREAD

[G4] Use unchecked blocks in these lines

[G5] Delete onlyOwner modifier in distributeFees

#0 - c4-judge2022-11-29T19:37:52Z

[Q2] Consider checking if the caller of `register()` and `assign()` is actually a smart contract

#0 - c4-judge
2023-01-02T12:59:39Z

[G5] Delete onlyOwner modifier in `distributeFees`

#0 - c4-judge
2022-11-29T19:37:52Z