Platform: Code4rena
Start Date: 22/09/2023
Pot Size: $100,000 USDC
Total HM: 15
Participants: 175
Period: 14 days
Judge: alcueca
Total Solo HM: 4
Id: 287
League: ETH
Rank: 119/175
Findings: 1
Award: $25.68
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MrPotatoMagic
Also found by: 0xAadi, 0xDING99YA, 0xDemon, 0xRstStn, 0xSmartContract, 0xStriker, 0xWaitress, 0xbrett8571, 0xfuje, 0xsagetony, 0xsurena, 33BYTEZZZ, 3docSec, 7ashraf, ABA, ABAIKUNANBAEV, Aamir, Audinarey, Bauchibred, Black_Box_DD, Daniel526, DanielArmstrong, DanielTan_MetaTrust, Dinesh11G, Eurovickk, Franklin, Inspecktor, John, Jorgect, Joshuajee, K42, Kek, Koolex, LokiThe5th, MIQUINHO, Myd, NoTechBG, QiuhaoLi, SanketKogekar, Sathish9098, Sentry, Soul22, SovaSlava, Stormreckson, Tendency, Topmark, Udsen, V1235816, Viktor_Cortess, Viraz, Yanchuan, ZdravkoHr, Zims, albahaca, albertwh1te, alexweb3, alexxander, ast3ros, audityourcontracts, bareli, bin2chen, bronze_pickaxe, c0pp3rscr3w3r, cartlex_, castle_chain, chaduke, debo, ether_sky, gumgumzum, imare, its_basu, jaraxxus, jasonxiale, josephdara, kodyvim, ladboy233, lanrebayode77, lsaudit, mert_eren, minhtrng, n1punp, nadin, niroh, nmirchev8, orion, peakbolt, perseverancesuccess, pfapostol, ptsanev, rvierdiiev, saneryee, shaflow2, te_aut, terrancrypt, twcctop, unsafesol, ustas, versiyonbir, windhustler, yongskiws, zhaojie, ziyou-
25.6785 USDC - $25.68
[L-01] - use abi.encodeCall instead of abi.encodeWithSelector for more type safety.
[L-02] - use create2 or add msg.sender as the salt in factory contracts during deployment to achieve determinicity and avoid re-org attacks, mainly on Polygon
[L-03] - direct usage of callOutAndBridge and callOutAndBridgeMultiple from the branch agents would revert due to no allowance and eat user gas. Put some kind of access control so that these functions are only callable by routers, which do the necessary approvals beforehand.
[L-04] - in VirtualAccount calling payableCall with more native token will revert instead of simply refunding the excess, being unfavorable for the caller who will lose his gas, since the revert occurs after the loop
[L-05] - no 0 address checks for the _refundee addresses
#0 - c4-pre-sort
2023-10-15T13:31:15Z
0xA5DF marked the issue as sufficient quality report
#1 - 0xA5DF
2023-10-15T13:31:19Z
L1 is in bot report
#2 - c4-judge
2023-10-21T13:11:44Z
alcueca marked the issue as grade-a