Putty contest - rokinot's results

An order-book based american options market for NFTs and ERC20s.

General Information

Platform: Code4rena

Start Date: 29/06/2022

Pot Size: $50,000 USDC

Total HM: 20

Participants: 133

Period: 5 days

Judge: hickuphh3

Total Solo HM: 1

Id: 142

League: ETH

Putty

Findings Distribution

Researcher Performance

Rank: 68/133

Findings: 2

Award: $68.48

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Putty

Findings Information

🌟 Selected for report: xiaoming90

Also found by: 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xSolus, 0xf15ers, 0xsanson, AmitN, Bnke0x0, BowTiedWardens, Chom, David_, ElKu, Funen, GalloDaSballo, GimelSec, Hawkeye, IllIllI, JC, JohnSmith, Kaiziron, Kenshin, Lambda, Limbooo, MadWookie, Metatron, MiloTruck, Nethermind, Picodes, ReyAdmirado, Sneakyninja0129, StErMi, TomJ, Treasure-Seeker, TrungOre, Waze, Yiko, _Adam, __141345__, antonttc, async, aysha, catchup, cccz, cryptphi, csanuragjain, danb, datapunk, defsec, delfin454000, dirk_y, doddle0x, durianSausage, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, horsefacts, hubble, itsmeSTYJ, joestakey, oyc_109, pedroais, peritoflores, rajatbeladiya, reassor, robee, rokinot, samruna, saneryee, sashik_eth, shenwilly, shung, simon135, sseefried, unforgiven, zer0dot, zzzitron

Awards

47.1473 USDC - $47.15

Labels

bug

QA (Quality Assurance)

External Links

Link to GitHub issue

Summary

A single low / non-critical vulnerability was found.

`cancel()` can cancel the same order multiple times

L#526

Impact

Users could mistakenly cancel their orders multiple times, wasting funds in the meantime.

Recommended Mitigation Steps

A simple fix is adding a requirement to check if the order has been cancelled already, as seen below. The off-chain provider could also possibly mitigate this issue on their front end, although this is unknown.

require(msg.sender == order.maker, "Not your order");

bytes32 orderHash = hashOrder(order);

require(cancelledOrders[orderHash], "Order already cancelled");

// mark the order as cancelled
cancelledOrders[orderHash] = true;

emit CancelledOrder(orderHash, order);

Findings Information

🌟 Selected for report: GalloDaSballo

Also found by: 0v3rf10w, 0x1f8b, 0xA5DF, 0xDjango, 0xHarry, 0xKitsune, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xkatana, 0xsanson, ACai, Aymen0909, Bnke0x0, BowTiedWardens, Chom, ElKu, Fitraldys, Funen, Haruxe, Hawkeye, IllIllI, JC, JohnSmith, Kaiziron, Kenshin, Lambda, Limbooo, MadWookie, Metatron, MiloTruck, Picodes, PwnedNoMore, Randyyy, RedOneN, ReyAdmirado, Ruhum, Sm4rty, StErMi, StyxRave, TerrierLover, TomJ, Tomio, UnusualTurtle, Waze, Yiko, _Adam, __141345__, ajtra, ak1, apostle0x01, asutorufos, c3phas, cRat1st0s, catchup, codetilda, cryptphi, datapunk, defsec, delfin454000, durianSausage, exd0tpy, fatherOfBlocks, gogo, grrwahrr, hake, hansfriese, horsefacts, ignacio, jayfromthe13th, joestakey, ladboy233, m_Rassska, mektigboy, minhquanym, mrpathfindr, natzuu, oyc_109, rajatbeladiya, reassor, rfa, robee, rokinot, sach1r0, saian, sashik_eth, simon135, slywaters, swit, z3s, zeesaw, zer0dot

Awards

21.3338 USDC - $21.33

Labels

bug

G (Gas Optimization)

External Links

Link to GitHub issue

Constant variables only used inside the scope of the contract should be downgraded from public to private.

#L90 #L95 #L101

`setBaseURI()` and `setFee()` can be inlined in the constructor in order to remove JUMP opcodes, decreasing gas.

#L209-219

setBaseURI(_baseURI); setFee(_fee); weth = _weth;

<= is cheaper than < due to lower checks. this optimization will keep the contract's logic intact.

#L287

L#498

In this case, >=1 is functionally identical to >0.

!= 0 checks are cheaper than > 0 checks with the optimizer on.

#L293

`require()` becomes cheaper if the error message has less than 32 characters.

L#398 L#401

e.g. "Must be a long position"

Do not initialize variables if you will assign them as 0 since they start at 0 by default.

L#497 L#594 L#611 L#627 L#637 L#647 L#658 L#670 L#728 L#742

Putty contest - rokinot's results

An order-book based american options market for NFTs and ERC20s.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-64] QA Report - $47.15

Findings Information

Awards

Labels

External Links

Summary

cancel() can cancel the same order multiple times

Impact

Recommended Mitigation Steps

[G-75] Gas Report - $21.33

Findings Information

Awards

Labels

External Links

Constant variables only used inside the scope of the contract should be downgraded from public to private.

setBaseURI() and setFee() can be inlined in the constructor in order to remove JUMP opcodes, decreasing gas.

<= is cheaper than < due to lower checks. this optimization will keep the contract's logic intact.

!= 0 checks are cheaper than > 0 checks with the optimizer on.

require() becomes cheaper if the error message has less than 32 characters.

Do not initialize variables if you will assign them as 0 since they start at 0 by default.

<array>.length should be cached

the loop iterator ++i is cheaper than i++

iterators should be left unchecked as they have no risk of overflowing.

!= comparisons for uint will consume less gas than >

`cancel()` can cancel the same order multiple times

`setBaseURI()` and `setFee()` can be inlined in the constructor in order to remove JUMP opcodes, decreasing gas.

`require()` becomes cheaper if the error message has less than 32 characters.

`<array>.length` should be cached

the loop iterator `++i` is cheaper than `i++`

`!=` comparisons for `uint` will consume less gas than `>`