Connext contest - s1m0's results

The interoperability protocol of L2 Ethereum.

General Information

Platform: Code4rena

Start Date: 09/07/2021

Pot Size: $25,000 USDC

Total HM: 7

Participants: 10

Period: 3 days

Judge: ghoulsol

Total Solo HM: 2

Id: 19

League: ETH

Connext

Findings Distribution

Researcher Performance

Rank: 7/10

Findings: 2

Award: $656.64

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Connext

Findings Information

🌟 Selected for report: 0xRajeev

Also found by: cmichel, gpersoon, pauliax, s1m0, shw

Labels

bug

duplicate

3 (High Risk)

sponsor confirmed

Awards

402.1396 USDC - $402.14

External Links

Link to GitHub issue

Handle

s1m0

Vulnerability details

In that block of code there are 2 external call inside a try/catch statements. In both the catch the toSend amount is transferred to the fallback receiver address effectively transferring twice if the 2 external call fail.

Impact

In the fulfill() function the fallback receiver address could get twice the toSend amount.

Tools Used

Manual analysis.

Recommended Mitigation Steps

A possible mitigation would be to return in the 1 catch and revert in the 2 catch. Consider if make sense to emit a new Event in the catch.

#0 - LayneHaber
2021-07-12T19:41:51Z

#46

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Auditors

Browse

Contests

Browse

Get in touch

Contact Twitter

Findings Information

🌟 Selected for report: s1m0

Labels

bug

G (Gas Optimization)

sponsor acknowledged

Awards

224.978 USDC - $224.98

External Links

Link to GitHub issue

Handle

s1m0

Vulnerability details

Impact

The following variables are being assigned their default value so it's not needed.

Proof of Concept

l.571
l.572

Tools Used

Manual Analysis

Recommended Mitigation Steps

Remove the assignments for saving a bit of gas when deploying.

#0 - LayneHaber
2021-07-13T17:39:35Z

We are taking out the loop in favor of the EnumerableSet from OpenZeppelin

Findings Information

🌟 Selected for report: shw

Also found by: 0xRajeev, cmichel, greiart, s1m0

Labels

bug

duplicate

G (Gas Optimization)

Awards

29.5216 USDC - $29.52

External Links

Link to GitHub issue

Handle

s1m0

Vulnerability details

Impact

Multiple require() are not needed because the constraints are implicitly checked when doing the mathematical operation in solidity > 0.8.0

Proof of Concept

l.122 implicitly checked on l.125.
l.254 implicitly checked on l.260.
l.328 implicitly checked on l.364.
l.475 implicitly checked on l.520.

Tools Used

Manual analysis

Recommended Mitigation Steps

Consider removing those require() to save some gas unless you need to revert with specific messages.

#0 - LayneHaber
2021-07-13T17:35:26Z

#74

Connext contest - s1m0's results

The interoperability protocol of L2 Ethereum.

General Information

Findings Distribution

Researcher Performance

External Links

[H-03] The fallback receiver address could get twice the toSend amount - $402.14

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Tools Used

Recommended Mitigation Steps

#0 - LayneHaber2021-07-12T19:41:51Z

Gas Report - $254.50

Gas Report - $254.50

🚀 [G-12] Assignment of variables not needed - $224.98

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - LayneHaber2021-07-13T17:39:35Z

[G-06] Multiple require() not needed - $29.52

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - LayneHaber2021-07-13T17:35:26Z

#0 - LayneHaber
2021-07-12T19:41:51Z

#0 - LayneHaber
2021-07-13T17:39:35Z

#0 - LayneHaber
2021-07-13T17:35:26Z