Platform: Code4rena
Start Date: 25/11/2021
Pot Size: $80,000 USDC
Total HM: 35
Participants: 32
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 27
Id: 59
League: ETH
Rank: 28/32
Findings: 2
Award: $155.86
🌟 Selected for report: 1
🚀 Solo Findings: 0
sabtikw
Detailed description of the impact of this finding.
zero address check is not present in the functions partialWithdrawGAS and emergencyWithdrawGas destination which could lead to loss of funds
Permissions.sol L#88-110
manual review
add zero address check in the functions partialWithdrawGAS, and emergencyWithdrawGas for destination.
#0 - 0xScotch
2021-12-10T01:12:17Z
#64
#1 - GalloDaSballo
2022-01-22T14:40:51Z
Duplicate of #64
🌟 Selected for report: sabtikw
56.5245 USDC - $56.52
sabtikw
storage variables are initialized in the contract and overwritten in the initializer function.
Auction.sol L#89 L#164 auctionLength AuctionBurnReserveSkew.sol L#25 auctionAverageLookback MaltDataLab.sol L#69 priceTarget
manual review
remove initialization outside of initializer function
#0 - GalloDaSballo
2021-12-31T14:40:14Z
This could be even worse @0xScotch , please note that for upgradeable contracts, default values set inline will default to 0 / false / 0x as the proxy you'll be using won't go through setting those default values
#1 - GalloDaSballo
2021-12-31T15:48:41Z
@0xScotch after careful review, I believe you need to urgently change the initialize function to set the default values.
If you use any proxy, those values will be set to 0.
Because initialize doesn't set them again, this can be dramattic
#2 - GalloDaSballo
2021-12-31T16:45:18Z
The warden didn't catch the higher severity finding so am leaving this as gas
#3 - 0xScotch
2022-01-03T14:32:12Z
Hey @GalloDaSballo sorry for the late reply. The contracts are not meant to be upgradeable, the use of initializable was a habitual one. We plan on completely removing initializable and just use contructors instead due to the contracts not being upgradeable.
#4 - GalloDaSballo
2022-01-03T15:11:20Z
@0xScotch Thank you for the clarification Because of this, I'll be re-evaluating some of the findings.
@0xScotch Please note that because you are not using a proxy for deploying, your contract initialize may get frontrun, switching to constructor solves as well as enabling the usage of immutable
#5 - 0xScotch
2022-01-03T16:18:45Z
Yes we are aware of the frontrunning issue too. We will absolutely be switching to constructors.