Platform: Code4rena
Start Date: 03/05/2022
Pot Size: $75,000 USDC
Total HM: 6
Participants: 55
Period: 7 days
Judge: Albert Chon
Total Solo HM: 2
Id: 116
League: COSMOS
Rank: 2/55
Findings: 3
Award: $13,156.60
๐ Selected for report: 1
๐ Solo Findings: 1
๐ Selected for report: sorrynotsorry
12969.6852 USDC - $12,969.69
https://github.com/code-423n4/2022-05-cudos/blob/de39cf3cd1f1e1cf211819b06d4acf6a043acda0/solidity/contracts/Gravity.sol#L453-L456 https://github.com/code-423n4/2022-05-cudos/blob/de39cf3cd1f1e1cf211819b06d4acf6a043acda0/solidity/contracts/Gravity.sol#L568-L573 https://github.com/code-423n4/2022-05-cudos/blob/de39cf3cd1f1e1cf211819b06d4acf6a043acda0/solidity/contracts/Gravity.sol#L579-L581
Calls inside loops that may address DoS.
Calls to external contracts inside a loop are dangerous (especially if the loop index can be user-controlled) because it could lead to DoS if one of the calls reverts or execution runs out of gas. Reference
Manual Review
Avoid combining multiple calls in a single transaction, especially when calls are executed as part of a loop Always assume that external calls can fail Implement the contract logic to handle failed calls
#0 - albertchon
2022-05-17T11:03:46Z
Would really only happen for malicious/non-standard ERC-20 tokens which could then just be ignored by the orchestrator. No way getting around doing the transfers for each token
๐ Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0xDjango, 0xkatana, AmitN, CertoraInc, Dravee, Funen, GermanKuber, GimelSec, Hawkeye, JC, MaratCerby, WatchPug, Waze, broccolirob, cccz, ch13fd357r0y3r, cryptphi, danb, defsec, delfin454000, dipp, dirk_y, ellahi, gzeon, hake, hubble, ilan, jah, jayjonah8, kebabsec, kirk-baird, m9800, orion, oyc_109, robee, shenwilly, simon135, sorrynotsorry
120.9348 USDC - $120.93
Floating Pragma used in CosmosToken.sol, Gravity.sol. Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma (i.e. by not using ^) helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
Reference
CosmosToken.sol, Gravity.sol files are having Solidity compiler version is 0.6.6 which is outdated. Currently the compiler version is v0.8.13.
It's recommended to deploy the contracts with below Solidity compilers;
0.5.16 - 0.5.17 0.6.11 - 0.6.12 0.7.5 - 0.7.6 0.8.4 - 0.8.7 Use a simple pragma version that allows any of these versions. Consider using the latest version of Solidity for testing. Reference
At Gravity.sol , an expensive loop is used by incrementing state_variable in a loop incurs a lot of gas because of expensive SSTOREs, which might lead to an out-of-gas.
function manageWhitelist( address[] memory _users, bool _isWhitelisted ) public onlyWhitelisted { for (uint256 i = 0; i < _users.length; i++) { require( _users[i] != address(0), "User is the zero address" ); whitelisted[_users[i]] = _isWhitelisted; } emit WhitelistedStatusModified(msg.sender, _users, _isWhitelisted); }
The self notes on Gravity.sol#L137-#138 to be removed.
EVM's ecrecover is susceptible to signature malleability which allows replay attacks, but using OpenZeppelinโs ECDSA library can be mitigation in Gravity.sol for verifySig() function. Reference
At Gravity.sol, submitBatch() function, _destinations param should be checked for having address(0) inside.
๐ Selected for report: GermanKuber
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xNazgul, 0xf15ers, 0xkatana, AlleyCat, CertoraInc, Dravee, Funen, GimelSec, IllIllI, JC, MaratCerby, WatchPug, Waze, defsec, delfin454000, ellahi, gzeon, hake, hansfriese, ilan, jonatascm, nahnah, oyc_109, peritoflores, rfa, robee, simon135, slywaters, sorrynotsorry
65.9807 USDC - $65.98
At CosmosToken.sol, the state variable MAX_UINT can be declared as constant / immutable to save gas.
Using revert strings greater than 32 bytes will increase the gas consumption, custom errors (at v0.8.0) or enumerable sets can be used to decrease the consumption.
At Gravity.sol , an expensive loop is used by incrementing state_variable in a loop incurs a lot of gas because of expensive SSTOREs, which might lead to an out-of-gas.
function manageWhitelist( address[] memory _users, bool _isWhitelisted ) public onlyWhitelisted { for (uint256 i = 0; i < _users.length; i++) { require( _users[i] != address(0), "User is the zero address" ); whitelisted[_users[i]] = _isWhitelisted; } emit WhitelistedStatusModified(msg.sender, _users, _isWhitelisted); }