Platform: Code4rena
Start Date: 18/05/2023
Pot Size: $24,500 USDC
Total HM: 3
Participants: 72
Period: 4 days
Judge: LSDan
Id: 237
League: ETH
Rank: 47/72
Findings: 1
Award: $16.19
Selected for report: 0
Solo Findings: 0
Selected for report: ABA
Also found by: 0x4non, 0xHati, 0xMosh, 0xSmartContract, 0xWaitress, 0xhacksmithh, 0xnev, 0xprinc, Arabadzhiev, BLACK-PANDA-REACH, Deekshith99, Dimagu, KKat7531, Kose, LosPollosHermanos, MohammedRizwan, QiuhaoLi, RaymondFam, Rickard, Rolezn, SAAJ, Sathish9098, Shubham, SmartGooofy, Tripathi, Udsen, V1235816, adriro, arpit, ayden, bigtone, codeVolcan, d3e4, dwward3n, fatherOfBlocks, favelanky, jovemjeune, kutugu, lfzkoala, lukris02, matrix_0wl, minhquanym, ni8mare, parsely, pxng0lin, radev_sw, ravikiranweb3, rbserver, sces60107, souilos, tnevler, turvy_fuzz, yellowBirdy
16.1907 USDC - $16.19
Found in line 232 at contests/2023-05-juice/JBXBuybackDelegate.sol:
weth.transfer(address(pool), _amountToSend);
Found in line 286 at contests/2023-05-juice/JBXBuybackDelegate.sol:
if (_nonReservedToken != 0) projectToken.transfer(_data.beneficiary, _nonReservedToken);
.transfer will relay 2300 gas and .call will relay all the gas. If the receive/fallback function from the recipient proxy contract has complex logic, using .transfer will fail, causing integration issues. Replace .transfer with .call. Note that the result of .call needs to be checked.
Found in line 205 at contests/2023-05-juice/JBXBuybackDelegate.sol:
if (_amountReceived == 0) _mint(_data, _tokenCount);
Found in line 207 at contests/2023-05-juice/JBXBuybackDelegate.sol:
_mint(_data, _tokenCount);
Found in line 334 at contests/2023-05-juice/JBXBuybackDelegate.sol:
function _mint(JBDidPayData calldata _data, uint256 _amount) internal {
.mint won't check if the recipient is able to receive the NFT. If an incorrect address is passed, it will result in a silent failure and loss of asset. OpenZeppelin recommendation is to use the safe variant of _mint. Replace _mint() with _safeMint().
Found in line 63 at contests/2023-05-juice/JBXBuybackDelegate.sol:
bool private immutable _projectTokenIsZero;
Found in line 79 at contests/2023-05-juice/JBXBuybackDelegate.sol:
IERC20 public immutable projectToken;
Found in line 85 at contests/2023-05-juice/JBXBuybackDelegate.sol:
IUniswapV3Pool public immutable pool;
Found in line 90 at contests/2023-05-juice/JBXBuybackDelegate.sol:
IJBPayoutRedemptionPaymentTerminal3_1 public immutable jbxTerminal;
Found in line 95 at contests/2023-05-juice/JBXBuybackDelegate.sol:
IWETH9 public immutable weth;
Immutables should be in uppercase; it helps to distinguish immutables from other types of variables and provides better code readability.
#0 - c4-judge
2023-06-02T10:55:56Z
dmvt marked the issue as grade-b