LI.FI contest - tchkvsky's results

Bridge & DEX Aggregation.

General Information

Platform: Code4rena

Start Date: 24/03/2022

Pot Size: $75,000 USDC

Total HM: 15

Participants: 59

Period: 7 days

Judge: gzeon

Id: 103

League: ETH

LI.FI

Findings Distribution

Researcher Performance

Rank: 46/59

Findings: 2

Award: $175.12

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository LI.FI

Findings Information

🌟 Selected for report: hake

Also found by: 0v3rf10w, 0xDjango, 0xkatana, BouSalman, CertoraInc, Dravee, Hawkeye, IllIllI, JMukesh, Jujic, Kenshin, PPrieditis, Picodes, PranavG, Ruhum, SolidityScan, VAD37, WatchPug, aga7hokakological, catchup, csanuragjain, cthulhu_cult, defsec, dimitri, hickuphh3, hubble, hyh, kenta, kirk-baird, obront, peritoflores, rayn, robee, saian, samruna, shenwilly, shw, sorrynotsorry, tchkvsky, teryanarmen, ych18

Awards

113.5781 USDC - $113.58

Labels

bug

resolved

QA (Quality Assurance)

External Links

Link to GitHub issue

Declared event in WithdrawFacet.sol doesn't match emitted event

Handle

tchkvsky

Vulnerability details

Declared event in #L12 of WithdrawFacet.sol doesn't match emitted event (called parameters) in #L37

Impact

This could lead to logging incorrect transactions

Proof of Concept

WithdrawFacet.sol#L12

event LogWithdraw(address indexed _assetAddress, address _from, uint256 amount);

and

WithdrawFacet.sol#L37

    emit LogWithdraw(sendTo, _assetAddress, _amount);

does not match

Tools Used

Manual review

Recommendation

Consider changing (#L12)

event LogWithdraw(address indexed _assetAddress, address _from, uint256 amount);

event LogWithdraw(address indexed _assetAddress, address _to, uint256 _amount);

AND (#L37)

    emit LogWithdraw(sendTo, _assetAddress, _amount);

    emit LogWithdraw(_assetAddress, sendTo, _amount);

Useful links:

Findings Information

🌟 Selected for report: Dravee

Also found by: 0v3rf10w, 0xDjango, 0xNazgul, 0xkatana, ACai, CertoraInc, FSchmoede, Funen, Hawkeye, IllIllI, Jujic, Kenshin, PPrieditis, Picodes, SolidityScan, TerrierLover, Tomio, WatchPug, catchup, csanuragjain, defsec, dimitri, hake, hickuphh3, kenta, minhquanym, obront, peritoflores, rayn, rfa, robee, saian, samruna, tchkvsky, teryanarmen, ych18

Awards

61.5429 USDC - $61.54

Labels

bug

G (Gas Optimization)

resolved

External Links

Link to GitHub issue

Prefix increments are cheaper than postfix increments.

Handle

tchkvsky

Vulnerability details

These functions use not using prefix increments (++x)

Impact

Using prefix increment is more gas efficient

Proof of Concept

DexManagerFacet.sol

Tools Used

Manual review

Recommendation

Consider using prefix increments (++i) to save gas

#0 - H3xept
2022-04-01T10:03:07Z

We internally decided to ignore prefix increments for now.

LI.FI contest - tchkvsky's results

Bridge & DEX Aggregation.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-41] QA Report - $113.58

Findings Information

Awards

Labels

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommendation

[G-36] Gas Report - $61.54

Findings Information

Awards

Labels

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommendation

#0 - H3xept2022-04-01T10:03:07Z

#0 - H3xept
2022-04-01T10:03:07Z