Platform: Code4rena
Start Date: 29/03/2022
Pot Size: $50,000 USDC
Total HM: 16
Participants: 42
Period: 5 days
Judge: 0xean
Total Solo HM: 9
Id: 105
League: ETH
Rank: 32/42
Findings: 2
Award: $158.55
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0xDjango, 0xkatana, 0xmint, Czar102, Dravee, Funen, Ruhum, TerrierLover, defsec, gzeon, hake, hyh, jah, kenta, minhquanym, okkothejawa, pmerkleplant, rayn, reassor, robee, sorrynotsorry, sseefried, teryanarmen
106.7266 USDC - $106.73
https://github.com/code-423n4/2022-03-paladin/blob/main/contracts/HolyPaladinToken.sol#L729
If startDropPerSecond is initialized at less than endDropPerSecond the contract will be unusable. There will be an underflow in _updateDropPerSecond which will always revert. This function is called throughout the contract, in critical functions like lock and claim, if it were to always revert the contract would be broken and unusable.
If startDropPerSecond is initialized at less than endDropPerSecond in the constructor, the contract will be deployed without issue but will be broken.
Manual analysis
Add a check in the constructor that ensures startDropPerSecond >= endDropPerSecond
#0 - Kogaroshi
2022-04-02T15:59:09Z
PR with changes: https://github.com/PaladinFinance/Paladin-Tokenomics/pull/8
#1 - 0xean
2022-04-08T23:23:22Z
Downgrading to QA based on the following as explained in #80
This is an exceedingly rare bug and unlikely to happen because it is the admin that calls function setEndDropPerSecond. it can only occur when block.timestamp == startDropTimestamp + dropDecreaseDuration. Reverts will not occur at any subsequent timestamp.
#2 - JeeberC4
2022-04-11T16:21:12Z
Judge downgraded to QA, warden did not submit a QA Report, preserving original title: Potentially dead contract
🌟 Selected for report: TerrierLover
Also found by: 0v3rf10w, 0xDjango, 0xNazgul, 0xkatana, 0xmint, Cityscape, Czar102, Dravee, Funen, IllIllI, Tomio, antonttc, defsec, gzeon, hake, kenta, minhquanym, pmerkleplant, rayn, rfa, robee, saian, securerodd, teryanarmen
51.8213 USDC - $51.82
1. Can use stricter visibility: public constant variables can be set as private as code is open source and they are also in the docs https://github.com/code-423n4/2022-03-paladin/blob/main/contracts/HolyPaladinToken.sol#L17-L39
2. Slight change in protocol design can save lots of gas paid for by users: function _updateDropPerSecond() is called with almost every interaction with the contract. This function adds minimum 2k gas to 6 different functions called by users and also on every transfer of tokens. Consider using a function that updates drop per second separately and allow anyone to call it, reward those who call it with a successful update with a small (slightly more than the price of gas) incentive, maybe in the native token. This will utilize MEV to the protocols advantage. https://github.com/code-423n4/2022-03-paladin/blob/main/contracts/HolyPaladinToken.sol#L713-L742
#0 - Kogaroshi
2022-04-03T07:16:37Z
QA & gas optimizations changes are done in the PR: https://github.com/PaladinFinance/Paladin-Tokenomics/pull/6 (some changes/tips were implemented, others are noted but won't be applied)