Paladin - Warden Pledges contest - tnevler's results

A governance lending protocol transforming users voting power into a new money lego.

General Information

Platform: Code4rena

Start Date: 27/10/2022

Pot Size: $33,500 USDC

Total HM: 8

Participants: 96

Period: 3 days

Judge: kirk-baird

Total Solo HM: 1

Id: 176

League: ETH


Researcher Performance

Rank: 42/96

Findings: 2

Award: $31.16

QA: grade-b
Gas: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Report

Low Risk

[L-01]: Missing checks for address(0x0)

Context:

  1. https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L137
  2. https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L138
  3. https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L140

Recommendation:

Add non-zero address checks when setting address state variables.
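The recommended check, as an added example that is not code from WardenPledge.sol. The contract, variable and error names are hypothetical; it shows the guard in a constructor, where an immutable address cannot be corrected after deployment, and in a setter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added illustration: all names here are hypothetical, not taken from WardenPledge.sol.
contract ZeroAddressCheckExample {
    error ZeroAddress();
    error NotOwner();

    // Fixed at deployment: a zero value here can only be fixed by redeploying.
    address public immutable votingToken;
    // Changeable by the owner: a zero value here is only noticed once it is used.
    address public feeReceiver;
    address public owner;

    constructor(address _votingToken, address _feeReceiver) {
        // Reject unset arguments before any state is written.
        if (_votingToken == address(0) || _feeReceiver == address(0)) {
            revert ZeroAddress();
        }
        votingToken = _votingToken;
        feeReceiver = _feeReceiver;
        owner = msg.sender;
    }

    function setFeeReceiver(address _feeReceiver) external {
        if (msg.sender != owner) revert NotOwner();
        // Same guard on the setter, so a later update cannot reintroduce the issue.
        if (_feeReceiver == address(0)) revert ZeroAddress();
        feeReceiver = _feeReceiver;
    }
}
```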

Non-Critical Issues

[N-01]: Wrong order of functions

Context:

https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol

Description:

According to the official Solidity documentation, functions should be grouped according to their visibility and ordered:

  • constructor

  • receive function (if exists)

  • fallback function (if exists)

  • external

  • public

  • internal

  • private

Recommendation:

Put the functions in the correct order according to the documentation.

[N-02]: Typos

Context:

  1. // so it's override by the Pledge's endTimestamp L232 (change "override" to "overridden")
  2. // based on the Boost bias & the Boost duration, to take in account that the delegated amount decreases L261 (change "to take in account" to "to take into account")
  3. * @param targetVotes Maximum taget of votes to have (own balacne + delegation) for the receiver L292 (change "taget" to "target")
  4. * @param targetVotes Maximum taget of votes to have (own balacne + delegation) for the receiver L292 (change "balacne" to "balance")
  5. * @param maxTotalRewardAmount Maximum total reward amount allowed ot be pulled by this contract L295 (change "ot" to "to")
  6. * @param maxFeeAmount Maximum feeamount allowed ot be pulled by this contract L296 (change "feeamount" to "fee amount")
  7. * @param maxFeeAmount Maximum feeamount allowed ot be pulled by this contract L296 (change "ot" to "to")
  8. // Add the total reards as available for the Pledge & write Pledge parameters in storage L339 (change "reards" to "rewards")
  9. * @param maxTotalRewardAmount Maximum added total reward amount allowed ot be pulled by this contract L365 (change "ot" to "to")
  10. * @param maxFeeAmount Maximum fee amount allowed ot be pulled by this contract L366 (change "ot" to "to")
  11. * @param pledgeId ID fo the Pledge L453 (change "fo" to "for")
  12. * @param pledgeId ID fo the Pledge to close L485 (change "fo" to "for")
  13. * @param minRewardPerSecond Minmum amount of reward per vote per second for the token L523 (change "Minmum" to "Minimum")
  14. * @param minRewardsPerSecond Minmum amount of reward per vote per second for each token in the list L539 (change "Minmum" to "Minimum")
  15. * @param minRewardPerSecond Minmum amount of reward per vote per second for the token L558 (change "Minmum" to "Minimum")
  16. * @param minRewardPerSecond Minmum amount of reward per vote per second for the token L568 (change "Minmum" to "Minimum")

#0 - c4-judge

2022-11-12T01:06:30Z

kirk-baird marked the issue as grade-b

Report

Gas Optimizations

[G-01]: Place subtractions where the operands can't underflow in unchecked {} block

Context:

  1. https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L268
  2. https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L385
  3. https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L430
  4. https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L431

Description:

Some gas can be saved by using an unchecked {} block if an underflow isn't possible because of a previous require() or if-statement.
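The pattern described above, as an added example that is not code from WardenPledge.sol. The contract and its names are hypothetical; it places the checked form beside the unchecked form and shows the guard the unchecked subtraction depends on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added illustration: all names here are hypothetical, not taken from WardenPledge.sol.
contract UncheckedSubExample {
    error AmountTooHigh();

    mapping(address => uint256) public available;

    function deposit(uint256 amount) external {
        available[msg.sender] += amount;
    }

    // Checked form: the compiler adds its own underflow check to the
    // subtraction, although the guard above it already rules underflow out.
    function withdrawChecked(uint256 amount) external returns (uint256 remaining) {
        uint256 current = available[msg.sender];
        if (amount > current) revert AmountTooHigh();
        remaining = current - amount;
        available[msg.sender] = remaining;
    }

    // Unchecked form: same behaviour, without the redundant compiler check.
    // Safe only because the guard compares the same two locals that are
    // subtracted. If the guard is removed or weakened in a later change,
    // the subtraction wraps around silently instead of reverting.
    function withdrawUnchecked(uint256 amount) external returns (uint256 remaining) {
        uint256 current = available[msg.sender];
        if (amount > current) revert AmountTooHigh();
        unchecked {
            remaining = current - amount;
        }
        available[msg.sender] = remaining;
    }
}
```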

[G-02]: Cache a value inside a mapping/array in local memory

Context:

    if(minAmountRewardToken[rewardToken] == 0) revert Errors.TokenNotWhitelisted();
    if(rewardPerVote < minAmountRewardToken[rewardToken]) revert Errors.RewardPerVoteTooLow();

https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L312-L313

Recommendation:

Change:

    if(minAmountRewardToken[rewardToken] == 0) revert Errors.TokenNotWhitelisted();
    if(rewardPerVote < minAmountRewardToken[rewardToken]) revert Errors.RewardPerVoteTooLow();

to:

    uint256 _minAmountRewardToken = minAmountRewardToken[rewardToken];
    if(_minAmountRewardToken == 0) revert Errors.TokenNotWhitelisted();
    if(rewardPerVote < _minAmountRewardToken) revert Errors.RewardPerVoteTooLow();

[G-03]: No need to cache a state variable in local memory if it is only used once

Context:

  1. https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L458
  2. https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L490

Recommendation:

Read the state variable from storage.

#0 - c4-judge

2022-11-12T01:12:15Z

kirk-baird marked the issue as grade-b
