Trader Joe contest - wuwe1's results

One-stop-shop decentralized trading on Avalanche.

General Information

Platform: Code4rena

Start Date: 25/01/2022

Pot Size: $50,000 USDT

Total HM: 17

Participants: 39

Period: 3 days

Judge: LSDan

Total Solo HM: 9

Id: 79

League: ETH

Trader Joe

Findings Distribution

Researcher Performance

Rank: 21/39

Findings: 2

Award: $679.91

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Trader Joe

Findings Information

🌟 Selected for report: cccz

Also found by: Czar102, Jujic, Meta0xNull, Ruhum, defsec, jayjonah8, kirk-baird, p4st13r4, pauliax, robee, wuwe1

Labels

bug

duplicate

1 (Low Risk)

Awards

13.5716 USDT - $13.57

External Links

Link to GitHub issue

Handle

wuwe1

Vulnerability details

Proof of Concept

There is no access control on initialize

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeToken.sol#L25

Malicious actor might front-run the deployer and call initialize in RocketJoeFactory . This griefing attack would prevent RocketJoeFactory from deploying.

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeFactory.sol#L62

setRJoe is affected by this too.

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeFactory.sol#L160

Recommended Mitigation Steps

Add access control on initialize

#0 - cryptofish7
2022-01-30T21:20:28Z

Duplicate of #155 and #8

#1 - dmvt
2022-02-22T10:41:51Z

Assets are not at risk. The worst case is that there is lost gas and the contracts need to be redeployed. Consider creating these contracts and calling their initialize functions in a factory to mitigate the issue if not adding the guard.

1 — Low (L): vulns that have a risk of 1 are considered “Low” severity when assets are not at risk. Includes state handling, function incorrect as to spec, and issues with comments.

Findings Information

🌟 Selected for report: WatchPug

Also found by: Dravee, TomFrenchBlockchain, wuwe1

Labels

bug

duplicate

G (Gas Optimization)

Awards

7.2498 USDT - $7.25

External Links

Link to GitHub issue

Handle

wuwe1

Vulnerability details

Proof of Concept

LaunchEvent does not use any function in Ownable.

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/LaunchEvent.sol#L19

Recommended Mitigation Steps

Remove Ownable in LaunchEvent

#0 - cryptofish7
2022-01-31T11:16:23Z

Duplicate of #241

Findings Information

🌟 Selected for report: hyh

Also found by: Funen, wuwe1

Labels

bug

duplicate

1 (Low Risk)

Awards

140.1231 USDT - $140.12

External Links

Link to GitHub issue

Handle

wuwe1

Vulnerability details

Impact

If parameter get wrong, it might need to be redeployed.

Proof of Concept

RocketJoeStaking.sol

_joe could be 0

_rJoe could be 0

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeStaking.sol#L72-L73

Recommended Mitigation Steps

Add zero value check on this variable.

#0 - cryptofish7
2022-01-30T23:41:04Z

Duplicate of #266

Findings Information

🌟 Selected for report: wuwe1

Labels

bug

1 (Low Risk)

disagree with severity

sponsor confirmed

Awards

518.9746 USDT - $518.97

External Links

Link to GitHub issue

Handle

wuwe1

Vulnerability details

Impact

Causing confuse to user and developer.

Proof of Concept

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/LaunchEvent.sol#L55

105000 * 1e18 / (1e18 + 5e16) is equal to 100000

Recommended Mitigation Steps

change to

105000 - 105000 * 1e18 / (1e18 + 5e16) = 5000

#0 - cryptofish7
2022-01-31T23:14:21Z

Should be 0.

Fixed: https://github.com/traderjoe-xyz/rocket-joe/commit/dbd19cc400abb5863edfc0443dd408ba5ae3e99a

#1 - dmvt
2022-02-23T12:55:29Z

Equation in comment is technically incorrect and results in confusion. Low risk is reasonable in this case.

Trader Joe contest - wuwe1's results

One-stop-shop decentralized trading on Avalanche.

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $672.66

Gas Report - $7.25

QA Report - $672.66

Gas Report - $7.25

[L-14] lack access control in initialize of RocketJoeToken - $13.57

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Proof of Concept

Recommended Mitigation Steps

#0 - cryptofish72022-01-30T21:20:28Z

#1 - dmvt2022-02-22T10:41:51Z

[G-66] LaunchEvent does not have to inherit Ownable - $7.25

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Proof of Concept

Recommended Mitigation Steps

#0 - cryptofish72022-01-31T11:16:23Z

[L-05] Lacking zero value check in initialize - $140.12

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Recommended Mitigation Steps

#0 - cryptofish72022-01-30T23:41:04Z

🚀 [L-24] Wrong comment - $518.97

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Recommended Mitigation Steps

#0 - cryptofish72022-01-31T23:14:21Z

#1 - dmvt2022-02-23T12:55:29Z

#0 - cryptofish7
2022-01-30T21:20:28Z

#1 - dmvt
2022-02-22T10:41:51Z

#0 - cryptofish7
2022-01-31T11:16:23Z

#0 - cryptofish7
2022-01-30T23:41:04Z

#0 - cryptofish7
2022-01-31T23:14:21Z

#1 - dmvt
2022-02-23T12:55:29Z