FactoryDAO contest - ych18's results

The DAO that builds DAOs.

General Information

Platform: Code4rena

Start Date: 04/05/2022

Pot Size: $50,000 DAI

Total HM: 24

Participants: 71

Period: 5 days

Judge: Justin Goro

Total Solo HM: 14

Id: 119

League: ETH

FactoryDAO

Findings Distribution

Researcher Performance

Rank: 51/71

Findings: 2

Award: $108.38

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

3.1753 DAI - $3.18

Labels

bug
duplicate
2 (Med Risk)

External Links

Lines of code

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/MerkleDropFactory.sol#L107

Vulnerability details

This issue is present throughout the project:

Although the ERC20 standard suggests that a transfer should return true on success, many tokens are non-compliant in this regard (including high-profile ones, like USDT). In that case, the transfer()/transferFrom() call will revert even if the transfer is successful, because Solidity checks that the RETURNDATASIZE matches the ERC20 interface.

Recommendation: Consider using OpenZeppelin’s SafeERC20.

#1 - gititGoro

2022-06-14T01:55:38Z

Changing severity due to pool isolation, as reward tokens represent leakage, not lost funds, and because transfer of deposited funds would fail on deposit.

Findings Information

🌟 Selected for report: reassor

Also found by: IllIllI, VAD37, hyh, kenzo, leastwood, rajatbeladiya, ych18

Labels

bug
duplicate
2 (Med Risk)

Awards

105.1961 DAI - $105.20

External Links

Lines of code

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L169

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L282

Vulnerability details

  • Some tokens have decimals != 18 (including high-profile ones, like USDC, where decimals = 6). The getMaximumRewards() and getRewards() functions would not calculate the right amount of these tokens, because they divide the token amount by 1e18, whereas tokens with decimals == 6 should be divided by 1e6.

Recommendation: divide the wei amount of the token by 10 ** token.decimals() to get the correct amount of the token.

#1 - gititGoro

2022-06-14T03:16:06Z

#2 - gititGoro

2022-06-14T03:16:37Z

Reducing severity as rewards do not constitute user deposits
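Both findings above (the unchecked transfer return value and the hard-coded 1e18 divisor) shown beside their hardened forms in a minimal pool written for this page. This is an added illustration, not FactoryDAO's contract; the field names, constructor and reward formula are assumptions of the example, not the project's layout, and access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical minimal pool (not FactoryDAO's contract, access control omitted): one
// deposit token, one reward token, and a rate in reward wei per second per whole deposit token.
contract RewardPoolExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable depositToken;
    IERC20 public immutable rewardToken;
    uint256 public immutable rewardWeiPerSecondPerToken;
    uint256 public immutable depositScale; // 10 ** depositToken.decimals()

    constructor(IERC20 _depositToken, IERC20 _rewardToken, uint256 _rate) {
        depositToken = _depositToken;
        rewardToken = _rewardToken;
        rewardWeiPerSecondPerToken = _rate;
        // Fix for the decimals finding: read the token's own decimals instead of assuming 18.
        depositScale = 10 ** IERC20Metadata(address(_depositToken)).decimals();
    }

    // Vulnerable form: always divides by 1e18, so for a 6-decimal deposit token such as
    // USDC the rewards come out 1e12 times too small.
    function getRewardsUnsafe(uint256 amount, uint256 elapsed) external view returns (uint256) {
        return amount * elapsed * rewardWeiPerSecondPerToken / 1e18;
    }

    // Hardened form: normalise by the deposit token's real decimals.
    function getRewards(uint256 amount, uint256 elapsed) external view returns (uint256) {
        return amount * elapsed * rewardWeiPerSecondPerToken / depositScale;
    }

    // Vulnerable form: a token whose transfer() returns no data (USDT is the usual example)
    // makes this call revert, because Solidity checks the return data against the bool
    // declared in IERC20 before require() ever runs.
    function payoutUnsafe(address to, uint256 amount) external {
        require(rewardToken.transfer(to, amount), "transfer failed");
    }

    // Hardened form: SafeERC20 accepts both no-return and bool-returning tokens and
    // reverts only when the call fails or explicitly returns false.
    function payout(address to, uint256 amount) external {
        rewardToken.safeTransfer(to, amount);
    }
}
```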
