XDEFI contest - ye0lde's results

The fastest wallet in DeFi.

General Information

Platform: Code4rena

Start Date: 04/01/2022

Pot Size: $25,000 USDC

Total HM: 3

Participants: 40

Period: 3 days

Judge: Ivo Georgiev

Total Solo HM: 1

Id: 75

League: ETH

XDEFI

Findings Distribution

Researcher Performance

Rank: 26/40

Findings: 2

Award: $50.52

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository XDEFI

Findings Information

🌟 Selected for report: cccz

Also found by: Jujic, Tomio, WatchPug, agusduha, certora, hack3r-0m, jayjonah8, ye0lde

Labels

bug

duplicate

1 (Low Risk)

disagree with severity

sponsor acknowledged

Awards

37.3718 USDC - $37.37

External Links

Link to GitHub issue

Handle

ye0lde

Vulnerability details

Impact

The function below fails to perform input validation on arrays to verify the lengths match. A mismatch could lead to an exception or undefined behavior.

Proof of Concept

multipliers is accessed without validating its length. https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L83

Tools Used

Visual Studio Code, Remix

Recommended Mitigation Steps

Add input validation to check that the length of multipliers and durations_ match.

#0 - deluca-mike
2022-01-06T06:14:03Z

If there are more multipliers than durations, then the extra multipliers are ignored. If there are more durations than multipliers, then the function will revert anyway. Further, if the admin did make a mistake, they can just call the function again. This is no-risk.

#1 - deluca-mike
2022-01-09T10:41:36Z

Duplicate #38

Findings Information

🌟 Selected for report: Dravee

Also found by: 0xsanson, Jujic, WatchPug, ye0lde

Labels

bug

duplicate

G (Gas Optimization)

sponsor confirmed

Awards

13.1525 USDC - $13.15

External Links

Link to GitHub issue

Handle

ye0lde

Vulnerability details

Impact

Redundant arithmetic underflow/overflow checks can be avoided when an underflow/overflow cannot happen.

Proof of Concept

The "unchecked" keyword can be applied since there is a require statement to ensure the arithmetic operations would not cause an integer underflow or overflow.

For example here: https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L114-L120

Change the code to:

        // Throw convenient error if trying to re-lock more than was unlocked. 
        require(lockAmount_ <= amountUnlocked_, "INSUFFICIENT_AMOUNT_UNLOCKED");

        // Handle the lock position creation and get the tokenId of the locked position.
        newTokenId_ = _lock(lockAmount_, duration_, destination_);

        uint256 withdrawAmount;  
        unchecked { withdrawAmount = amountUnlocked_ - lockAmount_; }

Tools Used

Visual Studio Code, Remix

Recommended Mitigation Steps

Add the "unchecked" keyword as shown above.

#0 - deluca-mike
2022-01-06T19:34:01Z

Yup, we will use unchecked where we can.

#1 - deluca-mike
2022-01-09T10:57:09Z

Duplicate #49

XDEFI contest - ye0lde's results

The fastest wallet in DeFi.

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $37.37

Gas Report - $13.15

QA Report - $37.37

Gas Report - $13.15

[L-02] Missing input validation on array lengths (Function setLockPeriods in XDEFIDistribution.sol) - $37.37

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - deluca-mike2022-01-06T06:14:03Z

#1 - deluca-mike2022-01-09T10:41:36Z

[G-02] Save Gas With The Unchecked Keyword (XDefiDistribution.sol) - $13.15

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - deluca-mike2022-01-06T19:34:01Z

#1 - deluca-mike2022-01-09T10:57:09Z

#0 - deluca-mike
2022-01-06T06:14:03Z

#1 - deluca-mike
2022-01-09T10:41:36Z

#0 - deluca-mike
2022-01-06T19:34:01Z

#1 - deluca-mike
2022-01-09T10:57:09Z