Platform: Code4rena
Start Date: 10/05/2022
Pot Size: $50,000 USDC
Total HM: 13
Participants: 100
Period: 5 days
Judge: HardlyDifficult
Total Solo HM: 1
Id: 122
League: ETH
Rank: 51/100
Findings: 2
Award: $85.06
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: hubble
Also found by: 0x1337, 0x1f8b, 0x4non, 0xDjango, 0xf15ers, 0xsanson, 242, Aits, AlleyCat, Bludya, BondiPestControl, BouSalman, BowTiedWardens, CertoraInc, Cityscape, Czar102, FSchmoede, Funen, Hawkeye, IllIllI, JDeryl, Kenshin, Kumpa, MaratCerby, MiloTruck, Picodes, Ruhum, TrungOre, VAD37, WatchPug, Waze, antonttc, bobirichman, catchup, cccz, cryptphi, csanuragjain, delfin454000, dipp, dirk_y, djxploit, eccentricexit, ellahi, fatherOfBlocks, hake, hansfriese, hickuphh3, horsefacts, hyh, jah, joestakey, mics, minhquanym, pedroais, pmerkleplant, radoslav11, reassor, rfa, robee, seanamani, shenwilly, shung, sikorico, sorrynotsorry, sseefried, z3s
54.9697 USDC - $54.97
MAX_FEE: Use MAX_FEE to assure users that the protocol won't set a 100% exercise fee.
Define a suitable MAX_FEE in the contract:
    uint256 public constant MAX_FEE = (10 / 100) * 1e18; // 10%
and use it in setFee():
    function setFee(uint256 feeRate_) external onlyOwner {
        require(feeRate_ <= MAX_FEE, "Fee too big");
        feeRate = feeRate_;
    }
durationDays is uint8, so it supports durations of at most 255 days: if a user wants a duration longer than 255 days, she can't set it. Use a bigger uint for durationDays.
Typo: OVVERIDES should be OVERRIDES (Cally.sol 426,9: OVVERIDES FUNCTIONS).
#0 - outdoteth
2022-05-16T18:54:18Z
This can be bumped to medium severity: [L01] Define MAX_FEE: https://github.com/code-423n4/2022-05-cally-findings/issues/48
#1 - HardlyDifficult
2022-05-30T19:16:22Z
Per the C4 guidance "part of auditing is demonstrating proper theory of how an issue could be exploited" and that does not seem to be explored here as it was in the primary report.
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xf15ers, 0xkatana, 0xsanson, Bludya, BowTiedWardens, CertoraInc, Cityscape, DavidGialdi, FSchmoede, Fitraldys, Funen, Hawkeye, Kenshin, MadWookie, MaratCerby, MiloTruck, Picodes, RagePit, Tadashi, TerrierLover, TomFrenchBlockchain, VAD37, WatchPug, Waze, _Adam, antonttc, bobirichman, catchup, defsec, delfin454000, djxploit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, ignacio, joestakey, jonatascm, mics, minhquanym, oyc_109, pmerkleplant, rfa, robee, rotcivegaf, samruna, shung, sikorico, simon135, z3s
30.0888 USDC - $30.09
uint256 default value is 0, so the explicit = 0 initializer can be removed:
    Cally.sol 94,28: uint256 public feeRate = 0;
    Cally.sol 95,42: uint256 public protocolUnclaimedFees = 0;
    Cally.sol 282,21: uint256 fee = 0;
Custom errors (available since Solidity 0.8.4) are cheaper than require messages:
https://blog.soliditylang.org/2021/04/21/custom-errors/
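The MAX_FEE bound from the QA report and the custom-error suggestion from the gas report, combined in one added illustration (this is not the Cally contract's code; the 1e18 == 100% fee scale, the owner check, the FeeTooHigh error and the feeFor helper are assumptions made for the example):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added example, not the audited contract: a capped fee rate with custom errors.
/// Assumes fee rates are 1e18-scaled, i.e. 1e18 means 100%.
contract FeeBoundExample {
    // 10% of 1e18. Solidity evaluates literal-only arithmetic as exact rationals,
    // so (10 / 100) * 1e18 is also 1e17, but writing 1e17 avoids the
    // integer-division misreading a reviewer might otherwise flag.
    uint256 public constant MAX_FEE = 1e17;
    uint256 public constant FEE_DENOMINATOR = 1e18;

    address public immutable owner;
    uint256 public feeRate; // defaults to 0, no "= 0" needed

    // Custom errors (Solidity >= 0.8.4) cost less than require strings.
    error NotOwner();
    error FeeTooHigh(uint256 requested, uint256 max);

    event FeeRateUpdated(uint256 oldRate, uint256 newRate);

    constructor() {
        owner = msg.sender;
    }

    /// Rejects any rate above MAX_FEE, so users can rely on a 10% ceiling.
    function setFee(uint256 feeRate_) external {
        if (msg.sender != owner) revert NotOwner();
        if (feeRate_ > MAX_FEE) revert FeeTooHigh(feeRate_, MAX_FEE);
        emit FeeRateUpdated(feeRate, feeRate_);
        feeRate = feeRate_;
    }

    /// Protocol fee taken from a premium; with feeRate <= MAX_FEE this is
    /// never more than 10% of the premium.
    function feeFor(uint256 premium) public view returns (uint256) {
        return (premium * feeRate) / FEE_DENOMINATOR;
    }
}
```

Calling setFee(2e17) reverts with FeeTooHigh(2e17, 1e17), while setFee(5e16) succeeds and makes feeFor(1 ether) return 0.05 ether.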