Platform: Code4rena
Start Date: 04/01/2022
End Date: 06/01/2022
Period: 3 days
Status: Completed
Reporters: captainmango, dzhawsh
Pot Size: $25,000 USDC
Participants: 40
Judge: Ivo Georgiev
Id: 75
League: ETH
WatchPug | 1/40 | $10,032.52 | 4 | 1 | 1 | 1 | 0 | - | - | 0 |
onewayfunction | 2/40 | $1,735.56 | 4 | 1 | 0 | 1 | 0 | - | - | 0 |
sirhashalot | 3/40 | $1,026.51 | 3 | 0 | 0 | 1 | 0 | - | - | 0 |
cmichel | 4/40 | $939.38 | 3 | 1 | 0 | 1 | 0 | - | 0 | 0 |
kenzo | 5/40 | $939.38 | 3 | 1 | 0 | 1 | 0 | - | 0 | 0 |
Fitraldys | 6/40 | $869.20 | 2 | 1 | 0 | 0 | 0 | 0 | - | 0 |
Tomio | 7/40 | $836.99 | 2 | 0 | 0 | 0 | 0 | - | - | 0 |
Czar102 | 8/40 | $812.02 | 2 | 0 | 0 | 0 | 0 | - | - | 0 |
cccz | 9/40 | $806.34 | 2 | 1 | 0 | 0 | 0 | - | 0 | 0 |
tqts | 10/40 | $768.97 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
The scope of this audit includes the following repo, all with corresponding release tags:
There are 2 contracts here:
XDEFIDistribution is the main and only stateful contract. It extends OpenZeppelin's ERC721Enumerable and adds custom "funds distribution" functionality, similar to an ERC2222 implementation, but with NFT positions rather than ERC20 positions. You can read more in the XDeFi-tech/xdefi-distribution readme, or ask questions in the C4 Discord.

XDEFIDistributionHelper is a low-risk, stateless helper smart contract intended to be used by front-ends/clients to batch query the XDEFIDistribution contract instead of having to make multiple web3 calls.

Ensure that distribution of additional funds sent to the XDEFIDistribution contract is recognized and accurately distributed via updateDistribution, so that they are withdrawable by position holders when they eventually unlock. Rounding errors (lack of precision) are expected, but should remain insignificant. However, it is important that new locking of XDEFI results in positions that are only eligible for portions of future rewards, and does not result in the "stealing" of past rewards from existing locked position holders. Similarly, the contract should never have less XDEFI than it needs to support all withdrawals/unlocks (i.e. the sum of all withdrawableOf is less than or equal to the XDEFI balance of the contract itself).
A position should always remain a valid NFT, even after it has been unlocked/withdrawn. The only difference between a locked and unlocked position is that:
Scores are determined by the contract and merging should not result in the loss or creation of additional points.
It should not be possible for anyone, even the contract owner, to affect the current withdrawable amount of any locked position (within acceptable rounding), or to prevent it from being unlocked at all when the position owner expected it to be unlockable. For example, setLockPeriods is only able to change the validity of lock times for new locked positions; existing locked positions remain unaffected. Any account should be able to send XDEFI token to the XDEFIDistribution contract and have it distributed to existing locked positions via updateDistribution.
XDEFIDistributionHelper gas optimizations are not valid, since the contract is not intended to be used in state-changing calls (i.e. calls where an on-chain transaction occurs, resulting in tx fees).

The _pointsPerUnit and pointsCorrection accounting is expected to result in minute inaccuracies where positions are allowed to withdraw slightly less than "they should". An issue of imprecision or rounding error is only valid if it results in the inability of a position to be unlocked/withdrawn, or in a user getting more than expected (i.e. another position's share).