Issues: code-423n4/2021-12-pooltogether-findings

Issues list

Label legend (the repository's label descriptions, shown once here instead of being repeated after every issue title):

bug: Something isn't working
G (Gas Optimization)
0 (Non-critical): Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation
1 (Low Risk): Assets are not at risk. State handling, function incorrect as to spec, issues with comments
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
3 (High Risk): Assets can be stolen/lost/compromised directly
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explain in comments)

Issues (number, title, labels, opened date and author):

#144 Inline functions _updateClaimedEpoch and _isClaimedEpoch [bug, G (Gas Optimization), sponsor acknowledged] opened Dec 12, 2021 by code423n4
#137 Transfer amounts not checked for > 0 [bug, G (Gas Optimization), sponsor acknowledged] opened Dec 12, 2021 by code423n4
#134 Implement _calculateRewardAmount more efficiently [bug, G (Gas Optimization), sponsor confirmed] opened Dec 12, 2021 by code423n4
#133 _nextPromotionId/_latestPromotionId calculation can be done more efficiently [bug, G (Gas Optimization), sponsor acknowledged] opened Dec 12, 2021 by code423n4
#127 event PromotionCancelled should also emit the _to address [1 (Low Risk), bug, sponsor confirmed] opened Dec 12, 2021 by code423n4
#126 extendPromotion function should be access controlled by using onlyPromotionCreator [0 (Non-critical), bug, disagree with severity, sponsor acknowledged] opened Dec 12, 2021 by code423n4
#123 Unsafe uint64 casting may overflow [2 (Med Risk), bug] opened Dec 12, 2021 by code423n4
#115 _requirePromotionActive allows actions before the promotion is active [1 (Low Risk), bug, sponsor acknowledged] opened Dec 12, 2021 by code423n4
#111 Adding unchecked directive can save gas [bug, G (Gas Optimization), sponsor confirmed] opened Dec 12, 2021 by code423n4
#109 getCurrentEpochId() Malfunction for ended promotions [1 (Low Risk), bug, sponsor confirmed] opened Dec 12, 2021 by code423n4
#106 createPromotion() Lack of input validation for _epochDuration can potentially freeze promotion creator's funds [3 (High Risk), bug] opened Dec 12, 2021 by code423n4
#101 cancelPromotion() Unable to cancel unstarted promotions [2 (Med Risk), bug, sponsor confirmed] opened Dec 12, 2021 by code423n4
#91 Avoid unnecessary dynamic size array _averageTotalSupplies can save gas [bug, G (Gas Optimization), sponsor confirmed] opened Dec 12, 2021 by code423n4
#90 _requireTicket() Implementation can be simpler and save some gas [bug, G (Gas Optimization), sponsor confirmed] opened Dec 12, 2021 by code423n4
#80 getRewardsAmount might return wrong result [1 (Low Risk), bug, sponsor confirmed] opened Dec 12, 2021 by code423n4
#77 TwarbRewards: don't use the onlyPromotionCreator modifier to save gas [bug, G (Gas Optimization), sponsor confirmed] opened Dec 12, 2021 by code423n4
#75 Dust Token Balances Cannot Be Claimed By An admin Account [2 (Med Risk), bug, sponsor confirmed] opened Dec 12, 2021 by code423n4
#70 Missing Check When Transferring Tokens Out For A Given Promotion [2 (Med Risk), bug, sponsor acknowledged] opened Dec 12, 2021 by code423n4
#68 Anyone can claim rewards on behalf of someone [1 (Low Risk), bug, sponsor acknowledged] opened Dec 12, 2021 by code423n4
#58 uint256 types can be uint64 [bug, G (Gas Optimization), sponsor confirmed] opened Dec 12, 2021 by code423n4
#54 Inconsistent definition of when an epoch ends [1 (Low Risk), bug, sponsor confirmed] opened Dec 11, 2021 by code423n4
#50 getRewardsAmount doesn't check epochs haven't been claimed [2 (Med Risk), bug, sponsor confirmed] opened Dec 11, 2021 by code423n4
#36 cancelPromotion() Does Not Send Promotion Tokens Back to the Creator [1 (Low Risk), bug, sponsor disputed] opened Dec 10, 2021 by code423n4
#35 Check Zero Address Before Function Call Can Save Gas [bug, G (Gas Optimization), sponsor confirmed] opened Dec 10, 2021 by code423n4
#30 Contract does not work with fee-on transfer tokens [3 (High Risk), bug, sponsor confirmed] opened Dec 10, 2021 by code423n4