QA Report #424
Labels
bug
Something isn't working
edited-by-warden
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Low risk & QA findings:
_addFounders
and_createAuction()
__EIP712_init()
is not initializedPotential out of gas caused by
_addFounders
and_createAuction()
The function
_addFounders
that's called on token initialization also reserves tokens for founders by fillingtokenReserved[id]
whereid
is a value between0
and99
, which represents the ids of tokens reserved for founders.If
tokenReserved[id]
is non empty for every possibleid
(0-99) then it's not possible to call_createAuction()
because it would try to mint tokens for founders indefinitely, eventually running out of gas.Impact
As far as I can tell this can only happen in the case described above, which implies setting the founders to have a total of 100% ownership. I don't see a reason why users could consciuosly decide to create a DAO with founders having 100% ownership but it's allowed by the protocol and could cause users to deploy a set of contracts which can potentially be expensive for nothing.
Proof of concept
The following test describe a possible scenario in which this bug occurs. Just copy it into
Token.t.sol
and run with:forge test -m test_CantCallUnpause
Mitigation
Having the function
_addFounders()
to keep at least one slot empty intokenReserved[id]
would prevent it from trying to mint indefinitely. It's also worth taking in consideration that in the case there's 1 slot free_createAuction
would still mint 100 (99 for founders plus 1 for the bidder) tokens, which might be a lot of gas.__EIP712_init()
is not initializedMissing initialization: Token.sol#L43
Impact
DOMAIN_SEPARATOR()
, which is used intoken.delegateBySig()
will always be computed askeccak256(abi.encode(bytes32(0), bytes32(0), bytes32(0), uint(0), address(token)))
.I guess
address(token)
, which is the address of the token proxy and it's different for every DAO saves the day here.I think this has no serious implication but I'm not going to explore any further because even if there's no scenario in which this can be exoploited it should be fixed.
Typo / Gas saving tip
At Auction.sol#L172 we have:
I think it was meant to be (
_auction
instead ofauction
):Accessed from memory and consistent with the rest of the code.
Token approvals are deleted for tokens self-transfers
At ERC721.sol#L146, inside
token.transferFrom()
we have:In the case of a transfer from an address to itself the approvals gets deleted because there's no check on
_from != _to
, which is not expected behaviour. This is such an edge case that it might be worth living is as it is to save gas for users.Reserved tokens IDS are calculated wrong
Reserved token ids are calculated in a weird way in
token._addFounders()
at this line of code at Token.sol#L113:What this is actually doing is:
Impact
Due to a combination of this and
schedule
being calculated as:which rounds down to
1
forfounderPct >= 51
it causes the remaining founders to get less tokens.Intuitevely what should happen is that
baseTokenId
might result in values higher than99
. This can happen if onefounderPct
is2
because that setsschedule
to50
.Unfortunately I discovered this quite late in the contest and didn't have time to indagate further. What seems weird to me is that the code seems to work anyway for most the of the cases.
Changing:
to
seems to fix the issue even for cases in which 1 founder has more than 51
ownershipPcts
.The text was updated successfully, but these errors were encountered: