Just saw I have broken the $20,000 mark from contests 😮
It's nothing crazy but knowing that just 4 months ago I was just starting out with my first contests and had 0 earnings to 2-3 months ago when I had just around 3,000$ in earnings is pretty nice.
Next mark - $50,000 🫡
#11
in the
@SizeCredit
contest
I found 9 H/M bugs, more than everyone but 1-2 people but I guess the more unique ones ate up a lot of the reward pot and finished a lot further behind than what I expected.
Lesson for next time - find even more issues and don't let that happen 🫡
My first 4-digit payout in my second (arguably first) contest ever!
Definitely pretty happy with those results but of course, there is still a lot of room to improve, had a great time auditing the
@dittoproj
in
@code4rena
!
Shadow auditing is one of the best ways to improve, especially as a beginner.
The contest in this thread is a great option to do a shadow audit on! (Spoiler Alert: It is not Beedle)
🧵
Around a day has passed so it is time to reveal what the issue was 🧐
Firstly, there were some lower impact issues such as:
- Not validating msg.value
- Redeploying the Referrer contract everytime
- Users can set themselves as the referrer
Now, about the high impact issue 🧵
Doing team audits on C4 after the introduction of the Hunter and Gatherer bonuses might be the new meta 🧐
For example, in a recent contest I did, if I had teamed up with someone that had just any 2 findings which I didn't find, we would have gotten $16,000 as a gatherer bonus.
Two results from recent contests.
Definitely not happy nor satisfied with these results but trust me, it won't be long before I get the
#1
spot in a contest, I promise! 😉
I found a very similar issue in a recent audit I conducted so such an issue can definitely appear in a protocol you are auditing, definitely keep that in mind in your next audit and do not miss it😉
Congrats to everyone who managed to find it!
Well, actually not. The issue here is that even if referrer is address(0), the address of the deployed Referrer contract will not be, thus the check will always pass making it so every deposit with no referrer dilutes the rewards for actual referrers.
Whenever a user deposits, he can set a referrer. That deploys a Referrer contract through which the referrer can interact and get some rewards.
If the user has not set a referrer, we do not update the referrer units due to the address(0) check... or is that actually the case?🤔
@woshilalala
@sherlockdefi
If a protocol wants to get the same quality (or even higher) as most T1 firms for a fraction of the price, this is your guy 👀
@vancelotx
Yes, that's an unintended issue, you can assume that the referrer contract only gets deployed once. This is a bug but doesn't really have huge impact except people paying more gas
Give it 2 days or more in case you are just starting out and try to find as many issues as possible. Then, read the issues found and try to understand them to the best of your abilities. Good luck!
For those saying that the referrer contract gets deployed every time, that is an unintended issue but it also doesn't really have much impact besides users paying more gas. You can assume that there is a function called getOrDeployReferrer() there instead. The bug is elsewhere
@0xJuancito
@milotruck
And it all depends whether they are trying to validate or invalidate the issue 😂 trying to invalidate it makes the price of the attack a trillion dollars more expensive
@arabadzhiev_
That's interesting, they refused to change the rankings and rewards when the judge found out he accidentally invalidated one of my valid issues in one of the contests.
Why is it a great option?
- It's short (≈500 SLOC)
- It's not hard to understand
- It has a decent amount of issues, some of them very simple
- It involves a lot of common DeFi concepts
@yatharthpnwr
We are deploying the referrer, we are not sending any ETH to it so the fallback function wouldn't be called. Also assume that the Referrer contract is 100% trusted
@MartinMarchev
A guy from the Immunefi team has been regularly trying to get a reply from the team, not sure if that counts as mediation or if it's something else. The team replies once every 1-2 weeks and then dips again 😅
@DAgantem1624
That's not the bug, you can imagine that the withdraw function for the referrer gets his money like this:
uint256 moneyForReferrer = totalMoneyForReferrers * referrerUnits / totalReferrerUnits
@jesjupyter
That's true, I made the code super simple so I missed some details but assume that there is a function used there instead that only deploys a contract if there isnt one already deployed for the referrer
@stanchev_33
The referrer contract will take care of that, for example by having an onlyOwner modifier and the owner being set as the referrer during the constructor. You are in the right direction though