WatchPug
Every reason string takes at least 32 bytes.
Use short reason strings that fit in 32 bytes; each additional 32-byte word makes the require more expensive.
Instances include:
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeStaking.sol#L65-L68
require( _startTime > block.timestamp, "RocketJoeStaking: rJOE minting needs to start after the current timestamp" );
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeStaking.sol#L118-L121
require( user.amount >= _amount, "RocketJoeStaking: withdraw amount exceeds balance" );
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeToken.sol#L17-L20
require( rocketJoeFactory.isRJLaunchEvent(msg.sender), "RocketJoeToken: caller is not a RJLaunchEvent" );
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeToken.sol#L26-L29
require( address(rocketJoeFactory) == address(0), "RocketJoeToken: already initialized" );
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeFactory.sol#L53-L61
require( _eventImplementation != address(0) && _rJoe != address(0) && _wavax != address(0) && _penaltyCollector != address(0) && _router != address(0) && _factory != address(0), "RJFactory: Addresses can't be null address" );
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeFactory.sol#L111-L128
require( getRJLaunchEvent[_token] == address(0), "RJFactory: token has already been issued" ); require(_issuer != address(0), "RJFactory: issuer can't be 0 address"); require(_token != address(0), "RJFactory: token can't be 0 address"); require(_token != wavax, "RJFactory: token can't be wavax"); require( _tokenAmount > 0, "RJFactory: token amount needs to be greater than 0" ); require( IJoeFactory(factory).getPair(_token, wavax) == address(0) || IJoePair(IJoeFactory(factory).getPair(_token, wavax)) .totalSupply() == 0, "RJFactory: liquid pair already exists" );
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeFactory.sol#L206-L209
require( _duration > PHASE_ONE_NO_FEE_DURATION, "RJFactory: phase one duration lower than no fee duration" );
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeFactory.sol#L223-L226
require( _noFeeDuration < PHASE_ONE_DURATION, "RJFactory: no fee duration bigger than phase one duration" );
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/LaunchEvent.sol#L237-L256
require( _maxWithdrawPenalty <= 5e17, "LaunchEvent: maxWithdrawPenalty too big" ); // 50% require( _fixedWithdrawPenalty <= 5e17, "LaunchEvent: fixedWithdrawPenalty too big" ); // 50% require( _userTimelock <= 7 days, "LaunchEvent: can't lock user LP for more than 7 days" ); require( _issuerTimelock > _userTimelock, "LaunchEvent: issuer can't withdraw before users" ); require( _auctionStart > block.timestamp, "LaunchEvent: start of phase 1 cannot be in the past" );
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/LaunchEvent.sol#L312-L316
require(msg.sender != issuer, "LaunchEvent: issuer cannot participate"); require( msg.value > 0, "LaunchEvent: expected non-zero AVAX to deposit" );
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/LaunchEvent.sol#L497-L500
require( user.balance > 0, "LaunchEvent: expected user to have non-zero balance to perform emergency withdraw" );
Handle
WatchPug
Vulnerability details
Every reason string takes at least 32 bytes.
Use short reason strings that fit in 32 bytes; each additional 32-byte word makes the require more expensive.
Instances include:
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeStaking.sol#L65-L68
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeStaking.sol#L118-L121
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeToken.sol#L17-L20
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeToken.sol#L26-L29
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeFactory.sol#L53-L61
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeFactory.sol#L111-L128
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeFactory.sol#L206-L209
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeFactory.sol#L223-L226
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/LaunchEvent.sol#L237-L256
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/LaunchEvent.sol#L312-L316
https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/LaunchEvent.sol#L497-L500