Skip to content

Instantly share code, notes, and snippets.

View nachomazzara's full-sized avatar

Ignacio Mazzara nachomazzara

88 followers · 21 following
View GitHub Profile
@nachomazzara
nachomazzara / rcn-oracles-audit.md
Last active October 31, 2020 18:00
RCN - Oracles - Security Review

Sorted-Collection

SortedList.sol

High vulnerability

  • DoS when the list has more than ~5527 items. Every time the median is calculated, it loops through the entire list to get the size and then loop size / 2 to get the median itself. Consider storing and update the size of the list every time the user insert or remove a node along with the two nodes which are part of the median in the struct. The worst scenario for an insert could be n - 1 loop where n is the size of the list. Consider using a binary search in order to reduce as much as possible a possible DoS.

Medium vulnerability

@nachomazzara
nachomazzara / defswap-audit.md
Last active October 31, 2020 18:00
Defswap - Core - Security Review

Defswap Audit

DefswapFactory

Low vulneravility

  • Exchange could be created with address 0.

  • Consider index _token address at CreatedExchange event for traceability.

@nachomazzara
nachomazzara / CollateralAudit.md
Last active October 31, 2020 17:59
RCN - Collateral - Security Review
@nachomazzara
nachomazzara / AsyncArt-Audit.md
Last active June 5, 2021 19:37
AsyncArt - Core & Upgrader - Security Review
@nachomazzara
nachomazzara / SkyWeaver_Audit.md
Last active October 31, 2020 17:58
Horizon - SkyWeaver Bridges & Conquest - Security Review
@nachomazzara
nachomazzara / LIP-25-Audit.md
Last active October 31, 2020 17:57
Livepeer - LIP-25 - Security Review

Livepeer - LIP-25 - Security Review

Introduction

Livepeer team requested the LIP-25 proposal revision by auditing the Governor smart contract, the commit referenced for this audit is ac98605f78520b0ef43e31d0d20d0efbf2d32876.

Governor.sol

To take into consideration

  • Based on how each update is staged, if for some reason two calls are needed within a delay, the second one will fail. Even it is not part of the spec, a common usage as set regular payments won't be possible. This could be allowed by using a nonce allowing the same call to be staged more than once.
@nachomazzara
nachomazzara / RCN_Fee_Burner_Security_Review.md
Last active October 31, 2020 18:01
RCN - Fee & burner - Security Review
@nachomazzara
nachomazzara / TokenSpender_Security_Review.md
Last active April 5, 2021 18:46
Biteralabs - TokenSpender - Security Review
@nachomazzara
nachomazzara / Tradestars_Token_And_Card_Security_Review.md
Last active April 14, 2021 00:21
Tradestars - Token & Card - Security Review
@nachomazzara
nachomazzara / Spectre_io_MerkleProfitSharing_Security_Review.md
Last active June 26, 2021 13:12
Spectre.io - MerkleProfitSharing - Security Review