Content
@
https://opensea.io/collection/dev-21
0 reply
0 recast
2 reactions

Jacek.degen.eth 🎩
@jacek
If you're a Solidity dev and interested in helping out Degen by auditing or reviewing our Locked Degen ERC-20 contract, we'd love your support. Your help in finding bugs or suggesting code improvements would be greatly appreciated! Thanks! https://github.com/degen-token/degen-smart-contracts/pull/22
29 replies
35 recasts
211 reactions

J. Valeska 🦊🎩🫂
@jvaleska.eth
Some people are asking about it, and I had to stop my audit after finding it.
- LN 130 - updateLockDuration() function: this allows the owner to change the locking period between 0 and 365 days.
- LN 118 - if (block.timestamp <= depositTimestamps[msg.sender] + lockDuration) revert... This check on lockDuration in the withdraw function allows the owner to do some tricks with the locking period:
  - The owner could lock and unlock by doing a sandwich: updateLockDuration-withdraw-updateLockDuration, withdrawing without respecting the lock, and then setting it again, locking users' funds.
  - The owner could extend the locking period from an initial 0 days to 1 year, locking user funds for 1 year without user "permission".
13 replies
0 recast
6 reactions

Ryan J. Shaw
@rjs
IMO 1 is not an issue because the owner already controls the entire treasury and users have no expectation of the owner locking anything, nor does it impact user funds (could change if e.g. the owner says "I'm locking for a year, you should too!"). 2 I also pointed out, and users should definitely be made aware of the risk; ideally it shouldn't be possible.
1 reply
0 recast
0 reaction

J. Valeska 🦊🎩🫂
@jvaleska.eth
1. Owner can control other users' lockDuration. This means that anyone could lock a great amount and, being allied with the owner, would be able to withdraw while others could not (this is not fair). And this adds the ability to create fake trust and reputation and then withdraw the funds. This is like a pump and dump, for staking (sounds bad). (Being in control of the treasury does not mean that we should continue doing things this way, having better and fairer methods to do that, IMO.)
2. Conditions of a contract should not change in the middle of the contract without both parties signing it again. In this case it should be explained to users that their lock could change whenever the admin wants, from 0 to 365.
3 replies
0 recast
3 reactions
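The finding in @jvaleska.eth's two posts above (a withdraw check that reads an owner-mutable global lockDuration, so the owner can retroactively shorten or lengthen every depositor's lock) comes down to where the lock duration is stored. The sketch below is an added illustration written for this thread, not code from the Degen repository or the linked PR: it puts the weak pattern beside a hardened variant that snapshots the unlock time per deposit, so updateLockDuration() only governs future deposits. Contract and function names other than updateLockDuration, withdraw and depositTimestamps are invented for the example, and a plain balance mapping stands in for the real ERC-20 transfers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for the thread above, not the Degen project's code.
// A single balance per address stands in for the ERC-20 transfers of the
// real Locked Degen contract; everything else is deliberately minimal.

/// @notice Weak pattern from the thread: one owner-controlled `lockDuration`
/// is read at withdraw time, so changing it retroactively re-locks or
/// unlocks every existing deposit.
contract LockedDepositWeak {
    address public owner;
    uint256 public lockDuration;                 // seconds, owner-mutable
    mapping(address => uint256) public balances;
    mapping(address => uint256) public depositTimestamps;

    constructor(uint256 initialLockDuration) {
        owner = msg.sender;
        lockDuration = initialLockDuration;
    }

    function updateLockDuration(uint256 newDuration) external {
        require(msg.sender == owner, "not owner");
        require(newDuration <= 365 days, "too long");
        lockDuration = newDuration;              // applies to ALL past deposits
    }

    function deposit(uint256 amount) external {
        balances[msg.sender] += amount;
        depositTimestamps[msg.sender] = block.timestamp;
    }

    function withdraw(uint256 amount) external {
        // Compared against the current global value, so the owner can set it
        // to 0, withdraw, and set it back to 365 days in one bundle of
        // transactions, or raise it and lock everyone for a year.
        if (block.timestamp <= depositTimestamps[msg.sender] + lockDuration) {
            revert("still locked");
        }
        balances[msg.sender] -= amount;
    }
}

/// @notice Hardened pattern: the lock duration in force at deposit time is
/// snapshotted per depositor, so `updateLockDuration` only governs future
/// deposits and an existing lock cannot be lengthened or shortened by the owner.
contract LockedDepositHardened {
    address public owner;
    uint256 public lockDuration;

    struct Lock {
        uint256 balance;
        uint256 unlockTime;   // fixed when the deposit is made
    }
    mapping(address => Lock) public locks;

    // Emitted so users can see a policy change before they deposit.
    event LockDurationUpdated(uint256 oldDuration, uint256 newDuration);

    constructor(uint256 initialLockDuration) {
        owner = msg.sender;
        lockDuration = initialLockDuration;
    }

    function updateLockDuration(uint256 newDuration) external {
        require(msg.sender == owner, "not owner");
        require(newDuration <= 365 days, "too long");
        emit LockDurationUpdated(lockDuration, newDuration);
        lockDuration = newDuration;              // future deposits only
    }

    function deposit(uint256 amount) external {
        Lock storage l = locks[msg.sender];
        uint256 newUnlock = block.timestamp + lockDuration;
        // A top-up may only extend the depositor's own lock, never shorten it,
        // and only as a consequence of the depositor's own transaction.
        if (newUnlock > l.unlockTime) {
            l.unlockTime = newUnlock;
        }
        l.balance += amount;
    }

    function withdraw(uint256 amount) external {
        Lock storage l = locks[msg.sender];
        // Compared against the depositor's own snapshot, not the mutable global.
        if (block.timestamp < l.unlockTime) {
            revert("still locked");
        }
        l.balance -= amount;
    }
}
```

The design choice worth noting for a reviewer: in the hardened variant the owner keeps the ability to tune the policy (the thread's point that the owner controls the treasury is unaffected), but the terms a depositor accepted are the terms enforced on their withdrawal, which is exactly the "conditions should not change mid-contract" expectation raised in the last post. Whether a top-up should extend the whole balance's lock, as written here, or track each deposit separately is a product decision the example does not settle.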