Introducing Code4rena Blue: Dedicated defense. Competitive bounties. Independent judging.Learn more →

Fei Protocol contest
Findings & Analysis Report

2022-01-25

Table of contents

Overview

About C4

Code4rena (C4) is an open organization consisting of security researchers, auditors, developers, and individuals with domain expertise in smart contracts.

A C4 code contest is an event in which community participants, referred to as Wardens, review, audit, or analyze smart contract logic in exchange for a bounty provided by sponsoring projects.

During the code contest outlined in this document, C4 conducted an analysis of Fei Protocol contest smart contract system written in Solidity. The code contest took place between November 30—December 2 2021.

Wardens

22 Wardens contributed reports to the Fei Protocol contest:

  1. WatchPug (jtp and ming)
  2. danb
  3. cmichel
  4. Meta0xNull
  5. loop
  6. 0x0x0x
  7. defsec
  8. gzeon
  9. hickuphh3
  10. TomFrenchBlockchain
  11. Czar102
  12. tqts
  13. jayjonah8
  14. robee
  15. GeekyLumberjack
  16. ye0lde
  17. jierlich
  18. egjlmn1
  19. 0x1f8b
  20. sabtikw
  21. hagrid

This contest was judged by pauliax.

Final report assembled by moneylegobatman and CloudEllie.

Summary

The C4 analysis yielded an aggregated total of 9 unique vulnerabilities and 48 total findings. All of the issues presented here are linked back to their original finding.

Of these vulnerabilities, 0 received a risk rating in the category of HIGH severity, 0 received a risk rating in the category of MEDIUM severity, and 9 received a risk rating in the category of LOW severity.

C4 analysis also identified 14 non-critical recommendations and 25 gas optimizations.

Scope

The code under review can be found within the C4 Fei Protocol contest repository, and is composed of 4 smart contracts written in the Solidity programming language and includes 342 lines of Solidity code.

Severity Criteria

C4 assesses the severity of disclosed vulnerabilities according to a methodology based on OWASP standards.

Vulnerabilities are divided into three primary risk categories: high, medium, and low.

High-level considerations for vulnerabilities span the following key areas when conducting assessments:

  • Malicious Input Handling
  • Escalation of privileges
  • Arithmetic
  • Gas use

Further information regarding the severity criteria referenced throughout the submission review process, please refer to the documentation provided on the C4 website.

Low Risk Findings (9)

Non-Critical Findings (14)

Gas Optimizations (25)

Disclosures

C4 is an open organization governed by participants in the community.

C4 Contests incentivize the discovery of exploits, vulnerabilities, and bugs in smart contracts. Security researchers are rewarded at an increasing rate for finding higher-risk issues. Contest submissions are judged by a knowledgeable security researcher and solidity developer and disclosed to sponsoring developers. C4 does not conduct formal verification regarding the provided code but instead provides final verification.

C4 does not provide any guarantee or warranty regarding the security of this project. All smart contract software should be used at the sole risk and responsibility of users.