Post-Judging QA #906
Replies: 25 comments 77 replies
-
Hey all, thanks for participating in this contest. I could see many of you made a huge effort, more so with such a complex codebase. I would like to give you some background on how I've judged it, so that you can more easily see if I made a mistake.
I think that's about it. This was a difficult contest. All the jumps between contracts and chains made it very difficult. Often the vital checks were many jumps away, and only a deep understanding would be enough to find out the flaws. I tried to be fair, but I'm sure I erred. Correct me, but be compassionate in doing so.
-
Thanks for the good work judging all of these issues ser, I left a comment in #528.
-
Hello judge @alcueca , thank you for your hard work!
If other reports just say that the uint32 value is too small without considering DoS attacks, is my report a duplicate? Also, should DoS attacks be H/M?
-
Greetings @alcueca, Firstly, thanks for the swift judging efforts on a vast & complex system. I want to bring to your attention that I believe issue #679 has incorrectly been duplicated with the issues under #877. Issue #877 concerns the use of signed messages and Virtual Accounts and in what circumstances they can be compromised; however, issue #679 mentions a different root cause that is concerned with unsigned messages (i.e. no Virtual Account) and a particular wrongful assumption in the code when creating settlements that is contained in the
Lastly, I would like to point out that the "honeypot" issue #374 seems to require some degree of circumstance similar to the issues that are currently under #877. I believe the mentioned issues should all be classed as Medium or all be classed as High; please consider re-evaluating.
-
Hi @alcueca, Thanks,
-
Hi @alcueca, thank you for your hard work!
-
Hi @alcueca, thank you for your hard work!
-
Hi @alcueca, thank you for your great effort in this protocol!
-
Hello @alcueca, first of all, thanks for the incredibly good work on judging this contest; the quality of the judging is notorious, great work. I'd like to ask about your comment made on issue #439: which reports are getting full rewards and which ones are getting 50%? I added a comment on #332, just to keep it in the loop in case its main issue's severity is updated. I added a comment on #287; I think that there was a misunderstanding about what I'm reporting. I already tagged the sponsor, but if you could help me bring this issue back to the sponsor's attention, I'd really appreciate it. Thanks for taking the time to check my comments.
-
Hi, below are a few comments:
Thanks
-
Hi @alcueca, Thank you for judging this contest expeditiously. I would like to request your time to review #422, #611 and #881. I have left comments in them. Please also consider selecting #359 instead of #813 as the best report, because it explains the issue better with code and inline comments, and it also has instructions under POC that describe how to verify the issue quickly.
-
Hi @alcueca, Thank you for your judging efforts, it is appreciated! I have left a comment on issue #399. Thank you
-
Hi @alcueca, thank you for your hard work and quick judging on this complex codebase. I have left my comments on #458 and #564. I appreciate you taking the time to read this.
-
Hi @alcueca, Thanks for your judging. I left a comment on #761. Can you please help me to review it? Thank you.
-
Hi @alcueca
-
Left comments on #374
-
Left a comment on #877
-
Left a comment on #679
-
Hey all, I might not be able to respond to every comment until sometime next week. Each one of your appeals takes me a considerable amount of time and effort, and I have little availability until next Monday.
-
Ok, so I'm back at dealing with your questions, all day today. Please allow me to add some more clarity on how I'm going to judge this, so that there is some consistency: To be a High or a Medium in this contest:
If users hurt themselves by doing something that no one told them to do, I'm going to classify that as a QA. There are plenty of Highs and Mediums already, so it is not a very high bar. Not everything can be a Medium or High; there needs to be some grading between reports.
-
Hi judge @alcueca, you marked my submission as a dup of the very common "payableCall lacks access control" issue. However, I am showing that there is a vulnerability inside the function itself to drain ETH. (You need to exploit an overflow in an unchecked block and a trick in a boolean variable.) I am sure you were so busy that you didn't take a look, but the bug is already there. Can you take a second look? I left a comment in #687.
-
The judge for this contest is @alcueca.
Reminders
Thank you!