base on # ENS audit details - Total Prize Pool: $33,050 USDC - HM awards: $16,500 USDC - Analysis awards: $1,000 USDC - QA awards: $500 USDC - Bot Race awards: $1,500 USDC - Gas awards: $500 USDC - Judge awards: $3,600 USDC - Lookout awards: $1,600 USDC - Scout awards: $500 USDC - Mitigation Review: $7,350 USDC (Opportunity goes to top 3 certified wardens based on placement in this audit.) - Join [C4 Discord](https://discord.gg/code4rena) to register - Submit findings [using the C4 form](https://code4rena.com/contests/2023-10-ens/submit) - [Read our guidelines for more details](https://docs.code4rena.com/roles/wardens) - Starts October 5, 2023 20:00 UTC - Ends October 11, 2023 20:00 UTC ## Automated Findings / Publicly Known Issues Automated findings output for the audit can be found [here](https://github.com/code-423n4/2023-10-ens/blob/main/bot-report.md) within 24 hours of audit opening. *Note for C4 wardens: Anything included in the automated findings output is considered a publicly known issue and is ineligible for awards.* [ ⭐️ SPONSORS: Are there any known issues or risks deemed acceptable that shouldn't lead to a valid finding? If so, list them here. ] # Overview ## About ENS ENS is a decentralised naming service built on top of Ethereum, and designed to resolve a wide array of resources including blockchain addresses, decentralised content, and user profile information. Developer documentation can be found [here](https://docs.ens.domains/). Information on existing ENS deployments can be found [here](https://docs.ens.domains/ens-deployments). ## Links - **Previous audits:** n/a - **Documentation:** https://docs.ens.domains - **Website:** https://ens.domains - **Twitter:** https://twitter.com/ensdomains - **Discord:** https://chat.ens.domains # Scope | Contract | SLOC | Purpose | Libraries used | | ----------- | ----------- | ----------- | ----------- | | [contracts/ERC20MultiDelegate.sol](https://github.com/code-423n4/2023-10-ens/blob/main/contracts/ERC20MultiDelegate.sol) | 216 | ERC20Votes compatible multi-delegation contract to manage user votings | [`@openzeppelin/*`](https://openzeppelin.com/contracts/) | ## Out of scope All files not listed above # Additional Context The contract implements a multi-delegation mechanism for ERC20 tokens that support the ERC20Votes extension. This allows users to delegate their voting power to multiple addresses in a single transaction. The contract relies on OpenZeppelin's libraries for standard ERC20 and ERC1155 functionalities. It utilizes Solidity's native features for creating proxy contracts, thereby enabling unique delegation capabilities for each user-delegate pair. The contract does not use any custom cryptographic algorithms, but it employs the ERC20Votes and ERC1155 standards to manage delegation and token metadata, respectively. ## Attack Ideas (Where to look for bugs) - Check for proper permissions and roles. - Ensure that the delegateMulti function handles array inputs correctly. - Validate the logic for transferring between proxy delegators. ## Main Invariants - Tokens should only be transferred between approved delegators. - The owner should only have the ability to change the URI for ERC1155 metadata. ## Scoping Details ``` - If you have a public code repo, please share it here: https://github.com/ensdomains/governance How many contracts are in scope?: 1 Total SLoC for these contracts?: 216 How many external imports are there?: 5 How many separate interfaces and struct definitions are there for the contracts within scope?: 0 Does most of your code generally use composition or inheritance?: Inheritance How many external calls?: Multiple, primarily for ERC20 and ERC1155 functions Overall line coverage percentage provided by your tests?: Stmts: 100%, Branch: 91.67%, Funcs: 100%, Lines 100% Is this an upgrade of an existing system?: No Check all that apply (e.g., timelock, NFT, AMM, ERC20, rollups, etc.): ERC20, ERC1155 Is there a need to understand a separate part of the codebase/get context in order to audit this part of the protocol?: No Describe required context: N/A Does it use an oracle?: No Describe any novel or unique curve logic or mathematical models your code uses: N/A Is this either a fork of or an alternate implementation of another project?: No Does it use a side-chain?: No Describe any specific areas you would like addressed: Multi-delegation logic, proxy delegators ``` # Tests ```bash # install npm packages (if you haven't already) yarn # run in first terminal npx hardhat node # run in another terminal yarn test test/delegatemulti.js # for coverage yarn coverage ``` ", Assign "at most 3 tags" to the expected json: {"id":"3266","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"