Platform: Code4rena
Start Date: 08/03/2023
Pot Size: $60,500 USDC
Total HM: 2
Participants: 123
Period: 7 days
Judge: hansfriese
Id: 220
League: ETH
Rank: 85/123
Findings: 1
Award: $29.67
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0x1f8b, 0x6980, 0xAgro, 0xSolus, 0xhacksmithh, 0xkazim, ABA, BPZ, BowTiedOriole, ChainReview, DadeKuma, DeFiHackLabs, Deathstore, DevABDee, Diana, Dravee, Dug, Englave, Go-Langer, Haipls, IceBear, Inspex, Jeiwan, Kek, Kresh, Madalad, MatricksDeCoder, MyFDsYours, RaymondFam, Rolezn, SAAJ, Sathish9098, Taloner, Udsen, Viktor_Cortess, atharvasama, ayden, brgltd, btk, carlitox477, catellatech, chaduke, codeislight, deadrxsezzz, descharre, erictee, fatherOfBlocks, favelanky, glcanvas, handsomegiraffe, jasonxiale, jekapi, joestakey, lemonr, luxartvinsec, martin, matrix_0wl, minhquanym, mrpathfindr, nadin, oyc_109, parsely, peanuts, pfedprog, rbserver, rokso, saian, santipu_, scokaf, slvDev, tsvetanovv, ubl4nk, ulqiorra, yamapyblack, zaskoh
29.6697 USDC - $29.67
All functions in scope operate under Solidity 0.8.19. Solidity 0.8.19 as of the start of the contest, is less than 3 weeks old.
By using a compiler version early you are volunteering as guinea pigs for potential bugs when it is not necessary. As an example in Solidity 0.8.13, a compiler bug was found 81 days after the release announcement (see links).
Consider downgrading contracts of version less 0.8.19 to a more battle-tested Solidity version.
The getReward function of BYTES2.sol is callable on behalf of any user. There is a comment that states:
This function is called by the S1 Citizen contract to emit BYTES to callers
If the desire is to have getReward only callable by the S1 Citizen contract, consider adding a check that the caller is the S1 Citizen contract only.
By having an external rewards function callable on behalf of users, there is a risk of funds being lost through external user contract assumptions.
There are some instances of precision loss from a divide before mulitply:
1155: uint256 points = amount * 100 / 1e18 * timelockMultiplier / _DIVISOR; 1388: uint256 share = points * _PRECISION / pool.totalPoints * totalReward; 1623: uint256 points = amount * 100 / 1e18 * lpPosition.multiplier / _DIVISOR;
For large inputs, the wrong values are calculated. Consider doing all multiplication before division in all expressions.
The stake and withdraw functions use ambiguous calldata that depends on the underlying function being called.
For example this comment states:
The third parameter is overloaded to have different meaning depending on the
assetTypeselected.
There is no checks in either the underlying stake or withdraw functions that makes sure the user parameters are reasonable inputs. If a user accidently uses the wrong parameters, it can result in unwanted actions. Consider making each action a different function or add input sanitation if possible.
There are some spelling mistakes throughout the codebase. Spelling mistakes can confuse readers and possibly result in uninformed user decisions. Consider fixing all spelling mistakes. The following were not found in the automated report.
contracts/staking/NeoTokyoStaker.sol
time is misspelled as tiume.citizen is misspelled as ctiizen.configured is misspelled as configued.entirety is misspelled as entireity.function is misspelled as funciton.Consider respecting your code:
/contracts/staking/NeoTokyoStaker.sol
1335: // We have no forward goto and thus include this bastardry.
In the NeoTokyoStaker.sol contract the Stake and Withdraw events have a multivariate parameter amountOrTokenId. Consider making individual events per staking type.
#0 - c4-judge
2023-03-17T03:03:17Z
hansfriese marked the issue as grade-b