Infinity NFT Marketplace contest - 0xNazgul's results

Missing Zero-address Validation

Severity: Low Context: InfinityExchange.sol#L104-L117, InfinityExchange.sol#L1235-L1257, InfinityStaker.sol#L49-L52, InfinityStaker.sol#L375-L377, InfinityToken.sol#L37-L56

Description: Lack of zero-address validation on address parameters may lead to reverts and force contract redeployments.

Recommendation: Add explicit zero-address validation on input parameters of address type.

Missing Equivalence Checks in Setters

Severity: Low Context: InfinityExchange.sol#L1235-L1269, InfinityStaker.sol#L351-L377

Description: Setter functions are missing checks to validate if the new value being set is the same as the current value already set in the contract. Such checks will showcase mismatches between on-chain and off-chain states.

Recommendation: Add in the additional checks to validate if the new value being set is the same as the current value already set in the contract.

Missing Time locks

Severity: Low Context: InfinityExchange.sol#L1235-L1252, InfinityStaker.sol#L351-L372

Description: None of the onlyOwner functions that change critical protocol addresses/parameters appear to have a time lock for a time-delayed change to alert: (1) users and give them a chance to engage/exit protocol if they are not agreeable to the changes (2) team in case of compromised owner(s) and given them a chance to perform incident response.

Recommendation: Add a time lock to these functions for a time-delayed change to alert users and protect against possible malicious changes by compromised owners(s).

Lack of Event Emission For Critical Functions

Severity: Low Context: InfinityExchange.sol#L1220-L1257, InfinityStaker.sol#L345-L377

Description: Several functions update critical parameters that are missing event emission. These should be performed to ensure tracking of changes of such critical parameters.

Recommendation: Add events to functions that change critical parameters.

receive() Function Should Emit An Event

Severity: Low Context: InfinityExchange.sol#L121, InfinityStaker.sol#L57

Description: Consider emitting an event inside this function with msg.sender and msg.value as the parameters. This would make it easier to track incoming ether transfers.

Recommendation: Add events to the receive() functions.

Unclear Revert Messages

Severity Informational Context: InfinityExchange.sol#L263,

Description: Some revert messages are unclear which can lead to confusion. Unclear revert messages may cause misunderstandings on reverted transactions.

Recommendation: Make revert messages more clear.

Use Underscores for Number Literals

Severity: Informational Context: InfinityExchange.sol#L61, InfinityStaker.sol#L33-L136

Description: There are multiple occasions where certain numbers have been hardcoded, either in variables or in the code itself. Large numbers can become hard to read.

Recommendation: Consider using underscores for number literals to improve its readability.

Unindexed Event Parameters

Severity Informational Context: InfinityExchange.sol#L80-L102, InfinityToken.sol#L35

Description: Parameters of certain events are expected to be indexed so that they’re included in the block’s bloom filter for faster access. Failure to do so might confuse off-chain tooling looking for such indexed events.

Recommendation: Add the indexed keyword to event parameters that should include it.

Variable Naming Convention

Severity Informational Context: InfinityStaker.sol#L23 (userstakedAmount => userStakedAmount), InfinityStaker.sol#L120 (vestedsixMonths => vestedSixMonths)

Description: The linked variables do not conform to the standard naming convention of Solidity whereby functions and variable names utilize the camelCase format.

Recommendation: Naming conventions utilized by the linked statements are adjusted to reflect the correct type of declaration according to the Solidity style guide.

Spelling Errors

Severity: Informational Context: InfinityExchange.sol#L58 (adress => address), InfinityExchange.sol#L77 (storate => storage), InfinityExchange.sol#L1260 (updateWethTranferGas => updateWethTransferGas), InfinityOrderBookComplication.sol#L255 (dont => do not), InfinityStaker.sol#L112 (untake => Unstake)

Description: Spelling errors in comments can cause confusion to both users and developers.

Recommendation: Check all misspellings to ensure they are corrected.

Missing or Incomplete NatSpec

Severity: Informational Context: All Contracts

Description: Some functions are missing @notice/@dev NatSpec comments for the function, @param for all/some of their parameters and @return for return values. Given that NatSpec is an important part of code documentation, this affects code comprehension, auditability and usability.

Recommendation: Add in full NatSpec comments for all functions to have complete code documentation for future use.

Be Aware of the Elastic Supply Tokens

Severity: Informational Context: All Contracts

Description: Elastic supply tokens could dynamically adjust their price, supply, user's balance, etc. Such a mechanism makes a DeFi system complex, while many security accidents are caused by the elastic tokens. For example, a DEX using deflationary token must double check the token transfer amount when taking swap action because of the difference of actual transfer amount and parameter.

Recommendation: In terms of confidentiality, integrity and availability, it is highly recommend that one should not use elastic supply tokens.

Too Recent of a Pragma

Severity Informational Context: All Contracts

Description: Using too recent of a pragma is risky since they are not battle tested. A rise of a bug that wasn't known on release would cause either a hack or a need to secure funds and redeploy.

Recommendation: Use a Pragma version that has been used for sometime. I would suggest 0.8.4 for the decrease of risk and still has the gas optimizations implemented.

In require(), Use != 0 Instead of > 0 With Uint Values

Context: InfinityExchange#L390-L402 (For L392)

Description: In a require, when checking a uint, using != 0 instead of > 0 saves 6 gas. This will jump over or avoid an extra ISZERO opcode.

Recommendation: Use != 0 instead of > 0 with uint values but only in require() statements.

State Variables That Can Be Set To Immutable

Context: InfinityStaker#L25

Description: Solidity 0.6.5 introduced immutable as a major feature. It allows setting contract-level variables at construction time which gets stored in code rather than storage. Each call to it reads from storage, using a sload costing 2100 gas cold or 100 gas warm. Setting it to immutable will have each storage read of the state variable to be replaced by the instruction push32 value, where value is set during contract construction time and this costs only 3 gas.

Recommendation: Set the state variable to immutable

Setting The Constructor To Payable

Context: All Contracts

Description: You can cut out 10 opcodes in the creation-time EVM bytecode if you declare a constructor payable. Making the constructor payable eliminates the need for an initial check of msg.value == 0 and saves 21 gas on deployment with no security risks.

Recommendation: Set the constructor to payable.

Function Ordering via Method ID

Context: All Contracts

Description: Contracts most called functions could simply save gas by function ordering via Method ID. Calling a function at runtime will be cheaper if the function is positioned earlier in the order (has a relatively lower Method ID) because 22 gas are added to the cost of a function for every position that came before it. The caller can save on gas if you prioritize most called functions. One could use This tool to help find alternative function names with lower Method IDs while keeping the original name intact.

Recommendation: Find a lower method ID name for the most called functions for example mostCalled() vs. mostCalled_41q() is cheaper by 44 gas.