Platform: Code4rena
Start Date: 12/07/2022
Pot Size: $75,000 USDC
Total HM: 16
Participants: 100
Period: 7 days
Judge: LSDan
Total Solo HM: 7
Id: 145
League: ETH
Rank: 48/100
Findings: 2
Award: $123.53
π Selected for report: 0
π Solo Findings: 0
π Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 8olidity, Aussie_Battlers, Bnke0x0, Ch_301, Critical, Deivitto, Dravee, ElKu, Funen, GimelSec, JC, JohnSmith, Lambda, MiloTruck, PwnedNoMore, ReyAdmirado, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, TomJ, Waze, _Adam, __141345__, alan724, asutorufos, benbaessler, berndartmueller, bin2chen, brgltd, bulej93, c3phas, cRat1st0s, cryptonue, cryptphi, csanuragjain, delfin454000, dxdv, exd0tpy, fatherOfBlocks, gogo, hake, hyh, joestakey, kyteg, lcfr_eth, minhtrng, p_crypt0, pashov, pedr02b2, philogy, rajatbeladiya, rbserver, rishabh, robee, rokinot, sach1r0, sashik_eth, seyni, simon135, svskaushik, zuhaibmohd, zzzitron
83.5693 USDC - $83.57
Severity: Low
Context: DNSSECImpl.sol#L58-L72, ReverseRegistrar.sol#L51-L57
Description: Setter functions are missing checks to validate if the new value being set is the same as the current value already set in the contract. Such checks will showcase mismatches between on-chain and off-chain states.
Recommendation: This may hinder detecting discrepancies between on-chain and off-chain states leading to flawed assumptions of on-chain state and protocol behavior.
Severity: Informational
Context: ReverseRegistrar.sol#L16
Description: There is commented code that makes the code messy and unneeded.
Recommendation: Remove the commented out code.
Severity: Informational
Context: DNSSECImpl.sol#L238
Description: There should never be any TODOs in the code when deploying.
Recommendation: Finish the TODOs before deploying.
Severity: Informational
Context: SHA1.sol, Owned.sol, DNSSEC.sol, ETHRegistrarController.sol, ERC1155Fuse.sol, Controllable.sol`
Description: Some functions are missing @notice/@dev NatSpec comments for the function, @param for all/some of their parameters and @return for return values. Given that NatSpec is an important part of code documentation, this affects code comprehension, auditability and usability.
Recommendation: Add in full NatSpec comments for all functions to have complete code documentation for future use.
Severity: Informational
Context: BytesUtils.sol#L35 (codepoints => code points), RRUtils.sol#L282 (bitshifting => bit shifting), ReverseRegistrar.sol#L40 (authorised => authorized), ReverseRegistrar.sol#L46 (authorised => authorized), ReverseRegistrar.sol#L80 (authorised => authorized), ReverseRegistrar.sol#L126 (authorised => authorized), ReverseRegistrar.sol#L156 (optimised => optimized), NameWrapper.sol#L152 (Unauthorised => Unauthorized), NameWrapper.sol#L202 (authorised => authorized), NameWrapper.sol#L241 (authorised => authorized), NameWrapper.sol#L266 (authorised => authorized), NameWrapper.sol#L282 (_normaliseExpiry => _normalizeExpiry), NameWrapper.sol#L289 (authorised => authorized), NameWrapper.sol#L315 (Unauthorised => Unauthorized), NameWrapper.sol#L370 (PARENT_CANOT_CONTROL => PARENT_CANNOT_CONTROL), NameWrapper.sol#L381 (Unauthorised => Unauthorized), NameWrapper.sol#L482 (_normaliseExpiry => _normalizeExpiry), NameWrapper.sol#L518 (_getDataAndNormaliseExpiry => _getDataAndNormalizeExpiry), NameWrapper.sol#L534 (regsitry => registry), NameWrapper.sol#L554 (_getDataAndNormaliseExpiry => _getDataAndNormalizeExpiry), NameWrapper.sol#L825 (_getDataAndNormaliseExpiry => _getDataAndNormalizeExpiry), NameWrapper.sol#L842 (_normaliseExpiry => _normalizeExpiry), NameWrapper.sol#L846 (_getETH2LDDataAndNormaliseExpiry => _getETH2LDDataAndNormalizeExpiry), NameWrapper.sol#L863 (_normaliseExpiry => _normalizeExpiry), NameWrapper.sol#L867 (_normaliseExpiry => _normalizeExpiry), NameWrapper.sol#L897 (_getETH2LDDataAndNormaliseExpiry => _getETH2LDDataAndNormalizeExpiry)
Description: Spelling errors in comments can cause confusion to both users and developers.
Recommendation: Check all misspellings to ensure they are corrected.
ABIEncoderV2 With 0.8+Severity: Informational
Context: DNSSECImpl.sol, DNSSEC.sol
Description:
ABIEncoderV2 is being stated in a solidity version 0.8+ which is not needed since ABIEncoderV2 is activated by default 0.8+.
Recommendation:
remove pragma experimental ABIEncoderV2;.
Severity: Informational
Context: IBaseRegistrar.sol
Description: This contract is missing the SPDX license Identifier before the pragma version.
Recommendation: Consider adding the SPDX license.
Severity: Informational
Context: IBaseRegistrar.sol
Description: This contract is missing the pragma version.
Recommendation: Consider adding the pragma version.
Severity: Informational
Context: All Contracts
Description: Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
Recommendation: Lock the pragma version.
Severity: Informational
Context: All Contracts
Description: Using very old versions of Solidity prevents benefits of bug fixes and newer security checks. Using the latest versions might make contracts susceptible to undiscovered compiler bugs.
Recommendation: Consider using the most recent version.
#0 - dmvt
2022-09-08T10:57:53Z
British English spellings should not be considered spelling errors.
π Selected for report: 0xKitsune
Also found by: 0x040, 0x1f8b, 0x29A, 0xNazgul, 0xNineDec, 0xsam, 8olidity, Aussie_Battlers, Aymen0909, Bnke0x0, CRYP70, Ch_301, Chom, Deivitto, Dravee, ElKu, Fitraldys, Funen, GimelSec, IllIllI, JC, JohnSmith, Lambda, MiloTruck, Noah3o6, RedOneN, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Tomio, Waze, _Adam, __141345__, ajtra, ak1, arcoun, asutorufos, benbaessler, brgltd, bulej93, c3phas, cRat1st0s, cryptonue, delfin454000, durianSausage, fatherOfBlocks, gogo, hake, hyh, joestakey, karanctf, kyteg, lcfr_eth, lucacez, m_Rassska, rajatbeladiya, rbserver, robee, rokinot, sach1r0, sahar, samruna, sashik_eth, seyni, simon135, zuhaibmohd
39.9648 USDC - $39.96
Context: RRUtils.sol, ETHRegistrarController.sol, ReverseRegistrar.sol, BytesUtil.sol, ERC1155Fuse.sol, Controllable.sol
Description: To save some gas the use of custom errors leads to cheaper deploy time cost and run time cost. The run time cost is only relevant when the revert condition is met.
Recommendation: Use Custom Errors instead of strings.
++index instead of index++ to increment a loop counterContext: BytesUtils.sol#L266, BytesUtils.sol#L313, DNSSECImpl.sol#L93, ETHRegistrarController.sol#L256, ERC1155Fuse.sol#L92, ERC1155Fuse.sol#L205
Description:
Due to reduced stack operations, using ++index saves 5 gas per iteration.
Recommendation:
Use ++index to increment a loop counter.
Context: BytesUtils.sol#L266, BytesUtils.sol#L313, DNSSECImpl.sol#L93, ETHRegistrarController.sol#L256, ERC1155Fuse.sol#L92, ERC1155Fuse.sol#L205
Description:
(This is only relevant if you are using the default solidity checked arithmetic). i++ involves checked arithmetic, which is not required. This is because the value of i is always strictly less than length <= 2**256 - 1. Therefore, the theoretical maximum value of i to enter the for-loop body is 2**256 - 2. This means that the i++ in the for loop can never overflow. Regardless, the overflow checks are performed by the compiler.
Unfortunately, the Solidity optimizer is not smart enough to detect this and remove the checks. One can manually do this by:
for (uint i = 0; i < length; i = unchecked_inc(i)) { // do something that doesn't change the value of i } function unchecked_inc(uint i) returns (uint) { unchecked { return i + 1; } }
Note that itβs important that the call to unchecked_inc is inlined. This is only possible for solidity versions starting from 0.8.2.
Recommendation: The increment in the for loop post condition can be made unchecked.
Context: BytesUtils.sol#L266, DNSSECImpl.sol#L93, RRUtils.sol#L310, ETHRegistrarController.sol#L256, ERC1155Fuse.sol#L92, ERC1155Fuse.sol#L205
Description: One can save gas by caching the array length (in stack) and using that set variable in the loop. Replace state variable reads and writes within loops with local variable reads and writes. This is done by assigning state variable values to new local variables, reading and/or writing the local variables in a loop, then after the loop assigning any changed local variables to their equivalent state variables.
Recommendation:
Simply do something like so before the for loop: uint length = variable.length. Then add length in place of variable.length in the for loop.
Context: All Contracts
Description:
Contracts most called functions could simply save gas by function ordering via Method ID. Calling a function at runtime will be cheaper if the function is positioned earlier in the order (has a relatively lower Method ID) because 22 gas are added to the cost of a function for every position that came before it. The caller can save on gas if you prioritize most called functions. One could use This tool to help find alternative function names with lower Method IDs while keeping the original name intact.
Recommendation:
Find a lower method ID name for the most called functions for example mostCalled() vs. mostCalled_41q() is cheaper by 44 gas.
Context: All Contracts
Description:
You can cut out 10 opcodes in the creation-time EVM bytecode if you declare a constructor payable. Making the constructor payable eliminates the need for an initial check of msg.value == 0 and saves 21 gas on deployment with no security risks.
Recommendation: Set the constructor to payable.