Rigor Protocol contest - Bnke0x0's results

Community lending and instant payments for new home construction.

General Information

Platform: Code4rena

Start Date: 01/08/2022

Pot Size: $50,000 USDC

Total HM: 26

Participants: 133

Period: 5 days

Judge: Jack the Pug

Total Solo HM: 6

Id: 151

League: ETH

Rigor Protocol

Findings Distribution

Researcher Performance

Rank: 91/133

Findings: 2

Award: $62.34

🌟 Selected for report: 0

🚀 Solo Findings: 0

[L-01] Missing checks for address(0x0) when assigning values to address state variables:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L56#L57 :

    _decimals = decimals_;
    communityContract = _communityContract;

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L53#L54:

    underlying = _underlying;
    homeFi = _homeFi;

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L70 :

    underlying = _underlying;

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L87:

    _clone = ClonesUpgradeable.clone(underlying);

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L80:

    homeFi = IHomeFi(_homeFi);

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L114#L119 :

    treasury = _treasury;
    lenderFee = _lenderFee; // the percentage must be multiplied with 10
    tokenCurrency1 = _tokenCurrency1;
    tokenCurrency2 = _tokenCurrency2;
    tokenCurrency3 = _tokenCurrency3;
    trustedForwarder = _forwarder;

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L145#L151:

    projectFactoryInstance = IProjectFactory(_projectFactory);
    communityContract = _communityContract;
    disputesContract = _disputesContract;
    wrappedToken[tokenCurrency1] = _hTokenCurrency1;
    wrappedToken[tokenCurrency2] = _hTokenCurrency2;
    wrappedToken[tokenCurrency3] = _hTokenCurrency3;
    addrSet = true;

  8. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L165 :

    admin = _newAdmin;

  9. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L179:

    treasury = _newTreasury;

  10. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L194:

    lenderFee = _newLenderFee;

  11. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L206 :

    trustedForwarder = _newForwarder;

  12. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L103 :

    builder = _sender;

  13. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L156:

    contractorDelegated = _bool;

  14. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L772 :

    totalLent -= _amount;

[L-02] Front-runnable initializer:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L43#L48 :

    function initialize(
        address _communityContract,
        string memory name_,
        string memory symbol_,
        uint8 decimals_
    ) external override initializer {

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L45#L51:

    function initialize(address _underlying, address _homeFi)
        external
        override
        initializer
        nonZero(_underlying)
        nonZero(_homeFi)
    {
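The two low-severity points above (L-01 and L-02) are usually addressed together: every address that reaches storage passes a zero-address modifier, and the implementation contract locks its own initializer in the constructor so that only the proxy can ever run `initialize`. The contract below is an added illustration written for this report, not code from the Rigor repository; the name `ExampleVault`, the `replaceAdmin` function and the revert strings are hypothetical, and it assumes OpenZeppelin's upgradeable `Initializable` (4.6 or later, which provides `_disableInitializers`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

/// Hypothetical example contract; not part of the Rigor code base.
contract ExampleVault is Initializable {
    address public underlying;
    address public homeFi;
    address public admin;

    event AdminChanged(address indexed oldAdmin, address indexed newAdmin);

    /// Rejects the zero address before it can be written to storage (L-01).
    modifier nonZero(address _address) {
        require(_address != address(0), "ExampleVault::0 address");
        _;
    }

    /// Marks the implementation itself as initialized, so initialize() can
    /// only run through a proxy; this removes the window in which anyone
    /// could call initialize() on the bare implementation (L-02).
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    /// The proxy deployer should pass this call as the proxy's init data,
    /// so proxy deployment and initialization happen in one transaction
    /// and no other party can claim admin in between.
    function initialize(address _underlying, address _homeFi)
        external
        initializer
        nonZero(_underlying)
        nonZero(_homeFi)
    {
        underlying = _underlying;
        homeFi = _homeFi;
        admin = msg.sender;
    }

    /// Setters that replace an address get the same check as the initializer,
    /// plus a no-op guard so an accidental repeat does not emit a misleading event.
    function replaceAdmin(address _newAdmin) external nonZero(_newAdmin) {
        require(msg.sender == admin, "ExampleVault::!Admin");
        require(_newAdmin != admin, "ExampleVault::!Change");
        emit AdminChanged(admin, _newAdmin);
        admin = _newAdmin;
    }
}
```

The `initializer` modifier alone only guarantees that `initialize` runs once; it does not decide who runs it first. The constructor lock closes that gap for the implementation, and deploying the proxy with the init call in its constructor data closes it for the proxy.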

[L-03] Use a more recent version of solidity:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L1 :

    // SPDX-License-Identifier: MIT

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L1 :

    // SPDX-License-Identifier: MIT

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L1 :

    // SPDX-License-Identifier: MIT

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L1 :

    // SPDX-License-Identifier: MIT

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L1 :

    // SPDX-License-Identifier: MIT

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L1 :

    // SPDX-License-Identifier: MIT

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L1 :

    // SPDX-License-Identifier: MIT

  8. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/SignatureDecoder.sol#L1 :

    // SPDX-License-Identifier: MIT

  9. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/Tasks.sol#L1 :

    // SPDX-License-Identifier: MIT

[L-04] Upgradeable contract is missing a __gap[50] storage variable to allow for new storage variables in later versions:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L11 :

    contract DebtToken is IDebtToken, ERC20Upgradeable {

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L16#l20 :

    contract ProjectFactory is IProjectFactory, Initializable, ERC2771ContextUpgradeable {

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L14 :

    contract HomeFiProxy is OwnableUpgradeable {

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L17#L21 :

    contract Disputes is IDisputes, ReentrancyGuardUpgradeable, ERC2771ContextUpgradeable {

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L27#L32 :

    contract HomeFi is IHomeFi, ReentrancyGuardUpgradeable, ERC721URIStorageUpgradeable, ERC2771ContextUpgradeable {

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L24#L28 :

    contract Project is IProject, ReentrancyGuardUpgradeable, ERC2771ContextUpgradeable {

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L21#L26 :

    contract Community is ICommunity, PausableUpgradeable, ReentrancyGuardUpgradeable, ERC2771ContextUpgradeable {
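The storage-gap reservation that L-04 refers to matters for a contract that sits in an inheritance chain under other upgradeable contracts: without the gap, adding a variable to the base in a later version shifts every slot of the child and corrupts its state. The pair below is an added illustration for this report, not code from the Rigor repository; `ExampleBase`, `ExampleChild` and their members are hypothetical, and it assumes OpenZeppelin's upgradeable `Initializable` (4.4.1 or later, for `onlyInitializing`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

/// Hypothetical base contract that upgradeable children inherit from.
abstract contract ExampleBase is Initializable {
    /// First slot of this contract's storage region.
    address public homeFi;

    function __ExampleBase_init(address _homeFi) internal onlyInitializing {
        require(_homeFi != address(0), "ExampleBase::0 address");
        homeFi = _homeFi;
    }

    /// Reserved slots. When a later version of ExampleBase adds a state
    /// variable, it is declared above this array and the array shrinks to
    /// uint256[49], so the total size of the base's region stays at 51 slots
    /// and every child variable keeps the slot it was deployed with.
    uint256[50] private __gap;
}

/// Hypothetical child; its storage starts after the base's 51 slots.
contract ExampleChild is ExampleBase {
    uint256 public counter;

    function initialize(address _homeFi) external initializer {
        __ExampleBase_init(_homeFi);
    }

    function bump() external returns (uint256) {
        return ++counter;
    }
}
```

A leaf contract that nothing inherits from does not need the gap, because new variables can simply be appended after its existing ones; the reservation is for contracts that others build on. Tooling such as the OpenZeppelin upgrades plugin compares storage layouts across versions and will flag a shifted slot before the upgrade is sent.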

[N-01] Adding a return statement when the function defines a named return variable, is redundant :-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L83 :

    return _decimals;

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L104 :

    return IHomeFi(homeFi).isTrustedForwarder(_forwarder);

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L169 :

    return contractsActive[_address];

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L182 :

    return contractAddress[_contractName];

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L193 :

    return homeFi.isTrustedForwarder(_forwarder);

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L565 :

    return _changeOrderedTask;

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L628 :

    return _members;

[N-02] constants should be defined rather than using magic numbers:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/SignatureDecoder.sol#L25 :

    if (messageSignatures.length % 65 != 0) {

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/SignatureDecoder.sol#L35 :

    if (v != 27 && v != 28) {

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L394 :

    (_projectInstance.lenderFee() + 1000);

[N-03] Use a more recent version of solidity (Use a solidity version of at least 0.8.12 to get string.concat() to be used instead of abi.encodePacked(<str>,<str>)):-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/SignatureDecoder.sol#L3 :

pragma solidity 0.8.6;

[N-04] Use of sensitive/non-inclusive terms:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L582 :

bool _exceedLimit;

[N-05] public functions not called by the contract should be declared external instead :-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L82#L105 :

    function decimals() public view virtual override returns (uint8) {
        return _decimals;
    }

    /*******************************************************************************
     * ----------------------------PUBLIC TRANSACTIONS---------------------------- *
     *******************************************************************************/

    /// @notice blocked implementation
    function transferFrom(
        address, /* _sender */
        address, /* _recipient */
        uint256 /* _amount */
    ) public pure override(ERC20Upgradeable, IERC20Upgradeable) returns (bool) {
        revert("DebtToken::blocked");
    }

    /// @notice blocked implementation
    function transfer(
        address, /* recipient */
        uint256 /* amount */
    ) public pure override(ERC20Upgradeable, IERC20Upgradeable) returns (bool) {
        revert("DebtToken::blocked");
    }

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L98#L103 :

    function isTrustedForwarder(address _forwarder)
        public
        view
        override(ERC2771ContextUpgradeable, IProjectFactory)
        returns (bool)
    {

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L168#L172 :

    function assertMember(
        address _project,
        uint256 _taskID,
        address _address
    ) public view override {

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L187#L192 :

    function isTrustedForwarder(address _forwarder)
        public
        view
        override(ERC2771ContextUpgradeable, IDisputes)
        returns (bool)
    {

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L253#L271 :

    function validCurrency(address _currency) public view override {
        // _currency must be one of HomeFi supported currencies
        require(
            _currency == tokenCurrency1 ||
                _currency == tokenCurrency2 ||
                _currency == tokenCurrency3,
            "HomeFi::!Currency"
        );
    }

    /// @inheritdoc IHomeFi
    function isTrustedForwarder(address _forwarder)
        public
        view
        override(ERC2771ContextUpgradeable, IHomeFi)
        returns (bool)
    {
        return trustedForwarder == _forwarder;
    }

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L705#L733 :

    function projectCost() public view override returns (uint256 _cost) {
        // Local instance of taskCount. To save gas.
        uint256 _length = taskCount;

        // Iterate over all tasks to sum their cost
        for (uint256 _taskID = 1; _taskID <= _length; _taskID++) {
            _cost += tasks[_taskID].cost;
        }
    }

    /// @inheritdoc IProject
    function getAlerts(uint256 _taskID)
        public
        view
        override
        returns (bool[3] memory _alerts)
    {
        return tasks[_taskID].getAlerts();
    }

    /// @inheritdoc IProject
    function isTrustedForwarder(address _forwarder)
        public
        view
        override(ERC2771ContextUpgradeable, IProject)
        returns (bool)
    {
        return homeFi.isTrustedForwarder(_forwarder);
    }

#0 - zgorizzo69

2022-08-08T18:42:06Z

L-01 If you look at the modifiers, a lot of them actually check against address(0).
L-03 Why?
L-04 Only applicable for base contracts; the mentioned contracts don't inherit from a base class that is missing a gap.
N-5 Please note that not all the functions can be made external, as they are part of overridden base functions.
N-4 What has it to do with security and gas optimization!?
N-3 We need to be able to decode, so using string concat is not ideal.
N-1 None of these functions returned a named return variable.

[G-01] State variables only set in the constructor should be declared immutable :-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L16 :

    uint8 internal _decimals;

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L23 :

    address public override communityContract;

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L25#L28 :

    /// @inheritdoc IProjectFactory
    address public override underlying;
    /// @inheritdoc IProjectFactory
    address public override homeFi;

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L19#L23 :

    /// @notice Address of proxy admin
    ProxyAdmin public proxyAdmin;

    /// @notice bytes2 array of upgradable contracts initials
    bytes2[] public allContractNames;

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L26#L29 :

    /// @inheritdoc IDisputes
    IHomeFi public override homeFi;
    /// @inheritdoc IDisputes
    uint256 public override disputeCount; //starts from 0

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L37#L60 :

    /// @inheritdoc IHomeFi
    address public override tokenCurrency1;
    /// @inheritdoc IHomeFi
    address public override tokenCurrency2;
    /// @inheritdoc IHomeFi
    address public override tokenCurrency3;
    /// @inheritdoc IHomeFi
    IProjectFactory public override projectFactoryInstance;
    /// @inheritdoc IHomeFi
    address public override disputesContract;
    /// @inheritdoc IHomeFi
    address public override communityContract;
    /// @inheritdoc IHomeFi
    bool public override addrSet;
    /// @inheritdoc IHomeFi
    address public override admin;
    /// @inheritdoc IHomeFi
    address public override treasury;
    /// @inheritdoc IHomeFi
    uint256 public override lenderFee;
    /// @inheritdoc IHomeFi
    uint256 public override projectCount;
    /// @inheritdoc IHomeFi
    address public override trustedForwarder;

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L51#L82 :

    /// @inheritdoc IProject
    IHomeFi public override homeFi;
    /// @inheritdoc IProject
    IDebtToken public override currency;
    /// @inheritdoc IProject
    uint256 public override lenderFee;
    /// @inheritdoc IProject
    address public override builder;
    /// @inheritdoc IProject
    uint256 public constant override VERSION = 25000;

    /*******************************************************************************
     * ---------------------VARIABLE PUBLIC STORED PROPERTIES--------------------- *
     *******************************************************************************/

    /// @inheritdoc IProject
    address public override contractor;
    /// @inheritdoc IProject
    bool public override contractorConfirmed;
    /// @inheritdoc IProject
    uint256 public override hashChangeNonce;
    /// @inheritdoc IProject
    uint256 public override totalLent;
    /// @inheritdoc IProject
    uint256 public override totalAllocated;
    /// @inheritdoc IProject
    uint256 public override taskCount;
    /// @inheritdoc IProject
    bool public override contractorDelegated;
    /// @inheritdoc IProject
    uint256 public override lastAllocatedTask;
    /// @inheritdoc IProject
    uint256 public override lastAllocatedChangeOrderTask;

  8. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L33#L35 :

    address internal tokenCurrency1;
    address internal tokenCurrency2;
    address internal tokenCurrency3;

  9. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L48#L57 :

    IHomeFi public override homeFi;

    /*******************************************************************************
     * ---------------------VARIABLE PUBLIC STORED PROPERTIES--------------------- *
     *******************************************************************************/

    /// @inheritdoc ICommunity
    bool public override restrictedToAdmin;
    /// @inheritdoc ICommunity
    uint256 public override communityCount;

[G-02] x = x + y is cheaper than x += y :-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L431 :

    totalAllocated -= _withdrawDifference;

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L456:

    totalAllocated -= _taskCost;

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L616 :

    _costToAllocate -= _taskCost;

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L663:

    _costToAllocate -= _taskCost;

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L772:

    totalLent -= _amount;

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L798 :

    _interest -= _repayAmount;

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L440:

    totalAllocated += _newCost - _taskCost;

  8. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L771 :

    _cost += tasks[_taskID].cost;

  9. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L423:

    .totalLent += _amountToProject;

  10. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L435:

    lentAmount += _lendingAmount;

[G-03] <array>.length should not be looked up in every loop of a for-loop :-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L603 :

    for (; i < _changeOrderedTask.length; i++) {

[G-04] Use prefix not postfix in loops (Using a prefix increment (++i) instead of a postfix increment (i++) saves gas for each loop cycle and so can have a big gas impact when the loop executes on a large number of elements.) :-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L87 :

    for (uint256 i = 0; i < _length; i++) {

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L136:

    for (uint256 i = 0; i < _length; i++) {

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L248 :

    for (uint256 i = 0; i < _length; i++) {

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L311:

    for (uint256 i = 0; i < _length; i++) {

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L322:

    for (uint256 i = 0; i < _length; i++) {

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L368 :

    for (uint256 _taskID = 1; _taskID <= _length; _taskID++) {

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L603:

    for (; i < _changeOrderedTask.length; i++) {

  8. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L625 :

    _loopCount++;

  9. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L650:

    for (++j; j <= taskCount; j++) {

  10. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L672:

    _loopCount++;

  11. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L710:

    for (uint256 _taskID = 1; _taskID <= _length; _taskID++) {

  12. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L140:

    communityCount++;

  13. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L266:

    _community.publishNonce = ++_community.publishNonce;

  14. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L624:

    for (uint256 i = 0; i < _communities[_communityID].memberCount; i++) {

  15. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/Tasks.sol#L181:

    for (uint256 i = 0; i < _length; i++) _alerts[i] = _self.alerts[i];

[G-05] Not using the named return variables when a function returns, wastes deployment gas :-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L83 :

    return _decimals;

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L104:

    return IHomeFi(homeFi).isTrustedForwarder(_forwarder);

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L169 :

    return contractsActive[_address];

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L182:

    return contractAddress[_contractName];

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L193:

    return homeFi.isTrustedForwarder(_forwarder);

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L565 :

    return _changeOrderedTask;

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L628 :

    return _members;

[G-06] Using > 0 costs more gas than != 0 when used on a uint in a require() statement :-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L106#L109 :

    require( _actionType > 0 && _actionType <= uint8(ActionType.TaskPay), "Disputes::!ActionType" );

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L195:

    require(_cost > 0, "Project::!value>0");

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L764 :

    require(_repayAmount > 0, "Community::!repay");

[G-07] It costs more gas to initialize variables to zero than to let the default of zero be applied :-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L87 :

    for (uint256 i = 0; i < _length; i++) {

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L136:

    for (uint256 i = 0; i < _length; i++) {

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L248 :

    for (uint256 i = 0; i < _length; i++) {

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L311:

    for (uint256 i = 0; i < _length; i++) {

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L322:

    for (uint256 i = 0; i < _length; i++) {

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L624:

    for (uint256 i = 0; i < _communities[_communityID].memberCount; i++) {

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/Tasks.sol#L181:

    for (uint256 i = 0; i < _length; i++) _alerts[i] = _self.alerts[i];

  8. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L636:

    lastAllocatedChangeOrderTask = 0;

  9. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L793:

    _interest = 0;

[G-08] Splitting require() statements that use && saves gas :-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L61#L65 :

    require( _disputeID < disputeCount && disputes[_disputeID].status == Status.Active, "Disputes::!Resolvable" );

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L106#L109:

    require( _actionType > 0 && _actionType <= uint8(ActionType.TaskPay), "Disputes::!ActionType" );

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L189#L192 :

    require( _sender == builder || _sender == homeFi.communityContract(), "Project::!Builder&&!Community" );

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L353#L357:

    require( _lendingNeeded >= _communityProject.totalLent && _lendingNeeded <= IProject(_project).projectCost(), "Community::invalid lending" );

[G-09] Usage of uints/ints smaller than 32 bytes (256 bits) incurs overhead:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L16 :

    uint8 internal _decimals;

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L47:

    uint8 decimals_

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L82 :

    function decimals() public view virtual override returns (uint8) {

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L100:

    uint8 _actionType,

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L107:

    _actionType > 0 && _actionType <= uint8(ActionType.TaskPay),

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/SignatureDecoder.sol#L49:

    uint8 v

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/SignatureDecoder.sol#L65:

    uint8 v,

[G-10] Duplicated require()/revert() checks should be refactored to a modifier or function:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L241 :

    require(_projectAddress == address(this), "Project::!projectAddress");

[G-11] Use custom errors rather than revert()/require() strings to save deployment gas:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L31#L34 :

    require( communityContract == _msgSender(), "DebtToken::!CommunityContract" );

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L50:

    require(_communityContract != address(0), "DebtToken::0 address");

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L36 :

    require(_address != address(0), "PF::0 address");

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L64#L67:

    require( _msgSender() == IHomeFi(homeFi).admin(), "ProjectFactory::!Owner" );

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L84:

    require(_msgSender() == homeFi, "PF::!HomeFiContract");

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L41 :

    require(_address != address(0), "Proxy::0 address");

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L81:

    require(_length == _implementations.length, "Proxy::Lengths !match");

  8. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L105#L108 :

    require( contractAddress[_contractName] == address(0), "Proxy::Name !OK" )

  9. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L133:

    require(_length == _contractAddresses.length, "Proxy::Lengths !match");

  10. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L39 :

    require(_address != address(0), "Disputes::0 address");

  11. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L46:

    require(homeFi.admin() == _msgSender(), "Disputes::!Admin");

  12. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L52 :

    require(homeFi.isProjectExist(_msgSender()), "Disputes::!Project");

  13. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L61#L65:

    require( _disputeID < disputeCount && disputes[_disputeID].status == Status.Active, "Disputes::!Resolvable" );

  14. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L106#L109:

    require( _actionType > 0 && _actionType <= uint8(ActionType.TaskPay), "Disputes::!ActionType" );

  15. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L183 :

    require(_result, "Disputes::!Member");

  16. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L73 :

    require(admin == _msgSender(), "HomeFi::!Admin");

  17. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L78:

    require(_address != address(0), "HomeFi::0 address");

  18. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L84 :

    require(_oldAddress != _newAddress, "HomeFi::!Change");

  19. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L142:

    require(!addrSet, "HomeFi::Set");

  20. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L191:

    require(lenderFee != _newLenderFee, "HomeFi::!Change");

  21. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L255#L260 :

    require( _currency == tokenCurrency1 || _currency == tokenCurrency2 || _currency == tokenCurrency3, "HomeFi::!Currency" );

  22. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L123 :

    require(!contractorConfirmed, "Project::GC accepted");

  23. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L132:

    require(_projectAddress == address(this), "Project::!projectAddress");

  24. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L135 :

    require(_contractor != address(0), "Project::0 address");

  25. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L150#L153:

    require(_msgSender() == builder, "Project::!B");

    // Revert if contract not assigned
    require(contractor != address(0), "Project::0 address");

  26. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L176:

    require(_nonce == hashChangeNonce, "Project::!Nonce");

  27. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L189#L202 :

    require(
        _sender == builder || _sender == homeFi.communityContract(),
        "Project::!Builder&&!Community"
    );

    // Revert if try to lend 0
    require(_cost > 0, "Project::!value>0");
    // Revert if try to lend more than project cost
    uint256 _newTotalLent = totalLent + _cost;
    require(
        projectCost() >= uint256(_newTotalLent),
        "Project::value>required"
    );

  28. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L238#L245:

    require(_taskCount == taskCount, "Project::!taskCount");

    // Revert if decoded project address does not match this contract. Indicating incorrect _data.
    require(_projectAddress == address(this), "Project::!projectAddress");
    // Revert if IPFS hash array length is not equal to task cost array length.
    uint256 _length = _hash.length;
    require(_length == _taskCosts.length, "Project::Lengths !match");

  29. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L277 :

    require(_nonce == hashChangeNonce, "Project::!Nonce");

  30. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L301#L304:

    require( _msgSender() == builder || _msgSender() == contractor, "Project::!Builder||!GC" );

  31. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L308 :

    require(_length == _scList.length, "Project::Lengths !match");

  32. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L341:

    require(_projectAddress == address(this), "Project::!Project");

  33. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L369 :

    require(tasks[_taskID].getState() == 3, "Project::!Complete");

  34. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L511#L530:

    require(_project == address(this), "Project::!projectAddress");

    if (_task == 0) {
        // Revert if sender is not builder or contractor
        require(
            signer == builder || signer == contractor,
            "Project::!(GC||Builder)"
        );
    } else {
        // Revert if sender is not builder, contractor or task's subcontractor
        require(
            signer == builder ||
                signer == contractor ||
                signer == tasks[_task].subcontractor,
            "Project::!(GC||Builder||SC)"
        );
        if (signer == tasks[_task].subcontractor) {
            // If sender is task's subcontractor, revert if invitation is not accepted.
            require(getAlerts(_task)[2], "Project::!SCConfirmed");
        }
    }

  35. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L753:

    require(_sc != address(0), "Project::0 address");

  36. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L886#L889 :

    require( _recoveredSignature == _address || approvedHashes[_address][_hash], "Project::invalid signature" );

  37. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L906#L909 :

    require( ((_amount / 1000) * 1000) == _amount, "Project::Precision>=1000" );

  38. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/Tasks.sol#L44 :

    require(_self.state == TaskStatus.Inactive, "Task::active");

  39. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/Tasks.sol#L50:

    require(_self.state == TaskStatus.Active, "Task::!Active");

  40. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/Tasks.sol#L56#L59 :

    require( _self.alerts[uint256(Lifecycle.TaskAllocated)], "Task::!funded" );

  41. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/Tasks.sol#L124:

    require(_self.subcontractor == _sc, "Task::!SC");

  42. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L69#L93 :

        require(_address != address(0), "Community::0 address");
        _;
    }

    modifier onlyHomeFiAdmin() {
        // Revert if sender is not homeFi admin
        require(_msgSender() == homeFi.admin(), "Community::!admin");
        _;
    }

    modifier isPublishedToCommunity(uint256 _communityID, address _project) {
        // Revert if _project is not published to _communityID
        require(
            projectPublished[_project] == _communityID,
            "Community::!published"
        );
        _;
    }

    modifier onlyProjectBuilder(address _project) {
        // Revert if sender is not _project builder
        require(
            _msgSender() == IProject(_project).builder(),
            "Community::!Builder"
        );

  43. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L131#L134:

    require( !restrictedToAdmin || _sender == homeFi.admin(), "Community::!admin" );

  44. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L159#L162 :

    require( _communities[_communityID].owner == _msgSender(), "Community::!owner" );

  45. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L191#L194:

    require( !_community.isMember[_newMemberAddr], "Community::Member Exists" );

  46. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L235#L254:

    require(
        _publishNonce == _community.publishNonce,
        "Community::invalid publishNonce"
    );

    // Reverts if _project not originated from HomeFi
    require(homeFi.isProjectExist(_project), "Community::Project !Exists");
    // Local instance of variables. For saving gas.
    IProject _projectInstance = IProject(_project);
    address _builder = _projectInstance.builder();
    // Revert if project builder is not community member
    require(_community.isMember[_builder], "Community::!Member");
    // Revert if project currency does not match community currency
    require(
        _projectInstance.currency() == _community.currency,
        "Community::!Currency"
    );

  47. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L312#L315 :

    require( !_communityProject.publishFeePaid, "Community::publish fee paid" );

  48. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L347#L357:

    require(
        _communityProject.publishFeePaid,
        "Community::publish fee !paid"
    );

    // Revert if _lendingNeeded is more than projectCost or less than what is already lent
    require(
        _lendingNeeded >= _communityProject.totalLent &&
            _lendingNeeded <= IProject(_project).projectCost(),
        "Community::invalid lending"
    );

  49. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L384#L387 :

    require( _sender == _communities[_communityID].owner, "Community::!owner" );

  50. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L400#L409:

    require(
        _amountToProject <=
            _communities[_communityID].projectDetails[_project].lendingNeeded -
                _communities[_communityID].projectDetails[_project].totalLent,
        "Community::lending>needed"
    );

  51. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L491#L495 :

    require( _msgSender() == _communities[_communityID].owner, "Community::!Owner" );

  52. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L536#L542:

    require(_builder == _projectInstance.builder(), "Community::!Builder");

    // Revert if decoded _communityID's owner is not decoded _lender
    require(
        _lender == _communities[_communityID].owner,
        "Community::!Owner"
    );

  53. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L557 :

    require(!restrictedToAdmin, "Community::restricted");

  54. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L568:

    require(restrictedToAdmin, "Community::!restricted");

  55. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L764:

    require(_repayAmount > 0, "Community::!repay");

  56. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L792 :

    require(_lentAndInterest >= _repayAmount, "Community::!Liquid");

  57. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L886#L889 :

    require( _recoveredSignature == _address || approvedHashes[_address][_hash], "Community::invalid signature" );

[G-09] Use a more recent version of solidity:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L3 :

    pragma solidity 0.8.6;

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L3:

    pragma solidity 0.8.6;

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L3 :

    pragma solidity 0.8.6;

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L3:

    pragma solidity 0.8.6;

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L3:

    pragma solidity 0.8.6;

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L3:

    pragma solidity 0.8.6;

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L3:

    pragma solidity 0.8.6;

  8. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/SignatureDecoder.sol#L3:

    pragma solidity 0.8.6;

  9. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/Tasks.sol#L3:

    pragma solidity 0.8.6;

[G-10] Functions guaranteed to revert when called by normal users can be marked `payable`:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L61#L76 :

    function mint(address _to, uint256 _total)
        external
        override
        onlyCommunityContract
    {
        _mint(_to, _total);
    }

    /// @inheritdoc IDebtToken
    function burn(address _to, uint256 _total)
        external
        override
        onlyCommunityContract
    {
        _burn(_to, _total);
    }

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L100#L103:

    function addNewContract(bytes2 _contractName, address _contractAddress) external onlyOwner {

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L125#L128 :

    function upgradeMultipleImplementations( bytes2[] calldata _contractNames, address[] calldata _contractAddresses ) external onlyOwner {

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFiProxy.sol#L150#L154:

    function changeProxyAdminOwner(address _newAdmin) external onlyOwner nonZero(_newAdmin) {

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L84#L88:

    function raiseDispute(bytes calldata _data, bytes calldata _signature) external override onlyProject {

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L141#L145:

    function resolveDispute( uint256 _disputeID, bytes calldata _judgement, bool _ratify ) external override onlyAdmin nonReentrant resolvable(_disputeID) {

  7. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L123#L140:

    function setAddr( address _projectFactory, address _communityContract, address _disputesContract, address _hTokenCurrency1, address _hTokenCurrency2, address _hTokenCurrency3 ) external override onlyAdmin nonZero(_projectFactory) nonZero(_communityContract) nonZero(_disputesContract) nonZero(_hTokenCurrency1) nonZero(_hTokenCurrency2) nonZero(_hTokenCurrency3) {

  8. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L157#L189:

    function replaceAdmin(address _newAdmin)
        external
        override
        onlyAdmin
        nonZero(_newAdmin)
        noChange(admin, _newAdmin)
    {
        // Replace admin
        admin = _newAdmin;

        emit AdminReplaced(_newAdmin);
    }

    /// @inheritdoc IHomeFi
    function replaceTreasury(address _newTreasury)
        external
        override
        onlyAdmin
        nonZero(_newTreasury)
        noChange(treasury, _newTreasury)
    {
        // Replace treasury
        treasury = _newTreasury;

        emit TreasuryReplaced(_newTreasury);
    }

    /// @inheritdoc IHomeFi
    function replaceLenderFee(uint256 _newLenderFee)
        external
        override
        onlyAdmin
    {

  9. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L200#L205:

    function setTrustedForwarder(address _newForwarder) external override onlyAdmin noChange(trustedForwarder, _newForwarder) {

  10. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L285#L304 :

    function unpublishProject(uint256 _communityID, address _project)
        external
        override
        whenNotPaused
        isPublishedToCommunity(_communityID, _project)
        onlyProjectBuilder(_project)
    {
        // Call internal function to unpublish project
        _unpublishProject(_project);
    }

    /// @inheritdoc ICommunity
    function payPublishFee(uint256 _communityID, address _project)
        external
        override
        nonReentrant
        whenNotPaused
        isPublishedToCommunity(_communityID, _project)
        onlyProjectBuilder(_project)
    {

  11. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L331#L341:

    function toggleLendingNeeded( uint256 _communityID, address _project, uint256 _lendingNeeded ) external override whenNotPaused isPublishedToCommunity(_communityID, _project) onlyProjectBuilder(_project) {

  12. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L455#L466 :

    function repayLender( uint256 _communityID, address _project, uint256 _repayAmount ) external virtual override nonReentrant whenNotPaused onlyProjectBuilder(_project) {

  13. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L555#L584:

    function restrictToAdmin() external override onlyHomeFiAdmin {
        // Revert if already restricted to admin
        require(!restrictedToAdmin, "Community::restricted");

        // Disable community creation for non admins
        restrictedToAdmin = true;
        emit RestrictedToAdmin(_msgSender());
    }

    /// @inheritdoc ICommunity
    function unrestrictToAdmin() external override onlyHomeFiAdmin {
        // Revert if already unrestricted to admin
        require(restrictedToAdmin, "Community::!restricted");

        // Allow community creation for all
        restrictedToAdmin = false;
        emit UnrestrictedToAdmin(_msgSender());
    }

    /// @inheritdoc ICommunity
    function pause() external override onlyHomeFiAdmin {
        _pause();
    }

    /// @inheritdoc ICommunity
    function unpause() external override onlyHomeFiAdmin {
        _unpause();
    }

  14. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/libraries/Tasks.sol#L88#L122:

    function setComplete(Task storage _self)
        internal
        onlyActive(_self)
        onlyFunded(_self)
    {
        // State/ Lifecycle //
        _self.state = TaskStatus.Complete;
    }

    // Subcontractor Joining //

    /**
     * @dev Invite a subcontractor to the task
     * @dev modifier onlyInactive
     * @param _self Task the task being joined by subcontractor
     * @param _sc address the subcontractor being invited
     */
    function inviteSubcontractor(Task storage _self, address _sc)
        internal
        onlyInactive(_self)
    {
        _self.subcontractor = _sc;
    }

    /**
     * @dev As a subcontractor, accept an invitation to participate in a task.
     * @dev modifier onlyInactive
     * @param _self Task the task being joined by subcontractor
     * @param _sc Address of sender
     */
    function acceptInvitation(Task storage _self, address _sc)
        internal
        onlyInactive(_self)
    {
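
As an added illustration of the [G-10] change (hypothetical contract, not code from the Rigor repository), the snippet below pairs an admin-only setter as it is usually written with the same setter marked `payable`: both still revert for non-admin callers, but the `payable` variant omits the `msg.value == 0` check the compiler inserts for non-payable functions on every call. The change applies to external and public functions only; internal library functions cannot be declared `payable` and carry no call-value check to drop.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.6;

/// Hypothetical admin-gated contract, added to illustrate [G-10].
/// Not part of the Rigor code base.
contract AdminGated {
    address public admin;
    uint256 public lenderFee;

    event LenderFeeChanged(uint256 newFee);

    // Only the admin reaches the body of a function carrying this
    // modifier; every other caller reverts before any state change.
    modifier onlyAdmin() {
        require(msg.sender == admin, "AdminGated::!Admin");
        _;
    }

    constructor(address _admin) {
        require(_admin != address(0), "AdminGated::0 address");
        admin = _admin;
    }

    // Before: non-payable. The compiler prepends a check that reverts
    // when msg.value != 0 (CALLVALUE / ISZERO / JUMPI plus a revert
    // path). The admin pays for that check on every legitimate call.
    function setLenderFeeNonPayable(uint256 _newFee) external onlyAdmin {
        require(lenderFee != _newFee, "AdminGated::!Change");
        lenderFee = _newFee;
        emit LenderFeeChanged(_newFee);
    }

    // After: marked payable. The call-value check is gone, so the call is
    // cheaper and the bytecode slightly smaller. Access control is
    // unchanged: onlyAdmin still reverts for everyone else, with or
    // without ETH attached.
    function setLenderFee(uint256 _newFee) external payable onlyAdmin {
        require(lenderFee != _newFee, "AdminGated::!Change");
        lenderFee = _newFee;
        emit LenderFeeChanged(_newFee);
    }

    // Caveat that belongs with this optimisation: ETH the admin attaches
    // by mistake is now accepted rather than rejected. Re-adding
    // require(msg.value == 0) would restore the guard together with its
    // cost, so the usual answer is a recovery path such as this one.
    function sweep(address payable _to) external onlyAdmin {
        _to.transfer(address(this).balance);
    }
}
```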

[G-11] Public functions to external:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/DebtToken.sol#L82#L105 :

    function decimals() public view virtual override returns (uint8) {
        return _decimals;
    }

    /*******************************************************************************
     * ----------------------------PUBLIC TRANSACTIONS---------------------------- *
     *******************************************************************************/

    /// @notice blocked implementation
    function transferFrom(
        address, /* _sender */
        address, /* _recipient */
        uint256 /* _amount */
    ) public pure override(ERC20Upgradeable, IERC20Upgradeable) returns (bool) {
        revert("DebtToken::blocked");
    }

    /// @notice blocked implementation
    function transfer(
        address, /* recipient */
        uint256 /* amount */
    ) public pure override(ERC20Upgradeable, IERC20Upgradeable) returns (bool) {
        revert("DebtToken::blocked");
    }

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/ProjectFactory.sol#L98#L103:

    function isTrustedForwarder(address _forwarder) public view override(ERC2771ContextUpgradeable, IProjectFactory) returns (bool) {

  3. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L168#L172 :

    function assertMember( address _project, uint256 _taskID, address _address ) public view override {

  4. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Disputes.sol#L187#L192:

    function isTrustedForwarder(address _forwarder) public view override(ERC2771ContextUpgradeable, IDisputes) returns (bool) {

  5. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L253#L271:

    function validCurrency(address _currency) public view override {
        // _currency must be one of HomeFi supported currencies
        require(
            _currency == tokenCurrency1 ||
                _currency == tokenCurrency2 ||
                _currency == tokenCurrency3,
            "HomeFi::!Currency"
        );
    }

    /// @inheritdoc IHomeFi
    function isTrustedForwarder(address _forwarder)
        public
        view
        override(ERC2771ContextUpgradeable, IHomeFi)
        returns (bool)
    {
        return trustedForwarder == _forwarder;
    }

  6. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Project.sol#L705#L733:

    function projectCost() public view override returns (uint256 _cost) {
        // Local instance of taskCount. To save gas.
        uint256 _length = taskCount;

        // Iterate over all tasks to sum their cost
        for (uint256 _taskID = 1; _taskID <= _length; _taskID++) {
            _cost += tasks[_taskID].cost;
        }
    }

    /// @inheritdoc IProject
    function getAlerts(uint256 _taskID)
        public
        view
        override
        returns (bool[3] memory _alerts)
    {
        return tasks[_taskID].getAlerts();
    }

    /// @inheritdoc IProject
    function isTrustedForwarder(address _forwarder)
        public
        view
        override(ERC2771ContextUpgradeable, IProject)
        returns (bool)
    {
        return homeFi.isTrustedForwarder(_forwarder);
    }

[G-12] Multiple address mappings can be combined into a single mapping of an address to a struct, where appropriate:-

  1. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/HomeFi.sol#L64#L66 :

    mapping(address => uint256) public override projectTokenId;
    /// @inheritdoc IHomeFi
    mapping(address => address) public override wrappedToken;

  2. File: https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L59#L61:

    mapping(address => uint256) public override projectPublished;
    /// @inheritdoc ICommunity
    mapping(address => mapping(bytes32 => bool)) public override approvedHashes;

#0 - zgorizzo69

2022-08-08T16:17:54Z

very extensive gas optimization report thanks
