Platform: Code4rena
Start Date: 18/10/2022
Pot Size: $50,000 USDC
Total HM: 13
Participants: 67
Period: 5 days
Judge: Picodes
Total Solo HM: 7
Id: 172
League: ETH
Rank: 28/67
Findings: 2
Award: $63.84
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: berndartmueller
Also found by: 0x1f8b, 0x4non, 0xNazgul, 0xSmartContract, Aymen0909, BClabs, Diana, Jeiwan, Lambda, LeoS, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Rolezn, SaharAP, Trust, V_B, __141345__, a12jmx, bharg4v, brgltd, carlitox477, ch0bu, chaduke, cloudjunky, cryptostellar5, cryptphi, csanuragjain, d3e4, delfin454000, erictee, fatherOfBlocks, hansfriese, ignacio, joestakey, karanctf, ladboy233, lukris02, mcwildy, minhtrng, peanuts, ret2basic, seyni, slowmoses, svskaushik, tnevler, yixxas
37.8829 USDC - $37.88
_mint() is discouraged in favor of _safeMint() which ensures that the recipient is either an EOA or implements IERC721Receiver. Both OpenZeppelin and solmate have versions of this function so that NFTs aren’t lost if they’re minted to contracts that cannot transfer them back out.
There are 5 instances of this issue
File: contracts/JBTiered721Delegate.sol 461: _mint(_reservedTokenBeneficiary, _tokenId); 504: _mint(_beneficiary, _tokenId); 635: _mint(_beneficiary, _tokenId); 677: _mint(_beneficiary, _tokenId);
There are 2 instances of this issue
File: contracts/JBTiered721Delegate.sol 216: require(address(this) != codeOrigin); 218: require(address(store) == address(0));
In the contracts, floating pragmas should not be used. Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
This issue exists on all In-scope contracts
Lock the pragma version
#0 - c4-judge
2022-11-05T09:32:02Z
Picodes marked the issue as grade-b
🌟 Selected for report: Jeiwan
Also found by: 0x1f8b, 0x4non, 0x5rings, 0xSmartContract, Awesome, Aymen0909, Bnke0x0, CodingNameKiki, Diana, DimSon, JC, JrNet, LeoS, RaymondFam, ReyAdmirado, Saintcode_, Shinchan, __141345__, berndartmueller, bharg4v, brgltd, carlitox477, ch0bu, chaduke, cryptostellar5, emrekocak, gogo, lukris02, martin, mcwildy, sakman, trustindistrust, zishansami
25.9629 USDC - $25.96
When using elements that are smaller than 32 bytes, your contract’s gas usage may be higher. This is because the EVM operates on 32 bytes at a time. Therefore, if the element is smaller than that, the EVM must use more operations in order to reduce the size of the element from 32 bytes to the desired size.
https://docs.soliditylang.org/en/v0.8.11/internals/layout_in_storage.html Use a larger size then downcast where needed
There are 11 instances of this issue:
File: contracts/JBTiered721Delegate.sol 480: function mintFor(uint16[] memory _tierIds, address _beneficiary) 558: uint16[] memory _tierIdsToMint; 563: (bytes32, bytes4, bool, bool, bool, uint16[]) 652: uint16[] memory _mintTierIds,
File: contracts/libraries/JBIpfsDecoder.sol 46: uint8[] memory digits = new uint8[](46); 48: uint8 digitlength = 1; 66: function _truncate(uint8[] memory _array, uint8 _length) private pure returns (uint8[] memory) { 67: uint8[] memory output = new uint8[](_length); 74: function _reverse(uint8[] memory _input) private pure returns (uint8[] memory) { 75: uint8[] memory output = new uint8[](_input.length); 82: function _toAlphabet(uint8[] memory _indices) private pure returns (bytes memory) {
Not inlining costs 20 to 40 gas because of two extra JUMP instructions and additional stack operations needed for function calls.
There are 4 instances of this issue
File: contracts/JB721TieredGovernance.sol 194-199: function _getTierVotingUnits(address _account, uint256 _tierId) internal view virtual returns (uint256) { 242-247: function _transferTierVotingUnits( address _from, address _to, uint256 _tierId, uint256 _amount ) internal virtual {
File: contracts/JBTiered721Delegate.sol 524: function _processPayment(JBDidPayData calldata _data) internal override { 598: function _didBurn(uint256[] memory _tokenIds) internal override {
There are 7 instances of this issue
File: contracts/JBTiered721DelegateStore.sol 354: supply += _storedTier.initialQuantity - _storedTier.remainingQuantity; 409: units += _balance * _storedTierOf[_nft][_i].votingUnits; 506: balance += tierBalanceOf[_nft][_owner][_i]; 534: weight += _storedTierOf[_nft][tierIdOfToken(_tokenIds[_i])].contributionFloor; 563-566: weight += (_storedTier.contributionFloor * (_storedTier.initialQuantity - _storedTier.remainingQuantity)) + _numberOfReservedTokensOutstandingFor(_nft, _i, _storedTier); 827: numberOfReservesMintedFor[msg.sender][_tierId] += _count;
File: contracts/libraries/JBIpfsDecoder.sol 52: carry += uint256(digits[j]) * 256;
If a variable is not set/initialized, it is assumed to have the default value (0 for uint, false for bool, address(0) for address…). Explicitly initializing it with its default value is an anti-pattern and wastes gas.
There are 5 instances of this issue
File: contracts/libraries/JBIpfsDecoder.sol 49: for (uint256 i = 0; i < _source.length; ++i) { 51: for (uint256 j = 0; j < digitlength; ++j) { 68: for (uint256 i = 0; i < _length; i++) { 76: for (uint256 i = 0; i < _input.length; i++) { 84: for (uint256 i = 0; i < _indices.length; i++) {
Saves 6 gas PER LOOP
Prefix increments are cheaper than postfix increments.
Further more, using unchecked {++i} is even more gas efficient, and the gas saving accumulates every iteration and can make a real change
But increments perform overflow checks that are not necessary in this case.
These functions use not using prefix increments (++i) and/or not using the unchecked keyword:
There are 6 instances of this issue
File: contracts/JBTiered721DelegateStore.sol 1106: numberOfBurnedFor[msg.sender][_tierId]++; 1108: _storedTierOf[msg.sender][_tierId].remainingQuantity++;
File: contracts/libraries/JBIpfsDecoder.sol 59: digitlength++; 68: for (uint256 i = 0; i < _length; i++) { 76: for (uint256 i = 0; i < _input.length; i++) { 84: for (uint256 i = 0; i < _indices.length; i++) {
In Solidity 0.8+, there’s a default overflow check on unsigned integers. It’s possible to uncheck this in for-loops and save some gas at each iteration, but at the cost of some code readability, as this uncheck cannot be made inline
Prior to Solidity 0.8.0, arithmetic operations would always wrap in case of under- or overflow leading to widespread use of libraries that introduce additional checks.
Since Solidity 0.8.0, all arithmetic operations revert on over- and underflow by default, thus making the use of these libraries unnecessary.
To obtain the previous behaviour, an unchecked block can be used
There are 5 instances of this issue
File: contracts/libraries/JBIpfsDecoder.sol 49: for (uint256 i = 0; i < _source.length; ++i) { 51: for (uint256 j = 0; j < digitlength; ++j) { 68: for (uint256 i = 0; i < _length; i++) { 76: for (uint256 i = 0; i < _input.length; i++) { 84: for (uint256 i = 0; i < _indices.length; i++) {
There are 4 instances of this issue
File: contracts/JB721GlobalGovernance.sol 32-40: function _getVotingUnits(address _account) internal view virtual override returns (uint256 units) { return store.votingUnitsOf(address(this), _account); }
File: contracts/JBTiered721Delegate.sol 123-125: function balanceOf(address _owner) public view override returns (uint256 balance) { return store.balanceOf(address(this), _owner); }
File: contracts/JBTiered721DelegateProjectDeployer.sol 107-135: function launchFundingCyclesFor( uint256 _projectId, JBDeployTiered721DelegateData memory _deployTiered721DelegateData, JBLaunchFundingCyclesData memory _launchFundingCyclesData ) external override requirePermission( controller.projects().ownerOf(_projectId), _projectId, JBOperations.RECONFIGURE ) returns (uint256 configuration) { // Deploy the delegate contract. IJBTiered721Delegate _delegate = delegateDeployer.deployDelegateFor( _projectId, _deployTiered721DelegateData ); // Set the delegate address as the data source of the provided metadata. _launchFundingCyclesData.metadata.dataSource = address(_delegate); // Set the project to use the data source for its pay function. _launchFundingCyclesData.metadata.useDataSourceForPay = true; // Launch the funding cycles. return _launchFundingCyclesFor(_projectId, _launchFundingCyclesData); } 150: function reconfigureFundingCyclesOf( uint256 _projectId, JBDeployTiered721DelegateData memory _deployTiered721DelegateData, JBReconfigureFundingCyclesData memory _reconfigureFundingCyclesData ) external override requirePermission( controller.projects().ownerOf(_projectId), _projectId, JBOperations.RECONFIGURE ) returns (uint256 configuration) { // Deploy the delegate contract. IJBTiered721Delegate _delegate = delegateDeployer.deployDelegateFor( _projectId, _deployTiered721DelegateData ); // Set the delegate address as the data source of the provided metadata. _reconfigureFundingCyclesData.metadata.dataSource = address(_delegate); // Set the project to use the data source for its pay function. _reconfigureFundingCyclesData.metadata.useDataSourceForPay = true; // Reconfigure the funding cycles. return _reconfigureFundingCyclesOf(_projectId, _reconfigureFundingCyclesData); }
If the functions are required by an interface, the contract should inherit from that interface and use the override keyword
There is 1 instance of this issue
File: contracts/JB721GlobalGovernance.sol 32-40: function _getVotingUnits(address _account) internal view virtual override returns (uint256 units) { return store.votingUnitsOf(address(this), _account); }
#0 - Picodes
2022-11-08T17:45:52Z
Some invalid findings, the last one for example as it's a contract with inheritance
#1 - c4-judge
2022-11-08T17:45:55Z
Picodes marked the issue as grade-b