Platform: Code4rena
Start Date: 08/03/2023
Pot Size: $60,500 USDC
Total HM: 2
Participants: 123
Period: 7 days
Judge: hansfriese
Id: 220
League: ETH
Rank: 84/123
Findings: 1
Award: $29.67
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0x1f8b, 0x6980, 0xAgro, 0xSolus, 0xhacksmithh, 0xkazim, ABA, BPZ, BowTiedOriole, ChainReview, DadeKuma, DeFiHackLabs, Deathstore, DevABDee, Diana, Dravee, Dug, Englave, Go-Langer, Haipls, IceBear, Inspex, Jeiwan, Kek, Kresh, Madalad, MatricksDeCoder, MyFDsYours, RaymondFam, Rolezn, SAAJ, Sathish9098, Taloner, Udsen, Viktor_Cortess, atharvasama, ayden, brgltd, btk, carlitox477, catellatech, chaduke, codeislight, deadrxsezzz, descharre, erictee, fatherOfBlocks, favelanky, glcanvas, handsomegiraffe, jasonxiale, jekapi, joestakey, lemonr, luxartvinsec, martin, matrix_0wl, minhquanym, mrpathfindr, nadin, oyc_109, parsely, peanuts, pfedprog, rbserver, rokso, saian, santipu_, scokaf, slvDev, tsvetanovv, ubl4nk, ulqiorra, yamapyblack, zaskoh
29.6697 USDC - $29.67
L01. Missing zero validations in constructors
Both the BYTES2 and NeoTokyoStaker constructors set up immutable variables without zero address checks. In case of a mistaken deployment with default values, there would be no possibility to update the addresses for BYTES1, S1_CITIZEN, S2_CITIZEN, IDENTITY, and VAULT, which could result in the need for contract redeployment and paying extra gas.
Recommendation: Add zero checks during contract initialization
L02. Solidity style guide violation
According to the Solidity style guide, upper-case variable naming should be applied only for constants, but now mutable state variables are named in the same style.
Recommendation: Rename STAKER, TREASURY, VAULT_CAP, NO_VAULT_CAP, LP to use lower case
L03. Missing event emitting during critical changes in contract
Events should be emitted during changes in the contract to simplify the off-chain analysis of contract behavior.
Recommendation: Add event tracking in the changeStakingContractAddress, changeTreasuryContractAddress, configureCaps, configurePools, configureVaultCreditMultipliers, configureIdentityCreditPoints, configureIdentityCreditYields, configureTimelockOptions, lockLP, and configureLP functions.
L04. Typos
Fix typos in contract NatSpecs:
«ctiizen» -> «citiizen» in event Stake NatSpec
«configued» -> «configured» in getConfiguredVaultMultiplier NatSpec
«entireity» -> «entirety» in Line 1373 of NeoTokyoStaker contract
«funciton» -> «function» in configureIdentityCreditPoints NatSpec
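The L01 and L03 recommendations combined in one reduced contract, as an added example that is not code from the report or from the audited project. StakerSketch, the constructor parameter names, the owner gate, the ZeroAddress and NotOwner errors, and the StakingContractChanged event are hypothetical; only the variable names and changeStakingContractAddress come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// @notice Reduced stand-in for illustration; not the audited contracts.
contract StakerSketch {
    error ZeroAddress();
    error NotOwner();

    /// @dev Hypothetical event; lets off-chain monitoring see the change.
    event StakingContractChanged(address indexed previous, address indexed current);

    // Immutable references named in L01: a wrong value forces a redeploy.
    address public immutable BYTES1;
    address public immutable S1_CITIZEN;
    address public immutable S2_CITIZEN;
    address public immutable IDENTITY;
    address public immutable VAULT;

    address public immutable owner; // assumption: simple owner gate
    address public staker;          // mutable state variable

    constructor(
        address bytesV1,
        address s1Citizen,
        address s2Citizen,
        address identity,
        address vault
    ) {
        // Each assignment reverts the deployment if the argument is zero.
        BYTES1 = _nonZero(bytesV1);
        S1_CITIZEN = _nonZero(s1Citizen);
        S2_CITIZEN = _nonZero(s2Citizen);
        IDENTITY = _nonZero(identity);
        VAULT = _nonZero(vault);
        owner = msg.sender;
    }

    function changeStakingContractAddress(address newStaker) external {
        if (msg.sender != owner) revert NotOwner();
        address previous = staker;
        staker = newStaker;
        emit StakingContractChanged(previous, newStaker); // L03: record the change
    }

    function _nonZero(address a) private pure returns (address) {
        if (a == address(0)) revert ZeroAddress();
        return a;
    }
}
```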
#0 - c4-judge
2023-03-17T03:16:16Z
hansfriese marked the issue as grade-b