Platform: Code4rena
Start Date: 11/01/2023
Pot Size: $60,500 USDC
Total HM: 6
Participants: 69
Period: 6 days
Judge: Trust
Total Solo HM: 2
Id: 204
League: ETH
Rank: 58/69
Findings: 1
Award: $36.24
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: CodingNameKiki
Also found by: 0x1f8b, 0x52, 0x5rings, 0xAgro, 0xSmartContract, 0xcm, 0xkato, 2997ms, Aymen0909, BClabs, BPZ, BRONZEDISC, Bauer, Bnke0x0, Deekshith99, IllIllI, Josiah, Kaysoft, RaymondFam, Rolezn, SaeedAlipoor01988, Tajobin, Udsen, Viktor_Cortess, adriro, arialblack14, betweenETHlines, btk, chaduke, chrisdior4, cryptphi, csanuragjain, cygaar, defsec, descharre, erictee, gzeon, hansfriese, horsefacts, joestakey, koxuan, lukris02, luxartvinsec, nicobevi, oyc_109, pavankv, peanuts, rbserver, scokaf, shark, tnevler, tsvetanovv, zaskoh
36.2377 USDC - $36.24
Files: All files.
Consider using named imports like below
import {CTokenCash} from "./CTokenCash.sol";
instead of
import "./CTokenCash.sol";
/**
 * @dev Internal function to future-proof parent linearization. Matches OZ
 * upgradeable suggestions
 */
function __KYCRegistryClientInitializable_init_unchained(
    address _kycRegistry,
    uint256 _kycRequirementGroup
) internal onlyInitializing {
    _setKYCRegistry(_kycRegistry);
    _setKYCRequirementGroup(_kycRequirementGroup);
}
Files: All files
Latest stable versions of the Solidity compiler contain bug fixes and security improvements.
see: https://swcregistry.io/docs/SWC-102
Consider using latest Solidity version.
Files: All files
See: https://swcregistry.io/docs/SWC-103
Consider using fixed pragma version like below
pragma solidity 0.8.17;
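The two findings above (wildcard imports and a floating pragma, SWC-103) are easy to check mechanically. The following is an added example, not part of the original report or the audited codebase: a small scanner run over constructed sample sources (the file names `Floating.sol` and `Fixed.sol` are invented for the demo).

```python
import re

# Constructed sample Solidity sources for the demo; not files from the audited project.
SAMPLE_SOURCES = {
    "Floating.sol": """\
pragma solidity ^0.8.16;
import "./CTokenCash.sol";
contract Floating {}
""",
    "Fixed.sol": """\
pragma solidity 0.8.17;
import {CTokenCash} from "./CTokenCash.sol";
contract Fixed is CTokenCash {}
""",
}

PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+([^;]+);", re.M)
# A wildcard import is `import "<path>";` with no `{...}` binding list.
WILDCARD_IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"\s*;', re.M)


def is_floating_pragma(spec: str) -> bool:
    """A pragma is floating unless it pins exactly one version (e.g. 0.8.17)."""
    return not re.fullmatch(r"\d+\.\d+\.\d+", spec.strip())


def check_source(name: str, src: str) -> list[str]:
    """Return one finding string per floating pragma and per wildcard import."""
    findings = []
    for m in PRAGMA_RE.finditer(src):
        if is_floating_pragma(m.group(1)):
            findings.append(f"{name}: floating pragma '{m.group(1).strip()}' (SWC-103)")
    for m in WILDCARD_IMPORT_RE.finditer(src):
        findings.append(f"{name}: wildcard import of {m.group(1)}; prefer a named import")
    return findings


def check_all(sources: dict[str, str]) -> list[str]:
    out = []
    for name, src in sources.items():
        out.extend(check_source(name, src))
    return out


if __name__ == "__main__":
    for finding in check_all(SAMPLE_SOURCES):
        print(finding)
```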
const config: HardhatUserConfig = {
  solidity: {
    compilers: [
      {
        version: "0.8.16",
        settings: {
          optimizer: {
            enabled: true,
            runs: 100,
          },
        },
      },
    ],
  },
};
The protocol has enabled the optional compiler optimizations in Solidity. There have been several optimization bugs with security implications. Moreover, optimizations are actively being developed. Solidity compiler optimizations are disabled by default, and it is unclear how many contracts in the wild actually use them.
Therefore, it is unclear how well they are being tested and exercised. High-severity security issues due to optimization bugs have occurred in the past. A high-severity bug in the emscripten-generated solc-js compiler used by Truffle and Remix persisted until late 2018. The fix for this bug was not reported in the Solidity CHANGELOG.
Another high-severity optimization bug resulting in incorrect bit shift results was patched in Solidity 0.5.6. More recently, another bug due to the incorrect caching of keccak256 was reported. A compiler audit of Solidity from November 2018 concluded that the optional optimizations may not be safe. It is likely that there are latent bugs related to optimization and that new bugs will be introduced due to future optimizations.
Exploit Scenario
A latent or future bug in Solidity compiler optimizations, or in the Emscripten transpilation to solc-js, causes a security vulnerability in the contracts.
Short term, measure the gas savings from optimizations and carefully weigh them against the possibility of an optimization-related bug. Long term, monitor the development and adoption of Solidity compiler optimizations to assess their maturity.
#0 - c4-judge
2023-01-23T14:26:07Z
trust1995 marked the issue as grade-b