Platform: Code4rena
Start Date: 07/08/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 125
Period: 3 days
Judge: alcueca
Total Solo HM: 4
Id: 274
League: ETH
Rank: 73/125
Findings: 1
Award: $9.82
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RED-LOTUS-REACH
Also found by: 0x3b, 0x4non, 0xCiphky, 0xDING99YA, 0xDetermination, 0xE1, 0xG0P1, 0xStalin, 0xWaitress, 0xbrett8571, 0xhacksmithh, 0xkazim, 0xmuxyz, 0xweb3boy, 14si2o_Flint, AlexCzm, Alhakista, Bube, Bughunter101, Deekshith99, Eeyore, Giorgio, HChang26, InAllHonesty, JP_Courses, KmanOfficial, MatricksDeCoder, Mike_Bello90, MrPotatoMagic, Naubit, QiuhaoLi, RHaO-sec, Raihan, Rolezn, SUPERMAN_I4G, Shubham, Silverskrrrt, Strausses, T1MOH, Topmark, Tripathi, Watermelon, _eperezok, aakansha, auditsea, audityourcontracts, ayden, carlos__alegre, castle_chain, cducrest, ch0bu, d23e, deadrxsezzz, deth, devival, erebus, fatherOfBlocks, halden, hassan-truscova, hpsb, hunter_w3b, imkapadia, immeas, jat, kaden, kaveyjoe, klau5, koxuan, kutugu, ladboy233, lanrebayode77, leasowillow, lsaudit, markus_ether, matrix_0wl, merlin, nemveer, ni8mare, nonseodion, oakcobalt, owadez, p_crypt0, pipidu83, piyushshukla, popular00, ppetrov, rjs, sandy, sl1, supervrijdag, tay054, thekmj, wahedtalash77, windhustler, zhaojie
9.8204 USDC - $9.82
/interfaces/Turnstile.sol Above interface file in interfaces is defined but never used in any of the contracts that are in scope. Audit scope does only excludes test files from audit scope.
Impact-> it affects the code interpretability, maintainability, auditability or it may signify missing logic
Recommendation -> It is recommended to remove the interface folder if not needed or ensure all logic has been captured for the contracts in case it is needed.
function _delegate(address addr,LockedBalance memory _locked, int128 value, LockAction action) internal // VotingEscrow.sol line 390 All other function arguments in VotingEscrow.sol use _ but for function above arguments address addr, int128 value, LockAction action are not like LockedBalance memory _locked which takes underscore, this is inconsistent within the function and across the file and other contracts. Contracts LendingLedger.so and GaugeController.sol also use preceding _ underscore for all function arguments.
Impact-> it affects the code interpretability, maintainability, readability and consistency
Recommendation -> It is recommended to apply consistent usage of underscore _ to all function arguments
The instances that can be improved in the current code are as follows
(bool success, ) = msg.sender.call{value: amountToSend}(""); //VotingEscrow.sol line 346 (bool success, ) = msg.sender.call{value: cantoToSend}(""); // LendingLedger.sol line 179
Impacts - affects readability and semantic understanding. Above also does not explicitly describe operation
Recommendation -> to improve readability, semantic understanding and explicitness that better captures operation description( due to naming convention) use OpenZeppelin's SafeTransferLib.safeTransferETH() or Address.sendValue(). Usage over lower-level calls enhances the maintainability of code by clearly indicating the purpose of the function.
// State - GaugeController.sol line 23- line 53
modifier onlyGovernance() { require(msg.sender == governance); _; }
Under the comment for state we get state variables or state related items like Structs. However we also have a modifier without comment its a modifiers so makes it appear as if its under state items
// Send back deposited tokens - VotingEscrow.sol line 345
(bool success, ) = msg.sender.call{value: amountToSend}("");
Above makes it appear as if a token is being sent when its "native token" or coin as this is CANTO being send, readers may think or expect some other token
#0 - c4-judge
2023-08-22T14:07:51Z
alcueca marked the issue as grade-a