Platform: Code4rena
Start Date: 11/05/2022
Pot Size: $150,000 USDC
Total HM: 23
Participants: 93
Period: 14 days
Judge: LSDan
Total Solo HM: 18
Id: 123
League: ETH
Rank: 71/93
Findings: 1
Award: $151.97
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 242, AlleyCat, BouSalman, BowTiedWardens, CertoraInc, Chom, Cityscape, FSchmoede, Funen, GimelSec, Hawkeye, JC, JDeryl, Kaiziron, Kthere, Kumpa, MaratCerby, MiloTruck, Nethermind, NoamYakov, PPrieditis, QuantumBrief, Rolezn, Ruhum, SmartSek, SooYa, Tadashi, TerrierLover, WatchPug, Waze, _Adam, asutorufos, berndartmueller, bobirichman, c3phas, catchup, cccz, ch13fd357r0y3r, cryptphi, csanuragjain, cthulhu_cult, defsec, delfin454000, ellahi, fatherOfBlocks, hansfriese, hubble, hyh, jayjonah8, joestakey, kenta, kenzo, kirk-baird, mics, oyc_109, p_crypt0, reassor, robee, sach1r0, samruna, sashik_eth, sikorico, simon135, sorrynotsorry, sseefried, tintin, unforgiven, z3s, zmj
151.9654 USDC - $151.97
"totalSupply() == 0" should not be used as a check for initialization. It is a bad coding practice because totalSupply() can be reduced by token burning.
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/Aura.sol#L67 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/Aura.sol#L92
Use OZ library.
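The guard described above next to a flag-based one, as an added example that is not code from Aura.sol or from the original report. The contract names MiniToken, SupplyGuarded and FlagGuarded, the operator field and the burn function are constructed for illustration; the flag follows the same idea as the initializer modifier in OpenZeppelin's Initializable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;

// Constructed minimal token (not Aura.sol): only the state needed to show the guard.
abstract contract MiniToken {
    address public immutable operator = msg.sender;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    // Burning lowers totalSupply, which is what invalidates the supply-based guard.
    function burn(uint256 amount) external {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8.x
        totalSupply -= amount;
    }
}

// Weak: "not yet initialized" is inferred from totalSupply == 0.
contract SupplyGuarded is MiniToken {
    function init(address to, uint256 amount) external {
        require(msg.sender == operator, "Only operator");
        // Passes again if every token is burned, or if init was called with amount == 0.
        require(totalSupply == 0, "Only once");
        _mint(to, amount);
    }
}

// Hardened: a dedicated flag that no token operation can reset.
contract FlagGuarded is MiniToken {
    bool private initialized;

    function init(address to, uint256 amount) external {
        require(msg.sender == operator, "Only operator");
        require(!initialized, "Only once");
        initialized = true; // set before any other state change
        _mint(to, amount);
    }
}
```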
All constants should use the same naming convention and should be in capital letters
Change:
Aura.sol constant name from "totalCliffs" to "TOTAL_CLIFFS" https://github.com/code-423n4/2022-05-aura/blob/main/contracts/Aura.sol#L29
AuraLocker.sol constant name from "newRewardRatio" to "NEW_REWARD_RATIO" https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L73
AuraLocker.sol constant name from "rewardsDuration" to "REWARDS_DURATION" https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L81
AuraLocker.sol constant name from "lockDuration" to "LOCK_DURATION" https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L83
AuraLocker.sol constant name from "denominator" to "DENOMINATOR" https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L107
AuraBalRewardPool.sol constant name from "duration" to "DURATION" https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L29
Constants are variables whose value is known before contract deployment. The values of immutable variables are revealed only during contract deployment. The Aura.sol immutable variable reductionPerCliff is calculated from two other constants, so it should also be a constant.
Change variable "reductionPerCliff":
Variables should have the correct value straight after contract deployment in order to reflect the proper state.
Change minterMinted from type(uint256).max to 0 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/Aura.sol#L33
And remove "minterMinted = 0" from the init function https://github.com/code-423n4/2022-05-aura/blob/main/contracts/Aura.sol#L74
Aura token totalSupply() and EMISSIONS_MAX_SUPPLY are already public. minterMinted shows additional minted tokens that are not part of the inflation period. minterMinted should be public in order to be consistent and transparent.
Change Aura.sol variable minterMinted from private to public https://github.com/code-423n4/2022-05-aura/blob/main/contracts/Aura.sol#L33
Functions in the admin section have an onlyOwner modifier; however, setApprovals() does not have such a modifier even though it is in the admin function section.
Move function setApprovals() from ADMIN section to ACTIONS section. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L239-L242
Events should emit only valid data. The Staked event emits the same variable lockAmount twice (L295), while the event declaration (L128) states that there should be two different parameters, _paidAmount and _lockedAmount.
Most likely the event declaration should not have a _paidAmount parameter. Please remove the unnecessary parameter. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L295