Platform: Code4rena
Start Date: 26/05/2023
Pot Size: $100,000 USDC
Total HM: 0
Participants: 33
Period: 14 days
Judge: leastwood
Id: 241
League: ETH
Rank: 16/33
Findings: 1
Award: $813.40
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rbserver
Also found by: 0x73696d616f, 0xTheC0der, 0xdeadbeef, 0xhacksmithh, Bauchibred, GalloDaSballo, KKat7531, Madalad, MohammedRizwan, Rolezn, SAAJ, SanketKogekar, Sathish9098, VictoryGod, brgltd, btk, codeslide, descharre, hunter_w3b, jauvany, kaveyjoe, ladboy233, nadin, niser93, shealtielanz, souilos, trysam2003, yongskiws
813.4016 USDC - $813.40
The code size (extcodesize) of a contract is 0 while its constructor is running, because the runtime bytecode has not yet been stored at the address. A function guarded by an onlyEOA modifier that relies on extcodesize (or address.code.length) can therefore be called from a smart contract by placing the call inside that contract's constructor.
Link to the code:
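The bypass described above, as an added example that is not code from this report or from the audited project: a hypothetical Target contract with an extcodesize-based onlyEOA modifier, a Bypass contract that calls the guarded function from its constructor, and a stricter variant that compares msg.sender with tx.origin. All contract and function names are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

// Hypothetical target: guards a function with an extcodesize-based "EOA only" check.
contract Target {
    uint256 public callsFromEoa;
    mapping(address => bool) public seen;

    // Vulnerable: extcodesize is 0 for an address whose constructor is still running,
    // so a contract can pass this check during its own deployment.
    modifier onlyEOA() {
        uint256 size;
        address sender = msg.sender;
        assembly {
            size := extcodesize(sender)
        }
        require(size == 0, "contracts not allowed");
        _;
    }

    // Hardened: msg.sender == tx.origin holds only when the direct caller is the
    // externally owned account that signed the transaction. Caveat: this also
    // blocks smart-contract wallets, so the restriction must be intentional.
    modifier onlyEOAStrict() {
        require(msg.sender == tx.origin, "contracts not allowed");
        _;
    }

    function claim() external onlyEOA {
        seen[msg.sender] = true;
        callsFromEoa += 1;
    }

    function claimStrict() external onlyEOAStrict {
        seen[msg.sender] = true;
        callsFromEoa += 1;
    }
}

// Attacker contract: the call is made inside the constructor, so at that moment
// extcodesize(address(this)) == 0 and the vulnerable modifier lets it through.
contract Bypass {
    constructor(Target target) {
        target.claim();        // succeeds: onlyEOA is bypassed
        // target.claimStrict(); // would revert: msg.sender (this contract) != tx.origin
    }
}
```

To reproduce: deploy Target, then deploy Bypass with the Target address from an EOA; afterwards seen[address(bypass)] is true even though that address now holds contract code.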
Important parameter or configuration changes should emit an event so that they can be tracked off-chain.
Link to the code:
Consider using a modifier to implement access control instead of inlining the condition in the function's body; this keeps the check in one place and makes guarded functions easy to identify.
Link to the code:
Different Solidity compiler versions are used across the project's contracts, which may expose them to known or unknown compiler bugs. Use one consistent compiler version throughout to avoid unforeseen issues.
Link to the code:
It is good practice to give users time to react and adjust to critical changes. A timelock provides stronger guarantees and reduces the level of trust required from the owner, which lowers the risk for users. It also signals that the project is legitimate (less risk of a malicious owner sandwiching a user's transaction with an instant parameter change).
Link to the code:
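One way to implement the timelock described above, as an added example that is not code from this report or from the audited project: critical parameter changes are queued, announced through an event, and can only be executed after a fixed delay. The example also illustrates the two earlier points in this report, emitting events on parameter changes and using a modifier for access control. The contract, its fee parameter and the delay are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

// Hypothetical fee-bearing contract whose fee changes are queued behind a delay
// instead of taking effect in the same transaction.
contract TimelockedFee {
    uint256 public constant DELAY = 2 days;
    uint256 public constant MAX_FEE_BPS = 1_000; // 10% cap, in basis points

    address public immutable owner;
    uint256 public feeBps;

    // Pending change: the announced value and the earliest timestamp it may apply.
    uint256 public pendingFeeBps;
    uint256 public pendingFeeEta;

    event FeeChangeQueued(uint256 newFeeBps, uint256 eta);
    event FeeChangeCancelled(uint256 newFeeBps);
    event FeeChanged(uint256 oldFeeBps, uint256 newFeeBps);

    // Access control as a modifier rather than an inline require in each function.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 initialFeeBps) {
        require(initialFeeBps <= MAX_FEE_BPS, "fee too high");
        owner = msg.sender;
        feeBps = initialFeeBps;
    }

    // Step 1: announce the change. Users now have DELAY to react (for example, exit).
    function queueFeeChange(uint256 newFeeBps) external onlyOwner {
        require(newFeeBps <= MAX_FEE_BPS, "fee too high");
        pendingFeeBps = newFeeBps;
        pendingFeeEta = block.timestamp + DELAY;
        emit FeeChangeQueued(newFeeBps, pendingFeeEta);
    }

    // The owner may withdraw an announced change, which is also logged.
    function cancelFeeChange() external onlyOwner {
        require(pendingFeeEta != 0, "nothing queued");
        emit FeeChangeCancelled(pendingFeeBps);
        delete pendingFeeBps;
        delete pendingFeeEta;
    }

    // Step 2: anyone may execute once the delay has elapsed; the value that takes
    // effect is exactly the one that was announced, so nothing can be swapped in.
    function executeFeeChange() external {
        require(pendingFeeEta != 0, "nothing queued");
        require(block.timestamp >= pendingFeeEta, "timelock active");
        uint256 old = feeBps;
        feeBps = pendingFeeBps;
        delete pendingFeeBps;
        delete pendingFeeEta;
        emit FeeChanged(old, feeBps);
    }
}
```

For a production system the same pattern is usually obtained by placing ownership of the contract behind OpenZeppelin's TimelockController rather than hand-rolling the queue; the point of the example is that every change is announced in an event before it can take effect.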
Upgradeable contracts are initialized via an initializer function rather than by a constructor. Leaving such a contract uninitialized may lead to it being taken over by a malicious user.
Link to the code:
Ownable2StepUpgradeable prevents contract ownership from mistakenly being transferred to an address that cannot handle it (e.g. due to a typo in the address) by requiring that the recipient of the owner permissions actively accept the transfer via a contract call of its own (acceptOwnership).
Link to the code:
OpenZeppelin recommends locking the implementation contract so that nobody can initialize it directly: either apply the initializer modifier to the constructor or, in current OpenZeppelin versions, call _disableInitializers() from the constructor. This avoids griefing, social-engineering and takeover scenarios involving an uninitialized implementation. Ensure this is done on the implementation contract; if the default (implicit) constructor is currently in use, replace it with an explicit one that applies the lock.
Link to the code:
A zero-address check should be performed in the constructor (or initializer) to avoid setting a storage variable to address(0) at deployment time.
Link to the code:
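The three preceding points (locking the implementation, two-step ownership transfer and zero-address checks on deployment-time parameters) in one added example that is not code from this report or from the audited project. It assumes OpenZeppelin contracts-upgradeable 4.9.x, where _disableInitializers(), __Ownable2Step_init() and acceptOwnership() are available; the contract, its storage variables and the initialize signature are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

// Assumes OpenZeppelin contracts-upgradeable 4.9.x.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {Ownable2StepUpgradeable} from "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";

// Hypothetical configuration contract deployed behind a proxy.
contract VaultConfig is Initializable, Ownable2StepUpgradeable {
    address public treasury;
    uint256 public feeBps;

    event TreasuryUpdated(address indexed oldTreasury, address indexed newTreasury);
    event FeeUpdated(uint256 oldFeeBps, uint256 newFeeBps);

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Locks the implementation: initialize() can never be called on it directly,
        // only on proxies that delegatecall into it.
        _disableInitializers();
    }

    // Called once, through the proxy, ideally in the same transaction that deploys
    // the proxy so there is no window in which the proxy is uninitialized.
    function initialize(address initialOwner, address initialTreasury, uint256 initialFeeBps)
        external
        initializer
    {
        require(initialOwner != address(0), "owner is zero");
        require(initialTreasury != address(0), "treasury is zero");
        __Ownable2Step_init();
        // Direct assignment is appropriate at initialization; later handovers use the
        // two-step transferOwnership() / acceptOwnership() flow inherited above.
        _transferOwnership(initialOwner);
        treasury = initialTreasury;
        feeBps = initialFeeBps;
    }

    // Parameter changes are owner-only, zero-address checked and logged.
    function setTreasury(address newTreasury) external onlyOwner {
        require(newTreasury != address(0), "treasury is zero");
        emit TreasuryUpdated(treasury, newTreasury);
        treasury = newTreasury;
    }

    function setFeeBps(uint256 newFeeBps) external onlyOwner {
        emit FeeUpdated(feeBps, newFeeBps);
        feeBps = newFeeBps;
    }
}
```

Deployment check: after the implementation is deployed, calling initialize() on the implementation address itself reverts with "Initializable: contract is already initialized", while the proxy accepts exactly one initialize() call. A later ownership change leaves owner() unchanged until the new address calls acceptOwnership(), which is the property the two-step variant adds.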
Avoid empty code blocks (for example an empty function body, receive() or fallback()); if a block must exist, give it a purpose such as emitting an event.
Link to the code:
Locking the pragma version ensures that contracts are compiled with the specific compiler version they were tested with, rather than being accidentally deployed with a different, possibly outdated or buggy, version.
Link to the code:
All contracts: the order of functions should help readers identify which functions they can call and find the constructor and fallback definitions more easily.
Functions should be grouped according to their visibility and ordered as in the Solidity style guide, i.e. constructor, receive, fallback, external, public, internal, private; within a grouping, place the view and pure functions last.
#0 - c4-judge
2023-06-16T14:55:47Z
0xleastwood marked the issue as grade-b