Platform: Code4rena
Start Date: 03/05/2023
Pot Size: $60,500 USDC
Total HM: 25
Participants: 114
Period: 8 days
Judge: Picodes
Total Solo HM: 6
Id: 234
League: ETH
Rank: 93/114
Findings: 1
Award: $36.24
๐ Selected for report: 0
๐ Solo Findings: 0
๐ Selected for report: rbserver
Also found by: 0xnev, ABAIKUNANBAEV, Audit_Avengers, Aymen0909, BGSecurity, BRONZEDISC, Bason, DadeKuma, GG_Security, Jerry0x, Jorgect, MohammedRizwan, REACH, Sathish9098, Shogoki, T1MOH, UniversalCrypto, aviggiano, ayden, berlin-101, bytes032, codeslide, descharre, fatherOfBlocks, hals, kaveyjoe, kodyvim, lfzkoala, lukris02, nadin, naman1778, patitonar, pontifex, sakshamguruji, squeaky_cactus, teawaterwire, wonjun, yjrwkk
36.2377 USDC - $36.24
In StandardFunding.solยดs _findProposalIndex (L763-779) and _findProposalIndexOfVotesCast (L789-806) there are conversions from uint256 to int256 which are not checked for there range. Also, a comment states it can be safely assumed to not overflow. This is not the case as the ranges of uint256 (0 to 2 **256 - 1) and int256 (-2 ** 255 to 2 ** 255 - 1) are not completely overlapping.
If the value to cast to int256 is higher or equal than 2 ** 255 it will revert because of a possible overflow.
manual inspection of the code
Check for the range of the value to be casted to another type or use SafeCast. In the specific case the casting might not be necessary at all, as the return type does not have to be int256 probably (negative value is only used for not found case, which could be solved differently).
In Positionsmanager.sol:54-55 a comment (obviously copy pasted) states that the following mapping was for token Ids to Ajna Pool addresses, however the mapping is uint => mapping(uint => Position) and named positions.
The wrong comment is misleading for other devs and also for the same dev in future. Also, the real intention of the mapping is not stated in the code comments, and has to be inferred from the usage.
manual inspection of the code
Fix comment to state intented usage of the mapping.
In Positionsmanager.sol:62 nextId is defined as uint176. However in the rest of the contract the tokenId is always a uint256.
as nextId is used the assign and increment the new tokenIds this inconsistency causes a lot of unnecessary type castings. Also, the lower range of uint176 can possible cause a overflow and therefore a revert of the minting of a new token.
This might be wanted behaviour to control the maximum supply, however if this is the case it should be solved differently.
manual inspection of the code
Use uint256 for nextId to prevent unnecessry type castings. if the supply should be limited it should be checked with a MAX_SUPPLY variable inside the minting function and reverted with a meaningful message.
In Funding.sol:115 all the inputs of the targets array are checked to be the address of the AjnaToken. As this is always the case, the parameter does not have to be a user input and can be hardcoded into the Contract.
The unnecessary check increases complexity and the probability of the transaction to revert. Also, it consumes more gas as needed.
manual inspection of the code
hardcode the targets to always be the ajnaToken, as this is intended anyhow.
#0 - c4-judge
2023-05-18T19:00:20Z
Picodes marked the issue as grade-b