Platform: Code4rena
Start Date: 17/03/2023
Pot Size: $36,500 USDC
Total HM: 10
Participants: 98
Period: 3 days
Judge: leastwood
Total Solo HM: 5
Id: 223
League: ETH
Rank: 50/98
Findings: 2
Award: $34.80
Selected for report: 0
Solo Findings: 0
Selected for report: Sathish9098
Also found by: 0xAgro, 0xSmartContract, 0xdaydream, 0xnev, Awesome, Aymen0909, BRONZEDISC, Bauchibred, Deathstore, Diana, IceBear, Jerry0x, Kresh, Matin, Rolezn, Stryder, T1MOH, Udsen, adriro, alejandrocovrr, atharvasama, codeslide, cryptonue, descharre, igingu, jack, joestakey, libratus, lukris02, luxartvinsec, nadin, nasri136, reassor, scokaf, shark, slvDev, tnevler
22.7749 USDC - $22.77
USE delete TO RESET THE VARIABLE, INSTEAD OF ASSIGNING THE VALUE ZERO
nftID = 0;
It is recommended to use delete to reset the variable instead of assigning the zero value to it:
delete nftID;
There is 1 more instance of this issue:
SPECIFY THE uint SIZE EXPLICITLY WHEN DECLARING uint VARIABLES
The uint variables are declared as both uint and uint256 in the Bio.sol contract.
It is recommended to declare all the uint variables with their sizes explicitly, for improved code readability and understanding.
uint lengthInBytes = bioTextBytes.length;
The above can be declared as follows:
uint256 lengthInBytes = bioTextBytes.length;
So all the uint variables will be declared explicitly with their respective sizes.
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-bio-protocol/src/Bio.sol#L47
There are 2 more instances of this issue:
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-bio-protocol/src/Bio.sol#L49
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-bio-protocol/src/Bio.sol#L55
_tileOffset SHOULD BE EXPLICITLY CHECKED TO SEE IF THE VALUE IS BETWEEN 0 AND TILES_PER_TRAY - 1
The tiles per tray is given the value TILES_PER_TRAY = 7 in the Tray.sol contract.
In the getTile function of the Tray.sol contract the tile data is returned as follows:
tileData = tiles[_trayId][_tileOffset];
Here the value of _tileOffset should be between 0 and TILES_PER_TRAY - 1, but this condition is not explicitly checked.
Hence the above statement could try to access a TileData value which is out of bounds, which could result in unexpected code behaviour.
Hence it is recommended to check that the _tileOffset value is within the range 0 to TILES_PER_TRAY - 1, as shown below:
require(_tileOffset <= (TILES_PER_TRAY - 1), "Requested Tile per tray has exceeded the bound");
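The finding above, as an added example that is not part of the original report or of the Canto identity contracts: a minimal stand-in for the tray storage, with the getter written three ways. The contract name, the TileData field names and the sample tray contents are assumptions made here; the constant value 7 and the require() string are the ones quoted in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

/// Hypothetical stand-in for the Tray contract's tile storage (not the project's code).
contract TrayBoundsExample {
    uint256 public constant TILES_PER_TRAY = 7;

    /// Field names are assumed for this example.
    struct TileData {
        uint8 fontClass;
        uint16 characterIndex;
        uint8 characterModifier;
    }

    /// Tile storage keyed by tray id; every tray has exactly TILES_PER_TRAY slots.
    mapping(uint256 => TileData[TILES_PER_TRAY]) private tiles;

    /// Custom error carrying the offending offset, used by the third getter.
    error TileOffsetOutOfBounds(uint8 tileOffset, uint256 tilesPerTray);

    constructor() {
        // Constructed sample data for tray 1 so the getters return something.
        for (uint8 i; i < TILES_PER_TRAY; ++i) {
            tiles[1][i] = TileData({fontClass: i, characterIndex: i * 10, characterModifier: 0});
        }
    }

    /// Unchecked form, as described in the finding. Because the array is fixed-size,
    /// an offset of 7 or more reverts with Panic(0x32), which tells the caller nothing
    /// about which argument was wrong.
    function getTileUnchecked(uint256 _trayId, uint8 _tileOffset)
        external
        view
        returns (TileData memory tileData)
    {
        tileData = tiles[_trayId][_tileOffset];
    }

    /// Hardened form with the require() the finding recommends: the revert reason
    /// now names the cause, and the range check is visible at the call site.
    function getTile(uint256 _trayId, uint8 _tileOffset)
        external
        view
        returns (TileData memory tileData)
    {
        require(_tileOffset <= (TILES_PER_TRAY - 1), "Requested Tile per tray has exceeded the bound");
        tileData = tiles[_trayId][_tileOffset];
    }

    /// Same check expressed with a custom error, which is cheaper at deployment
    /// than a revert string on compiler 0.8.4 and later.
    function getTileCustomError(uint256 _trayId, uint8 _tileOffset)
        external
        view
        returns (TileData memory tileData)
    {
        if (_tileOffset >= TILES_PER_TRAY) revert TileOffsetOutOfBounds(_tileOffset, TILES_PER_TRAY);
        tileData = tiles[_trayId][_tileOffset];
    }
}
```

Deploying this and calling getTileUnchecked(1, 7) reverts with a bare panic, while getTile(1, 7) and getTileCustomError(1, 7) revert with the descriptive reason and the custom error respectively; all three return the same TileData for offsets 0 to 6. The explicit check is what makes a rejected call auditable from its revert data alone.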
Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
pragma solidity >=0.8.0;
There are 4 more instances of this issue:
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-bio-protocol/src/Bio.sol#L2
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-namespace-protocol/src/Namespace.sol#L2
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-namespace-protocol/src/Tray.sol#L2
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-namespace-protocol/src/Utils.sol#L2
The required contracts, functions or variables can be imported explicitly using named imports. A plain import brings the entire context of the imported file into scope, which could lead to name conflicts.
Currently the Turnstile interface is imported as follows:
import "../interface/Turnstile.sol";
But it can be imported explicitly by name as follows:
import {Turnstile} from "../interface/Turnstile.sol";
There are 4 more instances of this issue:
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-bio-protocol/src/Bio.sol#L7
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-namespace-protocol/src/Namespace.sol#L7-L9
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-namespace-protocol/src/Tray.sol#L10-L11
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-namespace-protocol/src/Utils.sol#L4
#0 - c4-judge
2023-04-11T05:54:12Z
0xleastwood marked the issue as grade-b
Selected for report: 0xSmartContract
Also found by: 0xdaydream, 0xnev, Aymen0909, Deekshith99, Diana, EvanW, Fanz, JCN, Jerry0x, K42, Kresh, Madalad, MiniGlome, Polaris_tow, Rageur, ReyAdmirado, Rolezn, SAAJ, SaeedAlipoor01988, Sathish9098, Shubham, Udsen, Viktor_Cortess, Walter, anodaram, arialblack14, atharvasama, caspersolangii, codeslide, descharre, fatherOfBlocks, felipe, ginlee, igingu, lukris02, nadin, slvDev, tnevler, turvy_fuzz, viking71
12.034 USDC - $12.03
USE numCharacters IN PLACE OF _characterList.length TO SAVE GAS, RATHER THAN CALLING IT REPEATEDLY
In the fuse() function of the Namespace.sol contract, the _characterList.length value is cached as below:
uint256 numCharacters = _characterList.length;
Hence numCharacters can be used for the following _characterList.length calls. But the function calls _characterList.length again, as follows:
uint256[] memory uniqueTrays = new uint256[](_characterList.length);
This can be replaced with the numCharacters variable as follows to save gas:
uint256[] memory uniqueTrays = new uint256[](numCharacters);
Gas is saved because using the cached value only requires reading the local variable, instead of computing the length of the calldata array again, which consumes more gas.
DECLARE STACK VARIABLES OUTSIDE THE for LOOP TO SAVE GAS
Consider declaring the stack variables before the for loop, which will save gas.
for (uint256 i; i < numCharacters; ++i) { //@audit-issue - ++i can be unchecked.
    bool isLastTrayEntry = true;
    uint256 trayID = _characterList[i].trayID;
    uint8 tileOffset = _characterList[i].tileOffset;
    // ...
}
There are 3 more instances of this issue:
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-namespace-protocol/src/Utils.sol#L148
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-namespace-protocol/src/Utils.sol#L157
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-namespace-protocol/src/Utils.sol#L166
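The two gas findings above (reusing the cached numCharacters, and hoisting loop locals with an unchecked increment) in one place, as an added example that is neither the report's nor the Namespace contract's own code. The contract, the CharacterData struct and the "last entry for this tray" logic are assumptions made here to give the loop something realistic to do; only the variable names come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

/// Hypothetical contract (not Namespace.sol) that walks a character list the way
/// the finding describes fuse() doing, once as found and once as recommended.
contract FuseLoopExample {
    /// Assumed shape of one entry in the character list.
    struct CharacterData {
        uint256 trayID;
        uint8 tileOffset;
    }

    /// Baseline, as the finding describes it: the calldata length is read a second
    /// time for the array allocation and the loop locals are declared per iteration.
    function collectTraysBaseline(CharacterData[] calldata _characterList)
        external
        pure
        returns (uint256[] memory uniqueTrays, uint256 numUniqueTrays)
    {
        uint256 numCharacters = _characterList.length;
        uniqueTrays = new uint256[](_characterList.length); // second length read
        for (uint256 i; i < numCharacters; ++i) {
            bool isLastTrayEntry = true;
            uint256 trayID = _characterList[i].trayID;
            // Is any later character from the same tray? If not, record the tray once.
            for (uint256 j = i + 1; j < numCharacters; ++j) {
                if (_characterList[j].trayID == trayID) {
                    isLastTrayEntry = false;
                    break;
                }
            }
            if (isLastTrayEntry) {
                uniqueTrays[numUniqueTrays++] = trayID;
            }
        }
    }

    /// Recommended form: the cached numCharacters is reused for the allocation, the
    /// loop locals live outside the loop, and the counters are incremented unchecked.
    function collectTraysOptimised(CharacterData[] calldata _characterList)
        external
        pure
        returns (uint256[] memory uniqueTrays, uint256 numUniqueTrays)
    {
        uint256 numCharacters = _characterList.length;
        uniqueTrays = new uint256[](numCharacters); // cached value reused
        bool isLastTrayEntry;
        uint256 trayID;
        for (uint256 i; i < numCharacters; ) {
            isLastTrayEntry = true;
            trayID = _characterList[i].trayID;
            for (uint256 j = i + 1; j < numCharacters; ) {
                if (_characterList[j].trayID == trayID) {
                    isLastTrayEntry = false;
                    break;
                }
                unchecked { ++j; } // j < numCharacters, so no overflow is possible
            }
            if (isLastTrayEntry) {
                uniqueTrays[numUniqueTrays++] = trayID;
            }
            unchecked { ++i; } // i < numCharacters, so no overflow is possible
        }
    }
}
```

Both functions return the same uniqueTrays array and count for the same input (for example, tray ids [3, 5, 3, 9] yield [5, 3, 9] with numUniqueTrays = 3), which is the property to assert in a test before adopting the optimised loop: a gas refactor that changes results is a bug, not a saving. The unchecked blocks are safe only because the loop condition bounds the counter; an increment that is not bounded by such a condition must keep the checked arithmetic.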
Use a solidity version of at least 0.8.2 to get simple compiler automatic inlining
Use a solidity version of at least 0.8.3 to get better struct packing and cheaper multiple storage reads
Use a solidity version of at least 0.8.4 to get custom errors, which are cheaper at deployment than revert()/require() strings
Use a solidity version of at least 0.8.10 to have external calls skip contract existence checks if the external call has a return value
pragma solidity >=0.8.0;
There are 4 more instances of this issue:
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-bio-protocol/src/Bio.sol#L2
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-namespace-protocol/src/Namespace.sol#L2
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-namespace-protocol/src/Tray.sol#L2
https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-namespace-protocol/src/Utils.sol#L2
#0 - c4-judge
2023-04-10T23:55:56Z
0xleastwood marked the issue as grade-b