Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $100,000 USDC
Total HM: 4
Participants: 109
Period: 7 days
Judge: GalloDaSballo
Id: 163
League: ETH
Rank: 67/109
Findings: 1
Award: $55.20
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0x52, 0x5rings, 0xNazgul, 0xRobocop, 0xSmartContract, 0xdeadbeef, 0xsanson, 8olidity, Amithuddar, Aymen0909, B2, B353N, CertoraInc, Ch_301, Chom, CodingNameKiki, Deivitto, ElKu, Funen, JC, JohnnyTime, Kresh, Lambda, Noah3o6, RaymondFam, ReyAdmirado, RockingMiles, Rolezn, Sm4rty, SuldaanBeegsi, Tadashi, TomJ, Tomio, V_B, Waze, __141345__, a12jmx, ak1, arcoun, asutorufos, aviggiano, berndartmueller, bharg4v, bin2chen, brgltd, bulej93, c3phas, catchup, cccz, ch0bu, cryptonue, cryptphi, csanuragjain, delfin454000, devtooligan, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, ignacio, joestakey, ladboy233, lukris02, m9800, malinariy, martin, minhtrng, obront, oyc_109, pedr02b2, pedroais, pfapostol, philogy, prasantgupta52, rbserver, ronnyx2017, rotcivegaf, rvierdiiev, sach1r0, shung, simon135, throttle, tnevler, tonisives, wagmi, yixxas, zkhorse, zzykxx, zzzitron
55.1985 USDC - $55.20
#1 Missing zero check constructor
Checking addresses against the zero address during initialization in a constructor is a security best practice; such checks are missing in multiple constructors.
Assigning a zero address will cause later calls that depend on the variable to revert and, where the variable has no setter (an immutable, for example), the only remedy is redeployment. Add zero-address checks to all constructors.
#2 Missing zero address check user
The function accepts a user address without validating it. Add a simple zero-address check on the user address parameter in the function.
#3 Use safeMint()
_mint() is discouraged in favor of _safeMint(), which ensures that the recipient is either an EOA or a contract that implements IERC721Receiver (it calls onERC721Received on contract recipients and reverts unless the magic value is returned). OpenZeppelin provides both variants so that NFTs are not lost when minted to contracts that cannot transfer them back out. Use _safeMint() instead of _mint(). Note that _safeMint() makes an external call into the recipient, so update state before calling it and guard the minting function against reentrancy.
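The following contract is an added illustration of the point above, not code from the audited project or from the warden; it uses OpenZeppelin 4.x and assumes a hypothetical `minter` role. It shows the unsafe `_mint()` path beside the `_safeMint()` path with the reentrancy caveat applied.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Example contract (not the project's own). `minter` is an assumed role.
contract SafeMintExample is ERC721, ReentrancyGuard {
    uint256 private _nextId;
    address public immutable minter;

    constructor(address minter_) ERC721("Example", "EXM") {
        require(minter_ != address(0), "zero minter"); // no setter for an immutable
        minter = minter_;
    }

    // Unsafe pattern: _mint() does not check whether `to` can handle ERC721 tokens.
    // A contract without IERC721Receiver receives a token it can never move again.
    function mintUnsafe(address to) external {
        require(msg.sender == minter, "not minter");
        _mint(to, _nextId++);
    }

    // Hardened pattern: _safeMint() calls onERC721Received() on contract recipients
    // and reverts unless the magic value is returned. That call runs untrusted code,
    // so state is updated first (checks-effects-interactions) and re-entry is blocked.
    function mintSafe(address to) external nonReentrant {
        require(msg.sender == minter, "not minter");
        require(to != address(0), "zero recipient");
        uint256 id = _nextId++;   // effect: consume the id before the external call
        _safeMint(to, id);        // interaction: may call back into `to`
    }
}
```

Without `nonReentrant`, a malicious recipient could call `mintSafe()` again from its `onERC721Received()` callback; the id counter is already advanced here, so the damage would be limited, but the guard keeps the invariant explicit.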
#4 Natspec incomplete
The NatSpec comments are incomplete. Complete the NatSpec comments (@notice, @param, @return) for the affected functions.
#5 Use msg.sender instead of tx.origin
tx.origin is a global variable in Solidity that returns the address of the externally owned account that originated the transaction, whereas msg.sender is the immediate caller. Using tx.origin for authorization makes a contract vulnerable when an authorized account calls into a malicious contract: that contract can call the vulnerable contract, and the check passes because tx.origin still returns the original sender, which is the authorized account. tx.origin should not be used for authorization; use msg.sender instead.
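The three contracts below are an added example of the attack described above and are not part of the audited project or the warden's submission; `VaultTxOrigin`, `Phisher` and `VaultMsgSender` are hypothetical names. Deployed in order (vault by the owner, phisher by the attacker), a single call to `Phisher.claim()` by the owner drains `VaultTxOrigin`, while the same call against `VaultMsgSender` reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Vulnerable: authorizes on tx.origin, so any contract the owner calls can drain it.
contract VaultTxOrigin {
    address public owner;

    constructor() { owner = msg.sender; }

    receive() external payable {}

    function withdrawAll(address payable to) external {
        require(tx.origin == owner, "not owner"); // BUG: passes for any call chain the owner starts
        to.transfer(address(this).balance);
    }
}

// Attacker's contract: the owner is lured into calling claim() (e.g. a fake airdrop).
// Inside that call tx.origin is still the owner, so the vault's check passes.
contract Phisher {
    VaultTxOrigin private immutable vault;
    address payable private immutable attacker;

    constructor(VaultTxOrigin v) {
        vault = v;
        attacker = payable(msg.sender);
    }

    function claim() external {
        vault.withdrawAll(attacker); // msg.sender here is Phisher, tx.origin is the victim
    }
}

// Fixed: msg.sender is the immediate caller (Phisher), so the check fails and the call reverts.
contract VaultMsgSender {
    address public owner;

    constructor() { owner = msg.sender; }

    receive() external payable {}

    function withdrawAll(address payable to) external {
        require(msg.sender == owner, "not owner");
        to.transfer(address(this).balance);
    }
}
```

The fixed vault can still be used through a contract the owner controls (a multisig, for instance) by making that contract the owner; what it cannot be is used through an arbitrary contract the owner merely happens to call.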
#6 Missing zero address check to
The mint function does not validate its to parameter. Add a simple zero-address check on to in the mint function.
#7 Missing check amount >0 mint
Add a requirement that amount is greater than zero in the mint function so that the account actually receives something. A zero-amount mint is a no-op that only spends gas, so the check mainly rejects mistaken calls with a clear error.
#8 Missing zero address check from
The burn function does not validate its from parameter. Add a simple zero-address check on from in the burn function.
#9 Missing check amount >0 burn
Add a requirement that amount is greater than zero in the burn function so that the account actually has something to burn. As with mint, a zero-amount burn is a harmless no-op, so the check is an input-validation nicety rather than a security control.
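The token below is an added example covering the input-validation findings #1, #2 and #6 through #9 together; it is not the audited project's code and `CheckedToken`, `admin` and `treasury` are hypothetical names. It shows the constructor checks on immutables that have no setter, and the zero-address and zero-amount checks on mint and burn.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Example contract (not the project's own). Roles and names are assumed.
contract CheckedToken {
    address public immutable admin;
    address public immutable treasury;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // #1: immutables have no setter, so a zero address here could only be fixed by redeploying.
    constructor(address admin_, address treasury_) {
        require(admin_ != address(0), "admin is zero address");
        require(treasury_ != address(0), "treasury is zero address");
        admin = admin_;
        treasury = treasury_;
    }

    // #6 / #7: reject the zero address and a zero amount before touching state.
    function mint(address to, uint256 amount) external onlyAdmin {
        require(to != address(0), "mint to zero address");
        require(amount > 0, "zero amount");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    // #8 / #9: same for burn; the explicit balance check gives a clear error
    // instead of the arithmetic underflow panic that 0.8 would otherwise raise.
    function burn(address from, uint256 amount) external onlyAdmin {
        require(from != address(0), "burn from zero address");
        require(amount > 0, "zero amount");
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        totalSupply -= amount;
        emit Transfer(from, address(0), amount);
    }
}
```

The zero-address checks are the ones worth keeping in review: tokens minted to address(0) are unrecoverable, and burning "from" address(0) would corrupt `totalSupply` accounting if any balance ever accrued there. The `amount > 0` checks cost a few gas per call and only improve error reporting.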
#0 - GalloDaSballo
2022-10-06T18:54:29Z
Missing zero check constructor L
Use safemint() L
Natspec incomplete NC
Rest is superfluous.
Poorly formatted, will deduct 1 point
2L 1NC