Platform: Code4rena
Start Date: 12/07/2022
Pot Size: $35,000 USDC
Total HM: 13
Participants: 78
Period: 3 days
Judge: 0xean
Total Solo HM: 6
Id: 135
League: ETH
Rank: 25/78
Findings: 2
Award: $130.39
Selected for report: 0
Solo Findings: 0
Selected for report: joestakey
Also found by: 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 8olidity, Avci, Bahurum, Bnke0x0, Chom, ElKu, Funen, GimelSec, JC, Junnon, Kaiziron, Meera, PaludoX0, Picodes, ReyAdmirado, Sm4rty, Soosh, Waze, _Adam, __141345__, ak1, aysha, benbaessler, bin2chen, c3phas, cccz, cryptphi, csanuragjain, defsec, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, itsmeSTYJ, jonatascm, kyteg, mektigboy, oyc_109, pashov, rbserver, rishabh, robee, rokinot, sach1r0, sashik_eth, scaraven, simon135, slywaters
104.5616 USDC - $104.56
[1] Multiple address mappings can be combined into a single mapping of an address to a struct, where appropriate
[2] Add zero-address checks in constructors and setter functions
Consider adding something like: require(newAddr != address(0));
Swivel.sol#L68 Swivel.sol#L428
[3] Avoid using ecrecover
Best practice is to use OpenZeppelin's ECDSA.recover instead, as it solves some minor problems that exist within ecrecover.
[4] Natspec is incomplete
Add @notice
Sig.sol#L20 Sig.sol#L38 Sig.sol#L48
Add @return
Creator.sol#L30 VaultTracker.sol#L113
[5] Contracts have missing License Identifiers
Add license to SPDX-License-Identifier.
[6] Use a more recent version of Solidity
Use a Solidity version of at least 0.8.13 to get the ability to use "using for" with a list of free functions.
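For item [3] above, an added example (not code from the audited contracts or from this report) showing raw ecrecover beside the checks that OpenZeppelin's ECDSA.recover performs: rejecting high-s (malleable) signatures and reverting when recovery yields the zero address. The contract and function names are hypothetical, and the import path assumes the OpenZeppelin Contracts package is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

/// @notice Added illustration; contract and function names are hypothetical.
contract RecoverExample {
    // Half of the secp256k1 group order. A signature with s above this value
    // is the "high-s" twin of a valid low-s signature over the same digest.
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    /// Raw precompile call. Returns address(0) instead of reverting when the
    /// signature is invalid, and accepts both the low-s and high-s forms, so
    /// a caller comparing the result to an unset (zero) signer would pass.
    function recoverRaw(bytes32 digest, uint8 v, bytes32 r, bytes32 s)
        external pure returns (address)
    {
        return ecrecover(digest, v, r, s);
    }

    /// Raw precompile with the two missing checks written out by hand.
    function recoverChecked(bytes32 digest, uint8 v, bytes32 r, bytes32 s)
        external pure returns (address signer)
    {
        require(uint256(s) <= HALF_N, "high-s signature");
        signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
    }

    /// OpenZeppelin helper: performs both checks internally and reverts
    /// rather than returning address(0).
    function recoverOZ(bytes32 digest, uint8 v, bytes32 r, bytes32 s)
        external pure returns (address)
    {
        return ECDSA.recover(digest, v, r, s);
    }
}
```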
#0 - robrobbins
2022-08-31T00:27:57Z
license and compiler issues addressed via other tickets
Selected for report: joestakey
Also found by: 0x040, 0x1f8b, 0xDjango, 0xNazgul, 0xsam, Avci, Aymen0909, Bnke0x0, CRYP70, ElKu, Fitraldys, Funen, JC, Kaiziron, MadWookie, Meera, ReyAdmirado, Sm4rty, Soosh, TomJ, Waze, _Adam, __141345__, ajtra, benbaessler, c3phas, csanuragjain, durianSausage, exd0tpy, fatherOfBlocks, hake, ignacio, karanctf, kyteg, m_Rassska, oyc_109, rbserver, robee, rokinot, samruna, sashik_eth, simon135, slywaters
25.8265 USDC - $25.83
[1] State variables only set in the constructor should be declared immutable
[2] Using private rather than public for constants saves gas
If needed, the value can be read from the verified contract source code.
Swivel.sol#L25 Swivel.sol#L26 Swivel.sol#L27 Swivel.sol#L35
[3] Usage of uints/ints smaller than 32 bytes (256 bits) incurs overhead
When using elements that are smaller than 32 bytes, your contract's gas usage may be higher. This is because the EVM operates on 32 bytes at a time. Therefore, if the element is smaller than that, the EVM must use more operations in order to reduce the size of the element from 32 bytes to the desired size. https://docs.soliditylang.org/en/v0.8.11/internals/layout_in_storage.html Use a larger size then downcast where needed.
Swivel.sol#L35 Swivel.sol#L37 Swivel.sol#L15 Hash.sol#L16 Marketplace.sol#L12 Marketplace.sol#L21 Marketplace.sol#L22 ZcToken.sol#L17