Platform: Code4rena
Start Date: 11/08/2022
Pot Size: $40,000 USDC
Total HM: 8
Participants: 108
Period: 4 days
Judge: hickuphh3
Total Solo HM: 2
Id: 152
League: ETH
Rank: 59/108
Findings: 2
Award: $61.80
馃専 Selected for report: 0
馃殌 Solo Findings: 0
馃専 Selected for report: Saw-mon_and_Natalie
Also found by: 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 0xSolus, 0xackermann, 0xmatt, 0xsolstars, Aymen0909, Bnke0x0, Chom, Deivitto, DevABDee, Dravee, ElKu, IllIllI, JC, Kumpa, Lambda, LeoS, MiloTruck, PwnedNoMore, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Treasure-Seeker, Vexjon, Waze, Yiko, __141345__, apostle0x01, auditor0517, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carlitox477, cccz, cryptphi, csanuragjain, d3e4, danb, delfin454000, durianSausage, erictee, fatherOfBlocks, gogo, iamwhitelights, joestakey, jonatascm, ladboy233, mics, oyc_109, rbserver, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, simon135, thank_you, wagmi, yash90, zeesaw, zkhorse
41.1993 USDC - $41.20
Using a timelock in the following type of functions is common among defi protocols.
Example: FixedPriceDrop.sol#L27
The following functions are payable but doesn't record the sender transaction. Consider making them not payable instead.
At the following functions you should verify the parameters that are being assigned to a state variable.
The following functions allows attackers to try reentrancy since they are calling to external contracts / transferring eth. Consider adding a nonReentrancy modifier.
Floating pragma is a bad practice, since it does not guaranty the same version at future deployments.
If for any reason the following unused parameters are necessary then remove their naming (since only the type matters for function signature)
#0 - HardlyDifficult
2022-08-18T20:04:12Z
[LOW] Add timelock for the following functions
Fair point and something we'll consider in the future.
[LOW] Payable functions that should not be payable
Invalid. These are payable by design and require it.
[LOW] Not verified input
Invalid. All those examples confirm .isContract - it's not clear what else you are suggesting here.
[LOW] Missing nonReentrancy modifier
Without a POC on a potential risk, we don't believe that a reentrancy guard is required here.
[LOW] The project is compiled with different solidity versions
Invalid, all contracts are compiled with 0.8.16
Use fixed pragma
Disagree. We intentionally use a floating pragma in order to make integrating with contracts easier. Other contract developers are looking to interact with our contracts and they may be on a different version than we use. The pragma selected for our contracts is the minimum required in order to correctly compile and function. This way integration is easier if they lag a few versions behind, or if they use the latest but we don't bump our packages frequently enough, and when we do upgrade versions unless there was a breaking solidity change -- it should just swap in by incrementing our npm package version.
[NON CRITICAL] Consider emitting an event at the following functions
I don't believe events are required for these constructors.
[NON CRITICAL] Missing function spec comments
invalid. FETH & PercentSplitETH were out of scope. The other example has a full natspec included already.
[NON CRITICAL] The following events are not indexed
I believe this is invalid. index should be reserved for params that are likely to be requested as a filter. In these examples those params are data not really filter candidates. And for the string specifically, indexed would prevent the full information from being communicated, requiring a second unindexed version which is a bit redundant and increases gas costs.
[NON CRITICAL] Unused function parameters should have name removed
Invalid - these params are required here due to the inheritance used.
馃専 Selected for report: Dravee
Also found by: 0x040, 0x1f8b, 0xDjango, 0xHarry, 0xNazgul, 0xSmartContract, 0xbepresent, 0xkatana, Amithuddar, Aymen0909, Bnke0x0, Chom, CodingNameKiki, Deivitto, DevABDee, Diraco, ElKu, Fitraldys, Funen, IllIllI, JC, LeoS, Metatron, MiloTruck, Noah3o6, ReyAdmirado, Rohan16, Rolezn, Saw-mon_and_Natalie, Sm4rty, SpaceCake, TomJ, Tomio, Trabajo_de_mates, Waze, Yiko, __141345__, ajtra, apostle0x01, bobirichman, brgltd, bulej93, c3phas, cRat1st0s, carlitox477, d3e4, durianSausage, erictee, fatherOfBlocks, gerdusx, gogo, hakerbaya, ignacio, jag, joestakey, ladboy233, medikko, mics, newfork01, oyc_109, pfapostol, robee, rvierdiiev, sach1r0, saian, samruna, sikorico, simon135, wagmi, zeesaw, zkhorse, zuhaibmohd
20.6049 USDC - $20.60
In order to save gas you can put a payable modifier for functions that are called by protocol owners.
You can cache the array size to improve gas usage in the following locations
Example: NFTDropCollection.sol#L130
#0 - HardlyDifficult
2022-08-17T19:01:11Z
[GAS] Do not cache msg.sender since loading msg.sender is more efficient than a local variable
Invalid. None of those links are using msg.sender.
[GAS] In the following revert statements consider using custom error instead a message
Agree but won't fix at this time. We use these in the market but not in collections. Unfortunately custom errors are still not as good of an experience for users (e.g. on etherscan). We used them in the market originally because we were nearing the max contract size limit and this was a good way to reduce the bytecode. We'll consider this in the future as tooling continues to improve.
[GAS] Mark as payable If has onlyOwner modifier
Disagree. This could save gas but 1) this seems like a poor practice to encourage and could be error prone. and 2) we don't care about optimizing admin-only actions.
[GAS] Cache array size
May be theoretically valid, but won't fix. I tested this: gas-reporter and our gas-stories suite is reporting a small regression using this technique. It also hurts readability a bit so we wouldn't want to include it unless it was a clear win.
[GAS] Use assembly opcodes iszero in the following locations
Won't fix. While this may save a tiny bit of gas, we reserve the use of assembly to areas where it would provide significant benefit or accomplish something that's otherwise not possible with Solidity alone.
[GAS] Use abiEncodePacked()
Invalid... while it seems like this should help, changing to .encode makes creating collections slightly more expensive. createNFTCollection increased by 9 gas and createNFTDropCollection increased by 8-10 gas
[GAS] Use > instead != to compare uint with 0
Invalid. We tested the recommendation and got the following results:
createNFTDropCollection gas reporter results: using > 0 (current): - 319246 路 319578 路 319361 using != 0 (recommendation): - 319252 路 319584 路 319367 impact: +6 gas