Platform: Code4rena
Start Date: 11/11/2022
Pot Size: $36,500 USDC
Total HM: 5
Participants: 62
Period: 3 days
Judge: berndartmueller
Id: 181
League: ETH
Rank: 30/62
Findings: 2
Award: $109.36
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rotcivegaf
Also found by: 0x4non, 0xDecorativePineapple, 9svR6w, Trust, V_B, adriro, ajtra, aviggiano, brgltd, carlitox477, chaduke, codexploder, corerouter, joestakey, ladboy233, s3cunda, saian, wait
66.8068 USDC - $66.81
Judge has assessed an item in Issue #164 as M risk. The relevant finding follows:
[01] Lack of check if dust ether transfer is successful
#0 - c4-judge
2022-11-17T12:22:44Z
berndartmueller marked the issue as duplicate of #90
#1 - c4-judge
2022-11-17T12:22:55Z
berndartmueller marked the issue as satisfactory
#2 - berndartmueller
2022-11-17T12:24:03Z
Applying partial credit (50%) due to missing a detailed impact description.
#3 - c4-judge
2022-11-17T12:24:08Z
berndartmueller marked the issue as partial-50
🌟 Selected for report: 0xSmartContract
Also found by: 0x4non, 0xNazgul, 0xhacksmithh, Aymen0909, HE1M, IllIllI, Josiah, RaymondFam, Rolezn, Tricko, brgltd, c3phas, chrisdior4, joestakey, ladboy233, martin, neko_nyaa, rotcivegaf, tnevler, trustindistrust
42.5508 USDC - $42.55
The assembly low level call does not check if the transfer is successful. This can result in silent failures.
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L212-L227
Consider checking the returned value. E.g. if iszero(callStatus) { revert(0, 0) }.
Consider adding a __gap[] storage variable to allow for new storage variables in later versions. Example.
See this link for a description of this storage variable issue. Adding the variable now protects against forgetting to add it in the future.
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L30
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Pool.sol#L13
If the oracle variable gets configured with address zero, failure to immediately reset the value can result in unexpected behavior for the project.
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L115
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L130
Lack of two-step procedure for critical operations leaves them error-prone. Consider adding two step procedure on the critical functions.
Consider adding a two-steps pattern on critical changes to avoid mistakenly transferring ownership of roles or critial functionalities to the wrong address.
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L323
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L332
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L341
Following instance is camel case
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L186
Following instance is snake case
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L188
Consider using only one convention throughout the codebase.
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L282
Todos should be resolved to improve code quality maturity.
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Pool.sol#L18
Consider using only one approach. E.g. only returning manual valuse or only using the return named variables feature
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L537-L555
Consider adding natspec on all function to improve documentation.
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L212
The solidity documentation recommends the following order for functions:
constructor receive function (if exists) fallback function (if exists) external public internal private
The instance bellow shows private above public.
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L212
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L234
The solidity documentation recommends a maximum of 120 characters.
Consider adding a limit of 120 characters or less to prevent large lines.
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L546
_oracle to be the same as the existing oracleConsider checking if the new oracle is not the same as the existing oracle, e.g. require(_oracle != oracle, ""). This will prevent triggering unnecessary events.
Optimizations are being actively developed and are not considered safe. Check the following audit recommending agaist deployments with the optimizer enabled (item 3 in the audit document).
If possible, consider measuring and documenting the tradeoffs when enabling the optimizer.
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Pool.sol#L79
Following instance is using uint
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L116
Following instance is using uint256
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L350
Consider using only on approach for declaring 256 bits unsigned interges.
#0 - c4-judge
2022-11-17T12:22:33Z
berndartmueller marked the issue as grade-b