Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 96
Period: 3 days
Judge: HardlyDifficult
Total Solo HM: 5
Id: 140
League: ETH
Rank: 66/96
Findings: 1
Award: $30.89
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0x52, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xkatana, BowTiedWardens, Chom, ElKu, Funen, GalloDaSballo, JC, JMukesh, JohnSmith, Lambda, Limbooo, MadWookie, MiloTruck, Nethermind, Noah3o6, Nyamcil, Picodes, PwnedNoMore, Randyyy, RoiEvenHaim, SmartSek, StErMi, Tadashi, TerrierLover, TomJ, Tomio, Treasure-Seeker, UnusualTurtle, Varun_Verma, Wayne, Waze, _Adam, apostle0x01, asutorufos, berndartmueller, c3phas, catchup, cccz, cloudjunky, codexploder, cryptphi, defsec, delfin454000, dipp, ellahi, exd0tpy, fatherOfBlocks, hansfriese, hyh, joestakey, kebabsec, kenta, masterchief, minhquanym, naps62, oyc_109, pashov, peritoflores, reassor, rfa, robee, sach1r0, saian, sashik_eth, shenwilly, simon135, slywaters, sorrynotsorry, sseefried, unforgiven, xiaoming90, ych18, zuhaibmohd, zzzitron
30.8916 USDC - $30.89
A fixed Solidity pragma of 0.8.10 is used throughout the project but there are examples where different versions and floating pragma are used. For example;
All contracts should use the same fixed Solidity version (i.e. not floating) across the code based. Floating pragma is noted as a smart contract weakness in SWC-103.
.transfer() and the return value is not checkedThe withdrawETH() Basket.sol uses the transfer() function with can cause a number of issues in in production use. For example;
This can lead to the locking of funds as;
.call() allows gas to be set at a higher value than the default for .transfer() which is 2300 unites.The .transfer() method should be changed to use .call(). For example, withdrawETH() in Basket.sol` should be changed from this;
function withdrawETH(address payable _to) external override { require(_isApprovedOrOwner(msg.sender, 0), "withdraw:not allowed"); _to.transfer(address(this).balance); emit WithdrawETH(_to); }
To this;
function withdrawETH(address payable _to) external override { require(_isApprovedOrOwner(msg.sender, 0), "withdraw:not allowed"); (bool success, ) = payable(_to).call{value: address(this).balance}(""); require(success, "Basket: ETH transfer failed"); emit WithdrawETH(_to); }
Note in the example above that a boolean success value is initialised by the .call{} and is checked to ensure that the transfer has been successful or reverts.
There's missing natspec documentation on a number of functions and important fields like @param and @return are sometimes missing. For example;
_sellPrimaryCurve()inNibblVault.sol has documentation for @param _amount but not _totalSupply._sellSecondaryCurve() in NibblVault.sol has documentation for @param _amount but not _totalSupply.withdrawERC721() , withdrawERC721Unsafe() and withdrawERC1155() in Basket.sol have documentation for @param _token and _tokenId but not _to.Proper natspec documentation with @param and @return populated would significantly improve the readability of the code base and ensure reviewers aren't guessing as to the intent of arguments to functions. A good standard is to full document all public and external functions with @param and @return so that users of the contract can understand the functionality better.
#0 - HardlyDifficult
2022-07-02T22:33:03Z
#1 - HardlyDifficult
2022-07-04T15:38:28Z
Good suggestions - couple low risk, couple NC.