Platform: Code4rena
Start Date: 07/06/2022
Pot Size: $75,000 USDC
Total HM: 11
Participants: 77
Period: 7 days
Judge: gzeon
Total Solo HM: 7
Id: 124
League: ETH
Rank: 53/77
Findings: 1
Award: $89.19
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: berndartmueller
Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 0xmint, Bronicle, Chom, Cityscape, Deivitto, Funen, GimelSec, GreyArt, IllIllI, JC, Lambda, Meera, Nethermind, Picodes, PierrickGT, Ruhum, Sm4rty, Tadashi, TerrierLover, TomJ, Trumpero, Waze, _Adam, antonttc, ayeslick, c3phas, catchup, cccz, cloudjunky, cryptphi, csanuragjain, delfin454000, dipp, ellahi, fatherOfBlocks, hake, hansfriese, hyh, joestakey, jonah1005, kenzo, minhquanym, oyc_109, sach1r0, saian, simon135, slywaters, sorrynotsorry, sseefried, unforgiven, xiaoming90, z3s, zzzitron
89.1872 USDC - $89.19
There are multiple different pragma versions across the contracts in notional-wrapped-fcash/contracts. Namely;
^0.8.0 in contracts/lib/Constants.sol, contracts/lib/DateTime.sol, contracts/lib/Types.sol and interfaces/IERC4626.sol
^0.8.11 in interfaces/notional/INotionalV2.sol
0.8.11 in contracts/lib/EncodeDecode.sol, contracts/wfCashBase.sol and contracts/wfCashLogic.sol
=0.8.11 in interfaces/WETH9.sol
This is the weakness identified in SWC-103 (Floating Pragma): "Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly." A floating pragma such as ^0.8.0 lets a file compile under any 0.8.x release, so the deployed bytecode may come from a compiler version the test suite never ran against, including one with known compiler bugs.
Lock pragmas to a specified compiler version, e.g. pragma solidity 0.8.11; on all contracts unless they are intended to be consumed by other developers (shared libraries and interfaces are the usual exception, since a fixed pragma there forces every importer onto the same compiler version).
There are a series of require statements that have no message, so it is difficult to understand why a call reverted. Often there are also no natspec comments explaining the enclosing function;
Examples;
Ensure that each require statement has a clear message for why it failed (or, on Solidity 0.8.4 and later, a custom error, which is cheaper in bytecode and just as descriptive). This is especially true for _safeUint88 in wfCashLogic, which might revert for large values of fCash (e.g. 309485009821345068724781056, which is 2^88 and does not fit in a uint88) and currently gives the caller nothing but an empty revert to debug from.
There is missing natspec documentation on most functions, and important tags like @param and @return are often missing. wfCashLogic.sol has the most detailed documentation, however it is still incomplete in many areas. Some examples;
@param
and onERC1155Received has no @param or @return documentation.
Proper natspec documentation with @param and @return populated would significantly improve the readability of the code base and ensure reviewers aren't guessing at the intent of functions and variables.
There is mixed use of explicit return statements and named return variables (which make the return statement optional) across the wrapped fcash codebase. Examples;
Combined with the natspec issue above this dramatically affects code readability and the likelihood of bugs being introduced: a named return variable that is never assigned on some path silently returns the zero value instead of failing to compile.
Documenting @return would really help if the style guide is to keep using named returns. Either way, a consistent approach would improve readability.
pragma experimental ABIEncoderV2; is referenced in a contract whose solidity pragma is 0.8.x. ABIEncoderV2 is still accepted but has been deprecated since Solidity 0.8.0, where ABI coder v2 became the default (see the Solidity docs). A reference to ABIEncoderV2 was found in contracts/wfCashLogic.sol.
Delete the reference to pragma experimental ABIEncoderV2 in contracts/wfCashLogic.sol or, if there is still a requirement to be explicit, change it to pragma abicoder v2; similar to contracts/lib/DateTime.sol.
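The pragma, bare-require and ABIEncoderV2 findings above are all mechanically checkable. The following Python script is an added example written for this report, not code from the notional-wrapped-fcash repository or from Code4rena tooling: it scans Solidity sources for distinct pragma constraints (SWC-103), for the deprecated pragma experimental ABIEncoderV2, and for require() calls that carry no reason string. The file contents in SAMPLE_SOURCES are constructed to mirror the pragmas listed above; the _safeUint88 body in them is a stand-in shaped like the report's description, not the project's actual implementation.

```python
"""Added example: checker for the pragma, bare-require and ABIEncoderV2
findings in this report. Not code from notional-wrapped-fcash or Code4rena.
SAMPLE_SOURCES is constructed; its _safeUint88 is a stand-in, not the real one."""
import re
from collections import defaultdict

PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+([^;]+);", re.MULTILINE)
ABI_V2_RE = re.compile(r"^\s*pragma\s+experimental\s+ABIEncoderV2\s*;",
                       re.MULTILINE | re.IGNORECASE)


def strip_comments(src):
    """Blank out // and /* */ comments, keeping newlines so line numbers hold."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                 src, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", src)


def pragma_versions(sources):
    """Map each distinct compiler constraint to the files declaring it."""
    by_version = defaultdict(list)
    for path, src in sources.items():
        for m in PRAGMA_RE.finditer(strip_comments(src)):
            by_version[m.group(1).strip()].append(path)
    return dict(by_version)


def experimental_abi_files(sources):
    """Files still using the deprecated 'pragma experimental ABIEncoderV2;'."""
    return sorted(p for p, s in sources.items() if ABI_V2_RE.search(strip_comments(s)))


def _call_args(src, open_paren):
    """Split the argument list of the call whose '(' is at open_paren on
    top-level commas; commas inside nested calls or string literals are
    ignored. Returns None if the parentheses never close."""
    depth, in_str, args, cur, i = 0, None, [], [], open_paren
    while i < len(src):
        c = src[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(src):  # keep escaped char verbatim
                cur.append(src[i + 1])
                i += 1
            elif c == in_str:
                in_str = None
        elif c in "\"'":
            in_str = c
            cur.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:
                cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    return None


def bare_requires(sources):
    """(path, line, condition) for each require() with no reason string."""
    found = []
    for path, src in sources.items():
        clean = strip_comments(src)
        for m in re.finditer(r"\brequire\s*\(", clean):
            args = _call_args(clean, m.end() - 1)
            if args is not None and len(args) == 1:
                found.append((path, clean.count("\n", 0, m.start()) + 1, args[0]))
    return found


def report(sources):
    """One line per finding across the three checks."""
    lines = []
    versions = pragma_versions(sources)
    if len(versions) > 1:
        lines.append("SWC-103: %d different pragma constraints: %s"
                     % (len(versions), ", ".join(sorted(versions))))
    for path in experimental_abi_files(sources):
        lines.append("%s: deprecated 'pragma experimental ABIEncoderV2;'" % path)
    for path, line, cond in bare_requires(sources):
        lines.append("%s:%d: require(%s) has no reason string" % (path, line, cond))
    return lines


# Constructed inputs mirroring the pragmas listed in the report above.
SAMPLE_SOURCES = {
    "contracts/lib/Constants.sol": "pragma solidity ^0.8.0;\nlibrary Constants {}\n",
    "interfaces/notional/INotionalV2.sol": "pragma solidity ^0.8.11;\ninterface INotionalV2 {}\n",
    "interfaces/WETH9.sol": "pragma solidity =0.8.11;\ninterface WETH9 {}\n",
    "contracts/wfCashLogic.sol": (
        "pragma solidity 0.8.11;\n"
        "pragma experimental ABIEncoderV2;\n"
        "contract wfCashLogic {\n"
        "    // stand-in for the report's _safeUint88, not the real one\n"
        "    function _safeUint88(uint256 x) internal pure returns (uint88) {\n"
        "        require(x <= uint256(type(uint88).max));\n"
        "        return uint88(x);\n"
        "    }\n"
        "    function f(address a, uint256 b) external pure {\n"
        "        require(a != address(0), \"zero, address\");\n"
        "        require(b > 0);\n"
        "    }\n"
        "}\n"
    ),
}

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SOURCES)))
```

To run it against a real tree, build the sources dict from a walk over `*.sol` files; the comment stripper is deliberately simple (it does not handle `//` inside string literals), which is adequate for a triage pass but not a substitute for a proper parser such as solc's AST output.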