Platform: Code4rena
Start Date: 27/10/2022
Pot Size: $33,500 USDC
Total HM: 8
Participants: 96
Period: 3 days
Judge: kirk-baird
Total Solo HM: 1
Id: 176
League: ETH
Rank: 58/96
Findings: 1
Award: $19.64
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: robee
Also found by: 0x007, 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 8olidity, Awesome, B2, Bnke0x0, Chom, Diana, Dravee, JTJabba, Jeiwan, Josiah, Lambda, Mathieu, Picodes, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Rolezn, Ruhum, Sm4rty, Tricko, Trust, Waze, __141345__, a12jmx, adriro, ajtra, brgltd, c3phas, carlitox477, cccz, ch0bu, chaduke, chrisdior4, corerouter, cryptonue, csanuragjain, ctf_sec, cylzxje, delfin454000, dic0de, djxploit, horsefacts, imare, jayphbee, jwood, ktg, ladboy233, leosathya, lukris02, minhtrng, neko_nyaa, oyc_109, pashov, peritoflores, rbserver, rvierdiiev, shark, tnevler, yixxas
19.6449 USDC - $19.64
Check for address(0x0) is missing for chestAddress:
chestAddress = _chestAddress;
// so it's override by the Pledge's endTimestamp
Change override to overridden
// Calculated the effective Pledge duration
Change Calculated to Calculate
// based on the Boost bias & the Boost duration, to take in account that the delegated amount decreases
Change in to into
* @param targetVotes Maximum taget of votes to have (own balacne + delegation) for the receiver
Change taget to target and balacne to balance
* @param maxTotalRewardAmount Maximum total reward amount allowed ot be pulled by this contract
Change ot to to
The same typo also occurs in the following lines:
// Add the total reards as available for the Pledge & write Pledge parameters in storage
Change reards to rewards
* @param pledgeId ID fo the Pledge
Change fo to for
The same typo also occurs in the following line:
* @param minRewardPerSecond Minmum amount of reward per vote per second for the token
Change Minmum to Minimum
The same typo also occurs in the following lines:
* @notice Updates the Platfrom fees BPS ratio
Change Platfrom to Platform
The same typo also occurs in the next line:
* @param token Address tof the EC2O token
Change tof to of
@notice Explanation for event trigger is missing
/** @notice Event emitted when xx */
Similarly for the following lines:
    /**
     * @dev Creates the contract, set the given base parameters
     * @param _votingEscrow address of the voting token to delegate
     * @param _delegationBoost address of the contract handling delegation
     * @param _minTargetVotes min amount of veToken to target in a Pledge
     */
    constructor(
        address _votingEscrow,
        address _delegationBoost,
        address _chestAddress,
        uint256 _minTargetVotes
    ) {
Missing: @param _chestAddress
    // Utils
    function safe64(uint256 n) internal pure returns (uint64) {
        if(n > type(uint64).max) revert Errors.NumberExceed64Bits();
        return uint64(n);
    }
Missing @notice, @param n and @return
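The missing address(0x0) check on chestAddress and the NatSpec gaps noted above for the constructor and safe64, put together as an added example (not code from the audited contract or from this report). The contract name, the locally declared errors, the state-variable types and the wording of the new NatSpec lines are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// @notice Added illustration only; names and types here are assumptions.
contract PledgeConfigExample {
    /// @notice Thrown when a required address parameter is address(0) (hypothetical error)
    error ZeroAddress();
    /// @notice Thrown when a value does not fit in 64 bits
    error NumberExceed64Bits();

    address public immutable votingEscrow;
    address public immutable delegationBoost;
    address public chestAddress;
    uint256 public minTargetVotes;

    /**
     * @dev Creates the contract, set the given base parameters
     * @param _votingEscrow address of the voting token to delegate
     * @param _delegationBoost address of the contract handling delegation
     * @param _chestAddress address of the chest (must not be address(0))
     * @param _minTargetVotes min amount of veToken to target in a Pledge
     */
    constructor(
        address _votingEscrow,
        address _delegationBoost,
        address _chestAddress,
        uint256 _minTargetVotes
    ) {
        // Reject the zero address before it is written to storage
        if (_chestAddress == address(0)) revert ZeroAddress();

        votingEscrow = _votingEscrow;
        delegationBoost = _delegationBoost;
        chestAddress = _chestAddress;
        minTargetVotes = _minTargetVotes;
    }

    /**
     * @notice Converts a uint256 to a uint64, reverting if it does not fit
     * @param n Value to convert
     * @return uint64: n converted to 64 bits
     */
    function safe64(uint256 n) internal pure returns (uint64) {
        if (n > type(uint64).max) revert NumberExceed64Bits();
        return uint64(n);
    }
}
```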
@notice and @dev statements
    /**
     * @notice Amount of Pledges listed in this contract
     * @dev Amount of Pledges listed in this contract
     * @return uint256: Amount of Pledges listed in this contract
     */
    function pledgesIndex() public view returns(uint256){
        return pledges.length;
    }
Recommendation: Remove @dev since it contains the same information as @notice.
Similarly for the other @dev and @notice pairs with identical information:
In some cases, the @dev statement contains additional information (i.e., appended to that in @notice):
    /**
     * @notice Extends the Pledge duration
     * @dev Extends the Pledge duration & add rewards for that new duration
     * @param pledgeId ID of the Pledge
     * @param newEndTimestamp New end of the Pledge
     * @param maxTotalRewardAmount Maximum added total reward amount allowed ot be pulled by this contract
     * @param maxFeeAmount Maximum fee amount allowed ot be pulled by this contract
     */
Recommendation: Move the extra information in the @dev statement to the @notice, then remove the @dev, as follows:
    /**
     * @notice Extends the Pledge duration & add rewards for that new duration
     * @param pledgeId ID of the Pledge
     * @param newEndTimestamp New end of the Pledge
     * @param maxTotalRewardAmount Maximum added total reward amount allowed to be pulled by this contract
     * @param maxFeeAmount Maximum fee amount allowed to be pulled by this contract
     */
Similarly for the other @dev and @notice pairs with analogous configuration:
indexed fields
Each event should use three indexed fields if there are three or more fields. Below are events with missing indexed fields.
    event NewPledge(
        address creator,
        address receiver,
        address rewardToken,
        uint256 targetVotes,
        uint256 rewardPerVote,
        uint256 endTimestamp
    );
Similarly for the following events:
Terms incorporating "black," "white," "slave" or "master" are potentially problematic. Substituting more neutral terminology is becoming common practice.
// Also used to whitelist the tokens for rewards
Suggestion: Change whitelist to allowlist
Similarly for other instances of whitelist and its variants
#0 - c4-judge
2022-11-12T01:00:41Z
kirk-baird marked the issue as grade-b