Platform: Code4rena
Start Date: 04/11/2022
Pot Size: $42,500 USDC
Total HM: 9
Participants: 88
Period: 4 days
Judge: 0xean
Total Solo HM: 2
Id: 180
League: ETH
Rank: 49/88
Findings: 1
Award: $44.29
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0x1f8b
Also found by: 0xSmartContract, 0xc0ffEE, Aymen0909, B2, Deivitto, Josiah, KingNFT, Rahoz, RaymondFam, RedOneN, ReyAdmirado, Trust, ajtra, aviggiano, brgltd, c7e7eff, cryptonue, ctf_sec, delfin454000, djxploit, lukris02, peanuts, rvierdiiev, shark, simon135, slowmoses, tnevler, trustindistrust
44.2869 USDC - $44.29
Named return variable (here, tokensAvailable) is never used
function tokensAvailableForWithdrawal(uint256 auctionId, uint128 baseAmount) public view returns (uint128 tokensAvailable)
Event is missing indexed fieldsEach event should use three indexed fields if there are three or more fields
event AuctionCreated( uint256 auctionId, address seller, AuctionParameters params, Timings timings, bytes encryptedPrivKey );
Similarly for the following events:
@param statements/// @notice Reveals the private key of the seller /// @dev All valid bids are decrypted after this /// finalizeData should be empty if seller does not wish to finalize in this tx /// @param privateKey Private key corresponding to the auctions public key /// @param finalizeData Calldata that will be sent to finalize() function reveal(uint256 auctionId, uint256 privateKey, bytes calldata finalizeData) external
Missing: @param auctionId
/// @param baseToken The ERC20 to be sold by the seller /// @param quoteToken The ERC20 to be bid by the bidders /// @param reserveQuotePerBase Minimum price that bids will be filled at /// @param totalBaseAmount Max amount of `baseToken` to be auctioned /// @param minimumBidQuote Minimum quote amount a bid can buy /// @param pubKey On-chain storage of seller's ephemeral public key struct AuctionParameters { address baseToken; address quoteToken; uint256 reserveQuotePerBase; uint128 totalBaseAmount; uint128 minimumBidQuote; bytes32 merkleRoot; ECCMath.Point pubKey; }
Missing: @param merkleRoot
NatSpec is completely missing for the following function:
function computeCommitment(bytes32 message) public pure returns (bytes32) { return keccak256(abi.encode(message));
Similarly for the following public or external functions:
NatSpec is also completely missing for the following struct:
// Used to get around stack too deep errors -- even with viaIr struct FinalizeData { uint256 reserveQuotePerBase; uint128 totalBaseAmount; uint128 filledBase; uint256 previousQuotePerBase; uint256 previousIndex; }
Similarly for the following structs:
/// @notice Bid on a runnning auction
Change runnning to running
/// @notice Finalises an auction by revealing all bids
Change Finalises to Finalizes. Note that the American English version of this word ("finalize") and its variants are used throughout for vaiable names and most of the remainder of comments in the contest.
/// @dev Transfers `quoteToken` back to bidder and prevents bid from being finalised
Change finalised to finalized
// Prevent any futher access to this EncryptedBid
Change futher to futher
Comments that refer to open items should be addressed
/// @dev we hash the point because unsure if x,y is normal distribution (source needed)
Terms incorporating "black," "white," "slave" or "master" are potentially problematic. Substituting more neutral terminology is becoming common practice.
/// @param proof Merkle proof that checks seller against `merkleRoot` if there is a whitelist
Suggestion: Change whitelist to allowlist
#0 - c4-judge
2022-11-10T02:47:12Z
0xean marked the issue as grade-b