Platform: Code4rena
Start Date: 29/06/2022
Pot Size: $50,000 USDC
Total HM: 20
Participants: 133
Period: 5 days
Judge: hickuphh3
Total Solo HM: 1
Id: 142
League: ETH
Rank: 96/133
Findings: 1
Award: $47.13
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: xiaoming90
Also found by: 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xSolus, 0xf15ers, 0xsanson, AmitN, Bnke0x0, BowTiedWardens, Chom, David_, ElKu, Funen, GalloDaSballo, GimelSec, Hawkeye, IllIllI, JC, JohnSmith, Kaiziron, Kenshin, Lambda, Limbooo, MadWookie, Metatron, MiloTruck, Nethermind, Picodes, ReyAdmirado, Sneakyninja0129, StErMi, TomJ, Treasure-Seeker, TrungOre, Waze, Yiko, _Adam, __141345__, antonttc, async, aysha, catchup, cccz, cryptphi, csanuragjain, danb, datapunk, defsec, delfin454000, dirk_y, doddle0x, durianSausage, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, horsefacts, hubble, itsmeSTYJ, joestakey, oyc_109, pedroais, peritoflores, rajatbeladiya, reassor, robee, rokinot, samruna, saneryee, sashik_eth, shenwilly, shung, simon135, sseefried, unforgiven, zer0dot, zzzitron
47.1311 USDC - $47.13
[N-01] PUBLIC FUNCTIONS NOT CALLED BY THE CONTRACT SHOULD BE DECLARED EXTERNAL INSTEAD
6 instances of the issue
File: PuttyV2.sol 389: function exercise(Order memory order, uint256[] calldata floorAssetTokenIds) public payable {
File: PuttyV2.sol 466: function withdraw(Order memory order) public {
File: PuttyV2.sol 546: function batchFillOrder( Order[] memory orders, bytes[] calldata signatures, uint256[][] memory floorAssetTokenIds ) public returns (uint256[] memory positionIds) {
File: PuttyV2.sol 573: function acceptCounterOffer( Order memory order, bytes calldata signature, Order memory originalOrder ) public payable returns (uint256 positionId) {
File: PuttyV2.sol 753: function domainSeparatorV4() public view returns (bytes32) {
File: PuttyV2.sol 764: function tokenURI(uint256 id) public view override returns (string memory) {
[N-02] CONSTANTS SHOULD BE DEFINED
5 instances of the issue
File: PuttyV2.sol 241: require(_fee < 30, "fee must be less than 3%");
File: PuttyV2.sol 287: require(order.duration < 10_000 days, "Duration too long");
File: PuttyV2.sol 413: transferFrom(msg.sender, address(0xdead), uint256(orderHash));
File: PuttyV2.sol 488: transferFrom(msg.sender, address(0xdead), uint256(orderHash));
File: PuttyV2.sol 499: feeAmount = (order.strike * fee) / 1000;
[N-03] MISSING EVENT FOR ORDER CHANGE
I would consider it beneficial to have an event when an order is countered and a new one created, versus the standard cancel-and-create flow. This will make traceability clear. Function acceptCounterOffer() doesn't emit any event.
File: PuttyV2.sol 573: function acceptCounterOffer( Order memory order, bytes calldata signature, Order memory originalOrder ) public payable returns (uint256 positionId) {
[N-04] INCONSISTENT USE OF bytes32 VS uint256
Three mappings track the state of orders: cancelledOrders uses bytes32 as its key, while positionExpirations and exercisedPositions use uint256.
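The following contract sketch is an added illustration written for this report, not PuttyV2 code. It shows one way the four QA points above (N-01 external visibility with calldata, N-02 named constants, N-03 an event on counter-offer acceptance, N-04 a single key type for the order-state mappings) could be applied together. The struct fields, function bodies, event shapes and the placeholder hashing are assumptions simplified from the fragments quoted in the findings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Illustrative sketch for this report; NOT the audited PuttyV2 contract.
// Struct layout, hashing and event names are assumptions.
contract OrderBookSketch {
    struct Order {
        address maker;
        uint256 strike;
        uint256 duration;
        uint256 nonce;
    }

    // [N-02] Named constants instead of the magic numbers 30, 1000, 10_000 days, 0xdead.
    uint256 public constant FEE_DENOMINATOR = 1000;         // fee is in tenths of a percent
    uint256 public constant MAX_FEE = 30;                   // 30 / 1000 = 3%
    uint256 public constant MAX_DURATION = 10_000 days;
    address public constant BURN_ADDRESS = address(0xdead); // sink for exercised positions

    uint256 public fee;

    // [N-04] One key type everywhere: the position id is uint256(orderHash),
    // so every order-state mapping is keyed by that same uint256.
    mapping(uint256 => bool) public cancelledOrders;
    mapping(uint256 => uint256) public positionExpirations;
    mapping(uint256 => bool) public exercisedPositions;

    // [N-03] Counter-offer acceptance gets its own event, so the link between the
    // original order and its replacement is visible on-chain instead of looking
    // like an unrelated cancel followed by a fill.
    event CounterOfferAccepted(uint256 indexed originalPositionId, uint256 indexed newPositionId, address indexed maker);
    event OrderCancelled(uint256 indexed positionId);
    event PositionExercised(uint256 indexed positionId, address burnedTo);

    constructor(uint256 _fee) {
        require(_fee < MAX_FEE, "fee must be less than 3%");
        fee = _fee;
    }

    // Placeholder hashing for the sketch; the real contract uses EIP-712 typed data.
    function hashOrder(Order calldata order) public pure returns (uint256) {
        return uint256(keccak256(abi.encode(order.maker, order.strike, order.duration, order.nonce)));
    }

    // [N-01] Entry points that are never called internally are external and take
    // calldata parameters, avoiding the memory copy a public function would make.
    function fillOrder(Order calldata order) external returns (uint256 positionId) {
        return _fill(order);
    }

    function acceptCounterOffer(Order calldata order, Order calldata originalOrder)
        external
        returns (uint256 positionId)
    {
        require(originalOrder.maker == msg.sender, "not the original maker");
        uint256 originalId = hashOrder(originalOrder);
        require(!cancelledOrders[originalId], "original already cancelled");

        // Counter-offer flow: cancel the original and create the replacement in one call...
        cancelledOrders[originalId] = true;
        emit OrderCancelled(originalId);
        positionId = _fill(order);

        // ...and record the relationship explicitly so indexers can follow it.
        emit CounterOfferAccepted(originalId, positionId, order.maker);
    }

    function exercise(Order calldata order) external {
        uint256 positionId = hashOrder(order);
        require(block.timestamp < positionExpirations[positionId], "expired or unfilled");
        require(!exercisedPositions[positionId], "already exercised");
        exercisedPositions[positionId] = true;
        // The audited code transfers the position NFT to address(0xdead) at this point;
        // the sketch only records the named sink.
        emit PositionExercised(positionId, BURN_ADDRESS);
    }

    function feeFor(uint256 strike) public view returns (uint256) {
        return (strike * fee) / FEE_DENOMINATOR;
    }

    function _fill(Order calldata order) internal returns (uint256 positionId) {
        require(order.duration < MAX_DURATION, "Duration too long");
        positionId = hashOrder(order);
        require(!cancelledOrders[positionId], "order cancelled");
        require(positionExpirations[positionId] == 0, "order already filled");
        positionExpirations[positionId] = block.timestamp + order.duration;
    }
}
```

The constants keep the fee arithmetic and its bound (MAX_FEE over FEE_DENOMINATOR) next to each other, so a reviewer can confirm the "3%" in the revert string matches the code rather than having to reconcile a 30 on one line with a 1000 several hundred lines later.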