Platform: Code4rena
Start Date: 07/08/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 125
Period: 3 days
Judge: alcueca
Total Solo HM: 4
Id: 274
League: ETH
Rank: 117/125
Findings: 1
Award: $4.23
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RED-LOTUS-REACH
Also found by: 0x3b, 0x4non, 0xCiphky, 0xDING99YA, 0xDetermination, 0xE1, 0xG0P1, 0xStalin, 0xWaitress, 0xbrett8571, 0xhacksmithh, 0xkazim, 0xmuxyz, 0xweb3boy, 14si2o_Flint, AlexCzm, Alhakista, Bube, Bughunter101, Deekshith99, Eeyore, Giorgio, HChang26, InAllHonesty, JP_Courses, KmanOfficial, MatricksDeCoder, Mike_Bello90, MrPotatoMagic, Naubit, QiuhaoLi, RHaO-sec, Raihan, Rolezn, SUPERMAN_I4G, Shubham, Silverskrrrt, Strausses, T1MOH, Topmark, Tripathi, Watermelon, _eperezok, aakansha, auditsea, audityourcontracts, ayden, carlos__alegre, castle_chain, cducrest, ch0bu, d23e, deadrxsezzz, deth, devival, erebus, fatherOfBlocks, halden, hassan-truscova, hpsb, hunter_w3b, imkapadia, immeas, jat, kaden, kaveyjoe, klau5, koxuan, kutugu, ladboy233, lanrebayode77, leasowillow, lsaudit, markus_ether, matrix_0wl, merlin, nemveer, ni8mare, nonseodion, oakcobalt, owadez, p_crypt0, pipidu83, piyushshukla, popular00, ppetrov, rjs, sandy, sl1, supervrijdag, tay054, thekmj, wahedtalash77, windhustler, zhaojie
4.2289 USDC - $4.23
ERROR-PRONE TYPECASTING
GaugeController.sol#L222-L222
uint256 slope = uint256(uint128(slope_));
The variable/value slope_ is found to be typecast more than once, which is not standard and makes the contract's logic more complex and error-prone.
Manual Report
It is recommended to go through the code logic to make sure the typecasting is working as expected and the resultant values are whole.
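The cast quoted above, as an added Solidity example that is not code from GaugeController.sol. It assumes slope_ is a signed int128 (the report does not state its type); SlopeCast, SlopeCastDemo and NegativeSlope are hypothetical names. Since Solidity 0.8.0 an explicit conversion may change only the sign or only the width in one step, and such a conversion does not revert on a negative input but reinterprets its bits as a large positive number, so the check that matters is the sign check before the cast.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.18;

/// Added illustration; not code from the audited repository.
/// Assumption: slope_ is an int128 (not stated in the report).
library SlopeCast {
    error NegativeSlope(int128 slope);

    /// Converts a signed slope to uint256, reverting on negative input
    /// instead of letting the two's-complement bit pattern through.
    function toUint256(int128 slope_) internal pure returns (uint256) {
        if (slope_ < 0) revert NegativeSlope(slope_);
        // Step 1: int128 -> uint128 changes only the sign.
        // Step 2: uint128 -> uint256 changes only the width.
        return uint256(uint128(slope_));
    }
}

contract SlopeCastDemo {
    /// The cast exactly as quoted in the finding: no sign check,
    /// so a negative slope_ comes back as a wrapped positive value.
    function uncheckedCast(int128 slope_) external pure returns (uint256) {
        return uint256(uint128(slope_));
    }

    /// Same conversion, but negative input reverts with NegativeSlope.
    function checkedCast(int128 slope_) external pure returns (uint256) {
        return SlopeCast.toUint256(slope_);
    }
}
```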
LONG NUMBER LITERALS
VotingEscrow.sol#L37-L37
Point[1000000000000000000] public pointHistory;
VotingEscrow.sol#L38-L38
mapping(address => Point[1000000000]) public userPointHistory;
Solidity supports multiple rational and integer literals, including decimal fractions and scientific notation. The code uses very large number literals with many digits, which could have been optimized using a different notation also supported by Solidity.
Manual Report
Scientific notation in the form of 2e10 is also supported, where the mantissa can be fractional but the exponent has to be an integer. The literal MeE is equivalent to M * 10**E. Examples include 2e10, -2e10, 2e-10, 2.5e1, as given in the official Solidity documentation: https://docs.soliditylang.org/en/latest/types.html#rational-and-integer-literals
USE OF FLOATING PRAGMA
LendingLedger.sol#L2-L2
pragma solidity ^0.8.16;
GaugeController.sol#L2-L2
pragma solidity ^0.8.16;
VotingEscrow.sol#L2-L2
pragma solidity ^0.8.16;
Solidity source files indicate the versions of the compiler they can be compiled with using a pragma directive at the top of the solidity file. This can either be a floating pragma or a specific compiler version.
The contract was found to be using a floating pragma which is not considered safe as it can be compiled with all the versions described.
The following affected files were found to be using floating pragma:
/src/LendingLedger.sol - ^0.8.16
/src/GaugeController.sol - ^0.8.16
/src/VotingEscrow.sol - ^0.8.16
Manual Report
It is recommended to use a fixed pragma version, as future compiler versions may handle certain language constructions in a way the developer did not foresee.
Using a floating pragma may introduce several vulnerabilities if compiled with an older version.
Developers should always use an exact Solidity compiler version when designing their contracts, as future versions may introduce breaking changes.
Instead of ^0.8.16, use pragma solidity 0.8.18, which is a stable and recommended version right now.
OUTDATED COMPILER VERSION
LendingLedger.sol#L2-L2
pragma solidity ^0.8.16;
GaugeController.sol#L2-L2
pragma solidity ^0.8.16;
VotingEscrow.sol#L2-L2
pragma solidity ^0.8.16;
Using an outdated compiler version can be problematic especially if there are publicly disclosed bugs and issues that affect the current compiler version.
The following outdated versions were detected:
/src/LendingLedger.sol - ^0.8.16
/src/GaugeController.sol - ^0.8.16
/src/VotingEscrow.sol - ^0.8.16
Manual Report
It is recommended to use a recent version of the Solidity compiler, but neither the most recent version nor an outdated one. Using very old versions of Solidity forgoes the benefits of bug fixes and newer security checks. Consider using Solidity version 0.8.18, which patches most Solidity vulnerabilities.
UNUSED RECEIVE FALLBACK
LendingLedger.sol#L209-L209
receive() external payable {}
The contract was found to be defining an empty receive function.
It is not recommended to leave them empty unless there's a specific use case, such as receiving Ether via an empty receive() function.
Slither Report
It is recommended to go through the code to make sure these functions are properly implemented and are not missing any validations in the definition.
#0 - c4-judge
2023-08-22T14:25:06Z
alcueca marked the issue as grade-b