Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 198
Period: 3 days
Judge: 0xean
Total Solo HM: 2
Id: 164
League: ETH
Rank: 62/198
Findings: 2
Award: $46.35
Selected for report: 0
Solo Findings: 0
Selected for report: AkshaySrivastav
Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x5rings, 0x85102, 0xA5DF, 0xDecorativePineapple, 0xNazgul, 0xSky, 0xSmartContract, 0xbepresent, 0xf15ers, 0xmatt, 2997ms, Aeros, Aymen0909, B2, Bahurum, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, Diraco, Dravee, ElKu, Funen, IllIllI, JC, JLevick, JohnSmith, JohnnyTime, KIntern_NA, Lambda, Margaret, MasterCookie, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, SooYa, StevenL, TomJ, Tomo, V_B, Waze, Yiko, __141345__, a12jmx, ajtra, ak1, async, ayeslick, aysha, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, cccz, ch13fd357r0y3r, chatch, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dic0de, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, gogo, got_targ, hansfriese, ignacio, ikbkln, indijanc, innertia, joestakey, karanctf, ladboy233, leosathya, lukris02, martin, medikko, millersplanet, nalus, natzuu, neko_nyaa, neumo, obront, oyc_109, pcarranzav, peanuts, pedr02b2, pedroais, peiw, peritoflores, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, rokinot, romand, rotcivegaf, rvierdiiev, sach1r0, seyni, sikorico, slowmoses, sorrynotsorry, supernova, tibthecat, tnevler, ubermensch, yongskiws, zzykxx, zzzitron
37.2555 USDC - $37.26
During the audit, 1 low and 8 non-critical issues were found.
# | Title | Risk Rating | Instance Count |
---|---|---|---|
L-1 | Large number of elements may cause out-of-gas error | Low | 1 |
NC-1 | Order of Functions | Non-Critical | 5 |
NC-2 | Order of Layout | Non-Critical | 3 |
NC-3 | Floating pragma | Non-Critical | 1 |
NC-4 | Typo | Non-Critical | 1 |
NC-5 | Public functions can be external | Non-Critical | 2 |
NC-6 | Missing NatSpec | Non-Critical | 2 |
NC-7 | Open TODO | Non-Critical | 1 |
NC-8 | Maximum line length exceeded | Non-Critical | 5 |
Loops that do not have a fixed number of iterations, for example loops that depend on storage values, have to be used carefully. Because of the block gas limit, a transaction can only consume a certain amount of gas. Whether through deliberate manipulation or just normal growth, the number of iterations in such a loop can exceed what fits in one block, at which point the function reverts on every call and any logic that depends on it is permanently stalled.
Restrict the maximum number of elements, or process the elements in bounded batches across several transactions.
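As an added illustration (not the audited project's code; contract, function and constant names are hypothetical), the following contract shows both mitigations side by side: a cap enforced where the array grows, so that a full-list loop stays bounded, and a paginated variant that needs no cap because the caller chooses the window. MAX_RECIPIENTS is an assumed value; in practice it is derived from the per-iteration gas cost and the target chain's block gas limit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

// Added example, not the audited project's code. Names are illustrative and
// MAX_RECIPIENTS is an assumed cap chosen from per-iteration cost and the
// target chain's block gas limit.
contract BoundedDistributor {
    uint256 public constant MAX_RECIPIENTS = 200;

    error NotOwner();
    error TooManyRecipients(uint256 current, uint256 max);
    error BadRange(uint256 from, uint256 to, uint256 length);

    address public immutable owner;
    address[] public recipients;
    mapping(address => uint256) public owed;

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // The cap is enforced where the list grows, so no later loop over
    // `recipients` can run more than MAX_RECIPIENTS iterations.
    function addRecipient(address who) external onlyOwner {
        uint256 n = recipients.length;
        if (n >= MAX_RECIPIENTS) revert TooManyRecipients(n, MAX_RECIPIENTS);
        recipients.push(who);
    }

    // Full-list loop: safe only because the cap above bounds `recipients.length`.
    // Without the cap its gas cost grows without limit and, once it exceeds the
    // block gas limit, this function can never succeed again.
    function distributeAll(uint256 amountEach) external onlyOwner {
        uint256 n = recipients.length;
        for (uint256 i; i < n; ) {
            owed[recipients[i]] += amountEach;
            unchecked { ++i; }
        }
    }

    // Alternative that needs no cap: the caller picks the window [from, to)
    // and a long list is processed over several transactions.
    function distributeRange(uint256 from, uint256 to, uint256 amountEach) external onlyOwner {
        uint256 n = recipients.length;
        if (from >= to || to > n) revert BadRange(from, to, n);
        for (uint256 i = from; i < to; ) {
            owed[recipients[i]] += amountEach;
            unchecked { ++i; }
        }
    }
}
```

The check that matters is the one in addRecipient: a cap applied only inside the loop would still leave earlier entries unprocessable once the list is too long. The paginated variant validates its window so that an out-of-range `to` reverts with a clear error instead of an index panic.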
According to the Style Guide, ordering helps readers identify which functions they can call and find the constructor and fallback definitions more easily.
Functions should be grouped according to their visibility and ordered: constructor, receive, fallback, external, public, internal, private. Within each group, view and pure functions go last.
Reorder functions where possible.
According to the Order of Layout, inside each contract, library or interface, use the following order: type declarations, state variables, events, modifiers, functions.
Place modifiers before the constructor.
Contracts should be deployed with the same compiler version they were tested with. Locking the pragma helps ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs affecting the contract system.
According to SWC-103, the pragma version should be locked to a specific compiler version (pragma solidity 0.8.x; rather than ^0.8.x).
Typo in the comment.
// Next, we need to calculated the duration truncated to nearest releaseIntervalSecs
Change to:
"// Next, we need to calculate the duration truncated to nearest releaseIntervalSecs"
If functions are never called from within the contract where they are defined, they can be declared external; external functions can read their arguments directly from calldata instead of copying them to memory.
Make public functions external where possible.
Add NatSpec for all functions.
Resolve the open TODO before deployment, or remove it if it no longer applies.
Some lines of code are too long.
According to the Style Guide, the maximum suggested line length is 120 characters.
Make the lines shorter.
Selected for report: IllIllI
Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x85102, 0xA5DF, 0xDanielC, 0xNazgul, 0xSmartContract, 0xbepresent, 0xc0ffEE, 0xsam, 2997ms, AkshaySrivastav, Amithuddar, Atarpara, Aymen0909, B2, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, DimitarDimitrov, Diraco, Funen, JC, JLevick, JohnSmith, Junnon, KIntern_NA, Lambda, MasterCookie, Matin, Noah3o6, Ocean_Sky, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, Saintcode_, Satyam_Sharma, Sm4rty, SnowMan, SooYa, Sta1400, StevenL, Tadashi, Tagir2003, TomJ, Tomio, Tomo, V_B, Waze, WilliamAmbrozic, Yiko, __141345__, a12jmx, adriro, ajtra, ak1, async, aysha, beardofginger, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, caventa, ch0bu, cryptostellar5, cryptphi, csanuragjain, d3e4, delfin454000, dharma09, djxploit, durianSausage, eighty, emrekocak, erictee, exd0tpy, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, got_targ, hxzy, ignacio, ikbkln, imare, indijanc, jag, jpserrat, karanctf, ladboy233, leosathya, lucacez, lukris02, m9800, malinariy, martin, medikko, mics, millersplanet, mrpathfindr, nalus, natzuu, neko_nyaa, oyc_109, pauliax, peanuts, pedroais, peiw, pfapostol, prasantgupta52, rbserver, ret2basic, rokinot, rotcivegaf, rvierdiiev, sach1r0, samruna, seyni, slowmoses, subtle77, supernova, tgolding55, tibthecat, tnevler, w0Lfrum, yaemsobak, zishansami
9.086 USDC - $9.09
During the audit, 6 gas issues were found.
# | Title | Instance Count |
---|---|---|
G-1 | Postfix increment | 1 |
G-2 | Initializing variables with default value | 3 |
G-3 | > 0 is more expensive than != 0 | 11 |
G-4 | x += y is more expensive than x = x + y | 7 |
G-5 | Using unchecked blocks saves gas | 1 |
G-6 | Custom errors may be used | 24 |
Prefix increment costs less gas than postfix increment, because the postfix form has to keep a copy of the old value.
Consider using prefix increment where it is relevant, for example loop counters whose old value is not used.
It costs gas to initialize integer variables with 0 or bool variables with false, and it is not necessary: those are already the default values.
Remove explicit initialization to default values.
For example:
for (uint256 i; i < array.length; ++i) { ... }
> 0 is more expensive than != 0 for unsigned integers.
Use != 0 instead of > 0 where possible. The saving is small and depends on the compiler version and optimizer settings, so measure before and after the change.
x += y is more expensive than x = x + y for state variables.
Use x = x + y instead of x += y, and x = x - y instead of x -= y.
In Solidity 0.8+, there is a default overflow and underflow check on unsigned integers. When an overflow or underflow is not possible, some gas can be saved by using unchecked blocks. A loop counter bounded by i < n is the typical case: the increment cannot overflow because i never exceeds n.
Change:
for (uint256 i; i < n; ++i) {
    // ...
}
to:
for (uint256 i; i < n;) {
    // ...
    unchecked { ++i; }
}
Custom errors, available from Solidity 0.8.4, are cheaper than revert strings: the string does not need to be stored in the bytecode, and less data is ABI-encoded on revert.
For example, change:
require(address(_tokenAddress) != address(0), "INVALID_ADDRESS");
to:
error InvalidAddress();
...
if (address(_tokenAddress) == address(0)) revert InvalidAddress();
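The six gas findings above all appear together in a typical accumulation loop, so the following added example (not the audited project's code; contract and function names are hypothetical) puts the flagged forms and their cheaper equivalents side by side in one compilable contract. sumBefore uses the patterns from G-1 through G-6; sumAfter produces the same result with the recommended forms and additionally caches values.length and accumulates in memory so that storage is written once, which saves more than the G-4 rewrite alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

// Added example, not the audited project's code. `sumBefore` uses the six
// patterns flagged in the report; `sumAfter` computes the same result with
// the cheaper forms, plus two optimisations the report does not list:
// caching `values.length` and accumulating in memory.
contract GasPatterns {
    error ZeroAddress();   // G-6: custom errors instead of revert strings
    error EmptyArray();

    uint256[] public values;
    uint256 public total;
    address public token;

    function push(uint256 v) external {
        values.push(v);
    }

    // G-6 before/after on an address check.
    function setTokenBefore(address _token) external {
        require(_token != address(0), "INVALID_ADDRESS");
        token = _token;
    }

    function setTokenAfter(address _token) external {
        if (_token == address(0)) revert ZeroAddress();
        token = _token;
    }

    // Before: explicit `= 0` (G-2), `i++` (G-1), `> 0` (G-3), `+=` on a state
    // variable (G-4), checked increment (G-5), revert string (G-6).
    function sumBefore() external returns (uint256) {
        require(values.length > 0, "EMPTY");
        for (uint256 i = 0; i < values.length; i++) {
            total += values[i];
        }
        return total;
    }

    // After: same result. `i` starts at its default 0, `++i`, the `!= 0`
    // check expressed as `== 0` + custom error, `x = x + y`, and the
    // increment in an unchecked block because `i < len` rules out overflow.
    function sumAfter() external returns (uint256) {
        uint256 len = values.length;
        if (len == 0) revert EmptyArray();
        uint256 acc = total;
        for (uint256 i; i < len; ) {
            acc = acc + values[i];
            unchecked {
                ++i;
            }
        }
        total = acc;
        return acc;
    }
}
```

Deploying this contract in Remix or running it under `forge test --gas-report` with a few pushed values shows the per-call difference between sumBefore and sumAfter; the gap grows with the array length because every flagged pattern except G-6 sits inside the loop.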