Platform: Code4rena
Start Date: 14/04/2023
Pot Size: $90,500 USDC
Total HM: 7
Participants: 59
Period: 14 days
Judge: LSDan
Total Solo HM: 3
Id: 232
League: ETH
Rank: 30/59
Findings: 1
Award: $59.79
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Sathish9098
Also found by: 0x73696d616f, 0xAgro, 0xSmartContract, 0xTheC0der, ABA, ArbitraryExecution, Aymen0909, BRONZEDISC, Bauchibred, Dyear, Eurovickk, IceBear, Jerry0x, Jorgect, Josiah, MalfurionWhitehat, MohammedRizwan, RaymondFam, Recep, Rickard, SAAJ, Shubham, Udsen, auditor0517, brgltd, catellatech, chaduke, codeslide, eierina, favelanky, j4ld1na, lukris02, matrix_0wl, naman1778, pontifex, schrodinger, tnevler, urataps
59.7928 USDC - $59.79
During the audit, 3 low and 9 non-critical issues were found.
| â„– | Title | Risk Rating | Instance Count |
|---|---|---|---|
| L-1 | Use the two-step-transfer of ownership | Low | 1 |
| L-2 | Missing check for zero address | Low | 2 |
| L-3 | Add more information in the events | Low | 3 |
| NC-1 | Typos | Non-Critical | 3 |
| NC-2 | Unused event | Non-Critical | 1 |
| NC-3 | Order of Layout | Non-Critical | 5 |
| NC-4 | Unused named return variables | Non-Critical | 8 |
| NC-5 | Use mixedCase for state variables and SNAKE_CASE for constants | Non-Critical | 7 |
| NC-6 | Visibility is not set | Non-Critical | 11 |
| NC-7 | Missing leading underscores | Non-Critical | 15 |
| NC-8 | Natspec is incomplete | Non-Critical | 5 |
| NC-9 | Missing NatSpec | Non-Critical | 31 |
If the owner accidentally transfers ownership to an incorrect address, protected functions may become permanently inaccessible.
import "./Owned.sol";Consider using a two-step-transfer of ownership: the current owner would nominate a new owner, and to become the new owner, the nominated account would have to approve the change, so that the address is proven to be valid.
If address(0x0) is set it may cause the contract to revert or work wrong.
Add checks.
Some events are missing important information.
emit NewPublicSuffixList(address(suffixes)); (include old suffixes value)emit AlgorithmUpdated(id, address(algo)); (include old id and algo values)emit DigestUpdated(id, address(digest)); (include old id and digest values)* contents of the two bytes are equal. Comparison is done per-rune, (per-rune)* @dev Compares a range of 'self' to all of 'other' and returns True iff (iff => if)* @return True iff the signature is valid. (iff => if)Check if the event was meant to be used but forgotten. Consider deleting it if it is not needed.
According to Order of Layout, inside each contract, library or interface, use the following order:
Modifiers should be placed before functions and constructor:
Constants should be placed before functions:
Place modifiers and all constants before constructor.
Both named return variable(s) and return statement are used.
return _enableNode(domain, 0);return uint8(self[idx]);return self.substring(offset, len);return true;return false;return verifyRRSet(input, block.timestamp);return (proof, inception);return rrset;To improve clarity use only named return variables.
For example, change:
function functionName() returns (uint id) { return x;
to
function functionName() returns (uint id) { id = x;
According to Naming Conventions, state variables should use mixedCase (See), and constants should use SNAKE_CASE (See).
Use mixedCase:
uint256 otheroffset,uint256 otherlenuint256[2] memory Quint256[3] memory P = addAndReturnProjectivePoint(x1, y1, x2, y2);uint256 Px = inverseMod(P[2], p);Use SNAKE_CASE:
For example, change to:
uint256 otherOffset
uint256 constant a =uint256 constant b =uint256 constant gx =uint256 constant gy =uint256 constant p =uint256 constant n =uint256 constant lowSmax =uint16 constant DNSCLASS_IN = 1;uint16 constant DNSTYPE_DS = 43;uint16 constant DNSTYPE_DNSKEY = 48;uint256 constant DNSKEY_FLAG_ZONEKEY = 0x100;It is better to specify visibility explicitly.
Internal and private functions should have a leading underscore.
function parseRR(function readTXT(function parseAndResolve(function resolveName(function textNamehash(function parseSignature(function parseKey(function validateSignedSet(function validateRRs(function verifySignature(function verifyWithKnownKey(function verifySignatureWithKey(function verifyWithDS(function verifyKeyWithDS(function verifyDSHash(Add leading underscores where needed.
Not all function parameters are described in NatSpec.
i1 and i2)message, rs, and Q)base, exponent, and modulus)rrset)keyrdata) missing)NatSpec is missing for 31 functions in 12 contracts:
Add NatSpec for all functions.
#0 - thereksfour
2023-05-02T03:38:42Z
L-2 NC-1 is valid
#1 - c4-judge
2023-05-09T10:40:22Z
dmvt marked the issue as grade-b