Platform: Code4rena
Start Date: 06/03/2023
Pot Size: $36,500 USDC
Total HM: 8
Participants: 93
Period: 3 days
Judge: cccz
Total Solo HM: 3
Id: 218
League: ETH
Rank: 57/93
Findings: 1
Award: $21.70
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 0x1f8b, 0xAgro, 0xSmartContract, 0xfuje, 0xkazim, 0xnev, Aymen0909, Bason, Cyfrin, DadeKuma, LethL, Madalad, MohammedRizwan, Rolezn, SAAJ, SunSec, Udsen, Yukti_Chinta, ast3ros, bin2chen, brgltd, bshramin, btk, bugradar, catellatech, cryptostellar5, descharre, dontonka, erictee, fatherOfBlocks, georgits, glcanvas, hl_, horsefacts, igingu, juancito, lukris02, martin, nadin, nomoi, peanuts, pipoca, sakshamguruji, seeu, slvDev, tnevler, zaskoh
21.7018 USDC - $21.70
Wenwin QA report was done by martin, with a main focus on the low severity and non-critical security aspects of the implementaion and logic of the project.
The following issues were found, categorized by their severity:
_safeMint() should be used rather than _mint() wherever possibleWhen minting NFTs, the code uses _safeMint function of the OZ reference implementation. This function is safe because it checks whether the receiver can receive ERC721 tokens. The can prevent the case that a NFT will be minted to a contract that cannot handle ERC721 tokens. However, this external function call creates a security loophole. Specifically, the attacker can perform a reentrant call inside the onERC721Received callback. More detailed information why a reeentrancy can occur - https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a.
74: _mint(msg.sender, amount);
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol
19: _mint(msg.sender, INITIAL_SUPPLY); 26: _mint(account, amount);
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryToken.sol
revert() should be used instead of assert()The comment above clarifies that it must hold after this call, in such case it's better to add the check and revert providing a description of necessary.
147: assert(initialPot > 0);
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol
ClaimedRewards event is called earlyEvent is actually emit before the action, event emits should be moved after the action. Otherwise it might cause incorrectly emitted event.
155: emit ClaimedRewards(beneficiary, claimedAmount, rewardType);
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol
Should be a modifier instead.
279: function requireFinishedDraw(uint128 drawId) internal view override {
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol
Using a floating pragma statement is discouraged as code can compile to different bytecodes with different compiler versions. Use a stable pragma statement to get a deterministic bytecode. Also use the latest Solidity version in all files if possible to get all compiler features, bugfixes, and optimizations.
return variables anywhere in the function is confusingConsider changing the variable to be an unnamed one
120: function fixedReward(uint8 winTier) public view override returns (uint256 amount) {
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol
Add NatSpec docs for all external functions so their intentions are clear.
#0 - thereksfour
2023-03-12T09:41:53Z
1 L 2 INFO 4 NC
#1 - c4-judge
2023-03-12T09:42:03Z
thereksfour marked the issue as grade-c
#2 - c4-judge
2023-03-12T11:45:46Z
thereksfour marked the issue as grade-b
#3 - c4-sponsor
2023-03-14T10:26:05Z
0xluckydev marked the issue as sponsor confirmed
#4 - 0xluckydev
2023-03-14T10:26:09Z
Low