Platform: Code4rena
Start Date: 07/10/2022
Pot Size: $50,000 USDC
Total HM: 4
Participants: 62
Period: 5 days
Judge: 0xean
Total Solo HM: 2
Id: 169
League: ETH
Rank: 12/62
Findings: 1
Award: $602.12
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0x1f8b, 0x4non, 0xNazgul, Bnke0x0, Chom, IllIllI, Josiah, Rahoz, RaymondFam, Trust, Waze, ajtra, bobirichman, brgltd, bulej93, c3phas, cccz, chrisdior4, delfin454000, fatherOfBlocks, gogo, ladboy233, mcwildy, mics, nicobevi, oyc_109, rbserver, rotcivegaf, zzzitron
602.1213 USDC - $602.12
A state variable of type 'address' is set without checking that the value is non-zero. This can lead to undesired behavior.
Missing zero-address checks may leave the protocol non-functional. In this case the function is an initializer, so the value can be passed only once and should be validated at that point, since an incorrectly set address cannot be updated afterwards.
For instance, GraphCurationToken.sol#L26
The following calls ignore the return value of the called function, which might indicate that the call failed.
The process of transferring ownership is dangerous since typing the wrong address can lead to severe implications. It is better to have a two-step verification process with set and claim functions to decrease the chances of human error. Consider changing to a two-step verification process for transferring privileges. Human mistakes can happen.
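The set-and-claim pattern described above, as an added example that is not code from the audited project: the current owner nominates a pending owner, and only that nominated account can claim the role, so a mistyped address leaves control with the current owner rather than locking the contract. Contract and event names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not from the audited codebase): two-step transfer of an
// owner role. Step 1 records a pending owner; step 2 lets only that account
// complete the transfer.
contract TwoStepOwnable {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed currentOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    error NotOwner();
    error NotPendingOwner();
    error ZeroAddress();

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Step 1 (set): the owner nominates a successor. Nothing changes yet.
    function transferOwnership(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddress();
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    // Step 2 (claim): only the nominated account can complete the transfer.
    // If the nominated address was mistyped, nobody can call this, and the
    // owner simply nominates a different address.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotPendingOwner();
        address previousOwner = owner;
        owner = msg.sender;
        pendingOwner = address(0);
        emit OwnershipTransferred(previousOwner, msg.sender);
    }
}
```

OpenZeppelin ships the same pattern as Ownable2Step, which is the simpler choice when the project already depends on that library.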
You should use if-revert or require statements instead of assertions in production.
Some token contracts do not support zero-value transfers, in which case the transaction reverts with no explanation. We recommend adding a require statement checking that the amount is not 0.
I didn't see a use of payable in the following functions; consider changing it.
There is no check that the array access is within bounds.
Use OpenZeppelin's safeTransfer() method instead of transfer() in the following locations.
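An added example, not code from the audited project, covering three of the points above at once: the ignored return value of a token call, the zero-amount transfer, and the use of OpenZeppelin's safeTransfer(). The Vault contract, its balances mapping and the reason strings are assumptions; the OpenZeppelin import paths are the library's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added example (not from the audited codebase). Contrasts a raw transfer()
// call, whose boolean return value is ignored and whose behaviour on a zero
// amount depends on the token, with a version that rejects zero amounts up
// front and uses SafeERC20, which reverts if the token returns false or
// returns no data at all.
contract Vault {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        require(address(_token) != address(0), "Vault: zero token address");
        token = _token;
    }

    // Weak pattern: the return value is unchecked, so a token that returns
    // false instead of reverting leaves the user's balance reduced with no
    // tokens sent, and a token that reverts on amount == 0 gives no reason.
    function withdrawUnsafe(uint256 amount) external {
        balances[msg.sender] -= amount;
        token.transfer(msg.sender, amount); // return value ignored
    }

    // Hardened pattern: explicit zero check with a reason string, then
    // safeTransfer, which bubbles up a revert on any failure.
    function withdraw(uint256 amount) external {
        require(amount != 0, "Vault: zero amount");
        require(balances[msg.sender] >= amount, "Vault: insufficient balance");
        balances[msg.sender] -= amount;
        token.safeTransfer(msg.sender, amount);
    }
}
```

The balance is reduced before the external call in both functions so that a reentrant call cannot withdraw the same balance twice; the difference the finding is about is only in how the token call's outcome is handled.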
A good practice is to use constant variables instead of hardcoded strings in the code.
Events are not emitted when state variables are changed. Emitting events allows monitoring activities with off-chain monitoring tools.
To record the initialize parameters for off-chain monitoring and transparency reasons, you might find it useful to emit an event at the end of the initialize() functions.
For instance, GraphCurationToken.sol#L26
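An added example, not the audited GraphCurationToken code, showing the initializer-related points of this report together: the zero-address check on a value that can be set only once, require rather than assert for input validation, and an event at the end of initialize() and on every later state change. The contract, its fields, the once-only guard and the reason strings are assumptions standing in for the real file.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not the audited contract). An initializer runs only once,
// so the addresses it stores must be validated here, and the parameters are
// emitted so off-chain monitoring can see what was set.
contract CurationTokenExample {
    bool private _initialized;
    address public curation;
    address public governor;

    event CurationInitialized(address indexed curation, address indexed governor);
    event GovernorUpdated(address indexed previousGovernor, address indexed newGovernor);

    // Minimal once-only guard standing in for a library Initializable.
    modifier initializer() {
        require(!_initialized, "Curation: already initialized");
        _initialized = true;
        _;
    }

    function initialize(address _curation, address _governor) external initializer {
        // require, not assert: assert is for invariants that must never fail
        // and consumes all gas on failure; input validation should revert
        // with a reason string.
        require(_curation != address(0), "Curation: zero curation address");
        require(_governor != address(0), "Curation: zero governor address");
        curation = _curation;
        governor = _governor;
        emit CurationInitialized(_curation, _governor);
    }

    // Any later state change also emits an event with the old and new value
    // so monitoring tools can track it.
    function setGovernor(address _governor) external {
        require(msg.sender == governor, "Curation: only governor");
        require(_governor != address(0), "Curation: zero governor address");
        emit GovernorUpdated(governor, _governor);
        governor = _governor;
    }
}
```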
#0 - pcarranzav
2022-10-19T18:10:38Z
Some of the QA issues reported here are valid as noted in other reports, but it's worth noting several of the reported issues are for files that are out of scope.