Back to nogo's contests

Astaria contest - nogo's results

On a mission is to build a highly liquid NFT lending market.

General Information

Platform: Code4rena

Start Date: 05/01/2023

Pot Size: $90,500 USDC

Total HM: 55

Participants: 103

Period: 14 days

Judge: Picodes

Total Solo HM: 18

Id: 202

League: ETH

Astaria

Findings Distribution

Researcher Performance

Rank: 60/103

Findings: 2

Award: $88.11

QA:
grade-b
Gas:
grade-b

๐ŸŒŸ Selected for report: 0

๐Ÿš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAstaria

Findings Information

๐ŸŒŸ Selected for report: ladboy233

Also found by: 0x1f8b, 0xAgro, 0xSmartContract, 0xbepresent, 0xkato, Aymen0909, CodingNameKiki, Cryptor, Deekshith99, Deivitto, HE1M, IllIllI, Kaysoft, Koolex, PaludoX0, Qeew, RaymondFam, Rolezn, Sathish9098, Tointer, a12jmx, arialblack14, ast3ros, ayeslick, bin2chen, btk, caventa, ch0bu, chaduke, chrisdior4, delfin454000, descharre, evan, fatherOfBlocks, georgits, gz627, jasonxiale, joestakey, kaden, lukris02, nicobevi, nogo, oberon, oyc_109, pfapostol, rbserver, sakshamguruji, seeu, shark, simon135, slvDev, synackrst, tnevler, whilom, zaskoh

Awards

51.3151 USDC - $51.32

Labels

bug
grade-b
QA (Quality Assurance)
Q-37

External Links

Link to GitHub issue

QA

[L-01] Documentation and code mismatch

The documentation is stating that a borrower can take up to 5 loans against the same NFT, but the code is not limiting the borrower. Considering adding a check to limit the number of loans or update the documentation.

[L-02] init method is callable multiple times

Upgradable contracts should be initialized only once. Consider adding a check to prevent multiple calls to the init method. Even if the method is technically not callable by anyone and it is setting the delegate address and the allow list. It is still a good practice to add a check to prevent multiple calls.

[L-03] Open TODOs

Code architecture, incentives, and error handling/reporting questions/issues should be resolved before deployment.

// check for rounding error since we round down in previewRedeem.

[L-04] Useless casting

ERC20 tokenContract = ERC20(tokenAddress);

[L-05] Prefer external over public for function not called internally by the contract

[L-06] Follow the order layout in contract

As mentioned in solidity documention, it is recommended to follow the order layout in contract.

  1. Type declarations
  2. State variables
  3. Events
  4. Modifiers
  5. Functions

[N-01] NATSPEC IS MISSING

NatSpec is missing for some functions.

[N-02] Using switch statement instead of if-else

Considering the number of conditions, it is recommended to use switch statement instead of if-else.

[N-03] Use pure instead of view for functions that do not read from storage

[N-04] Remove functions that are not used

[N-05] Pragma experimental abiencoderV2 is deprecated

Use pragma abicoder v2 instead

[N-06] require()/revert() statements should have descriptive reason strings

#0 - c4-judge

2023-01-26T14:38:23Z

Picodes marked the issue as grade-b

Findings Information

๐ŸŒŸ Selected for report: c3phas

Also found by: 0x1f8b, 0xAgro, 0xSmartContract, 0xackermann, 0xkato, Aymen0909, Bnke0x0, CloudX, IllIllI, PaludoX0, Rageur, Rahoz, RaymondFam, ReyAdmirado, Rolezn, SadBase, SaeedAlipoor01988, caventa, chaduke, chrisdior4, fatherOfBlocks, fs0c, kaden, nogo, pfapostol, shark, synackrst

Awards

36.79 USDC - $36.79

Labels

bug
G (Gas Optimization)
grade-b
G-16

External Links

Link to GitHub issue

Gas optimizations

[G-01] Using > 0 costs more gas than != 0 when used on a uint in a require() statement

[G-02] Functions guaranteed to revert when called by normal users can be marked payable

No additional checks are required since the function can accept both zero or non-zero values of ether.

[G-03] Reject earlier when possible

_validateCommitment can be called at the begining of the function to save gas. This will also improve readability.

[G-04] Unused imports can be removed

[G-05] Use custom errors rather than rever()/require() strings to save gas

Custom errors are available from solidity version 0.8.0. Custom errors save ~50 gas each time theyโ€™re hit by avoiding having to allocate and store the revert string. Not defining the strings also save deployment gas.

[G-05] Using bool for storage brings overhead

Booleans are more expensive than uint256 or any type that takes up a full word because each write operation emits an extra SLOAD to first read the slot's contents, replace the bits taken up by the boolean, and then write back. This is the compiler's defense against contract upgrades and pointer aliasing, and it cannot be disabled. Use uint256(1) and uint256(2) for true/false instead

[G-06] Use assembly for address 0 check

Example

assembly {
 if iszero(_addr) {
  mstore(0x00, "zero address")
  revert(0x00, 0x20)
 }
}

[G-07] Internal function never used can be removed

Try to keep the number of internal and private functions to a minimum to balance function complexity and quantity. In turn, this will help you reduce gas fees upon execution by reducing the number of function calls. However, keep in mind that having too large functions makes testing more difficult and even jeopardizes security.

function _settleAuction(CollateralStorage storage s, uint256 collateralId)
  internal
{
  delete s.collateralIdToAuction[collateralId];
}

[G-08] Use named returns for local variables

[G-09] Remove unused variables

#0 - c4-judge

2023-01-25T23:52:16Z

Picodes marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax ยฉ 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter