Platform: Code4rena
Start Date: 29/06/2022
Pot Size: $50,000 USDC
Total HM: 20
Participants: 133
Period: 5 days
Judge: hickuphh3
Total Solo HM: 1
Id: 142
League: ETH
Rank: 88/133
Findings: 1
Award: $47.18
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: xiaoming90
Also found by: 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xSolus, 0xf15ers, 0xsanson, AmitN, Bnke0x0, BowTiedWardens, Chom, David_, ElKu, Funen, GalloDaSballo, GimelSec, Hawkeye, IllIllI, JC, JohnSmith, Kaiziron, Kenshin, Lambda, Limbooo, MadWookie, Metatron, MiloTruck, Nethermind, Picodes, ReyAdmirado, Sneakyninja0129, StErMi, TomJ, Treasure-Seeker, TrungOre, Waze, Yiko, _Adam, __141345__, antonttc, async, aysha, catchup, cccz, cryptphi, csanuragjain, danb, datapunk, defsec, delfin454000, dirk_y, doddle0x, durianSausage, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, horsefacts, hubble, itsmeSTYJ, joestakey, oyc_109, pedroais, peritoflores, rajatbeladiya, reassor, robee, rokinot, samruna, saneryee, sashik_eth, shenwilly, shung, simon135, sseefried, unforgiven, zer0dot, zzzitron
47.178 USDC - $47.18
QA report
Code: https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L268
Description: Above code used both parameterized return and a return statement. Since this function is only returning one value, no need to do return twice.
return positionId
Mitigation: Only keep one return
Code: https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L427 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L293 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L327 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L351 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L498 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L598-599
Mitigation: Checking for !=0 saves some gas.
Code: https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L318
Description: In above function, event FilledOrder() is emitted before the transaction is complete. If the purpose of event is just to inform about the order, then this is fine. But if the purpose if leave trace about entire transaction, then this should be last statement in the function.
Mitigation: Please emit only after the transaction is complete.
Code: https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L323-378
Description: Above code can be extracted into a separate function for readaility. Also the conditions can be arranged in much better way for anyone to understand the flow.
Mitigation: Add another internal function processOrder(order)
function processOrder(Order memory order) internal returns (uint256 positionId) { bool isCall = order.isCall; bool isLong = order.isLong
if (isCall) { . . . if (!isCall) { . . return positionId=... } else (isCall) { . . return positionId=... } }
} repeat same for isLong
This will help the readaility, flow and may be make the contract better arranged.
Above two code lines are similar checks. They can be turned into modifiers for readability