Platform: Code4rena
Start Date: 11/01/2023
Pot Size: $60,500 USDC
Total HM: 6
Participants: 69
Period: 6 days
Judge: Trust
Total Solo HM: 2
Id: 204
League: ETH
Rank: 55/69
Findings: 1
Award: $36.24
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: CodingNameKiki
Also found by: 0x1f8b, 0x52, 0x5rings, 0xAgro, 0xSmartContract, 0xcm, 0xkato, 2997ms, Aymen0909, BClabs, BPZ, BRONZEDISC, Bauer, Bnke0x0, Deekshith99, IllIllI, Josiah, Kaysoft, RaymondFam, Rolezn, SaeedAlipoor01988, Tajobin, Udsen, Viktor_Cortess, adriro, arialblack14, betweenETHlines, btk, chaduke, chrisdior4, cryptphi, csanuragjain, cygaar, defsec, descharre, erictee, gzeon, hansfriese, horsefacts, joestakey, koxuan, lukris02, luxartvinsec, nicobevi, oyc_109, pavankv, peanuts, rbserver, scokaf, shark, tnevler, tsvetanovv, zaskoh
36.2377 USDC - $36.24
Vulnerability details
Contracts should be deployed with the same compiler version and flags they were tested with. Locking the pragma, i.e. removing the ^ from pragma solidity ^0.8.10, ensures the contracts cannot accidentally be deployed with a different compiler release than the one tested (a caret pragma accepts any 0.8.x from 0.8.10 upward), including an older one with unfixed bugs.
For reference, see https://swcregistry.io/docs/SWC-103
Manual Analysis
Remove the ^ from "pragma solidity ^0.8.10", i.e. use "pragma solidity 0.8.10", so the file matches the locked pragmas in the rest of the contracts.
Vulnerability details
Some constants are hard to read at a glance because they contain long runs of zeros. Solidity allows _ as a digit separator in numeric literals (e.g. 1_000_000); the separator has no effect on the value.
Manual Analysis
Replace 2628000 with 2_628_000.
Replace 90000 with 90_000.
Vulnerability details
The convention is to declare the pragma version (for example pragma solidity 0.8.17;) before any import statements in a Solidity file. In several contracts the imports are placed before the pragma directive. For readability and consistency with the usual convention, the pragma directive should come before the imports.
Manual Analysis
Declare the pragma version before the imports, e.g.:
pragma solidity 0.8.16;
import "contracts/cash/kyc/KYCRegistryClient.sol";
Vulnerability details
Some contracts use block.timestamp, which can be problematic because the block producer chooses the timestamp, subject only to the following restrictions:
It cannot be earlier than the timestamp of the parent block.
It cannot be too far in the future (clients reject a block whose timestamp is more than a few seconds ahead of their own clock).
Logic that depends on the exact timestamp, or that uses it as a source of randomness, can therefore be influenced by whoever produces the block. Since the merge the timestamp is derived from the slot, which leaves the producer far less leeway, but the entropy concern still stands.
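The difference between a harmless and a harmful use of block.timestamp, as an added example that is not part of the original report or the audited code (the contract names, the one-day minimum lock and the ticket price are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.16;

// Constructed illustration, not code from the audited repository.
// Two patterns that read block.timestamp; only the second is dangerous.

// Coarse time lock: a lock measured in days is unaffected by a timestamp
// that is a few seconds off, so the block producer's leeway is harmless.
contract TimeLock {
    mapping(address => uint256) public balance;
    mapping(address => uint256) public unlockAt;

    function deposit(uint256 lockFor) external payable {
        require(lockFor >= 1 days, "lock too short");   // assumed minimum
        balance[msg.sender] += msg.value;
        unlockAt[msg.sender] = block.timestamp + lockFor;
    }

    function withdraw() external {
        require(block.timestamp >= unlockAt[msg.sender], "still locked");
        uint256 amount = balance[msg.sender];
        balance[msg.sender] = 0;                        // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Timestamp as entropy: whoever builds the block knows the timestamp
// before anyone else and, within the allowed window, can pick it. A
// builder who is also a player can wait for a block in which they win.
contract TimestampRaffle {
    uint256 public constant TICKET = 0.01 ether;        // assumed ticket price
    address[] public players;

    function enter() external payable {
        require(msg.value == TICKET, "wrong ticket price");
        players.push(msg.sender);
    }

    // UNSAFE: the "random" index is predictable and producer-influenced.
    function pickWinner() external {
        uint256 n = players.length;
        require(n > 0, "no players");
        uint256 idx = uint256(keccak256(abi.encodePacked(block.timestamp, n))) % n;
        address winner = players[idx];
        delete players;
        (bool ok, ) = winner.call{value: n * TICKET}("");
        require(ok, "payout failed");
    }
}
```

TimeLock needs no change: shifting the timestamp by seconds moves an unlock measured in days by seconds. The raffle is not fixed by switching to another producer-visible value (block.prevrandao is known to the proposer too); it needs a commit-reveal scheme or a verifiable randomness oracle.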
Manual Analysis
Vulnerability details
Delegatecall is easy to misuse, and a mistake in how it is applied can have disastrous effects.
Two things must be kept in mind when using delegatecall:
The calling context is preserved: the called code runs against the caller's storage, with the caller's msg.sender and msg.value.
Because of that, the contract issuing the delegatecall and the contract whose code is executed must have the same storage layout; otherwise a write to a variable in the callee lands in an unrelated slot of the caller.
Manual Analysis
Use a stateless library.
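A storage collision through delegatecall and the two ways to avoid it, as an added example that is not from the original report or the audited code (the contract and library names are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.16;

// Constructed illustration, not code from the audited repository.

// Callee whose only state is a counter in slot 0.
contract CounterImpl {
    uint256 public count;                         // slot 0

    function increment() external { count++; }
}

// BROKEN: the proxy keeps the implementation address in slot 0.
// delegatecall runs CounterImpl's code against this contract's storage,
// so `count++` actually adds 1 to `implementation`. After one call the
// proxy points at impl+1, an account with no code; later delegatecalls
// return success without doing anything and the proxy is useless.
contract BrokenProxy {
    address public implementation;                // slot 0, collides with count

    constructor(address impl) { implementation = impl; }

    function increment() external {
        (bool ok, ) = implementation.delegatecall(
            abi.encodeWithSelector(CounterImpl.increment.selector)
        );
        require(ok, "delegatecall failed");
    }
}

// FIX A: keep the layouts identical. The proxy mirrors the callee's
// variables in the same order and only then adds its own state.
contract LayoutSafeProxy {
    uint256 public count;                         // slot 0, same as CounterImpl
    address public implementation;                // slot 1, proxy-only

    constructor(address impl) { implementation = impl; }

    function increment() external {
        (bool ok, ) = implementation.delegatecall(
            abi.encodeWithSelector(CounterImpl.increment.selector)
        );
        require(ok, "delegatecall failed");
    }
}

// FIX B (the report's recommendation): a stateless library. Libraries
// cannot declare state variables, so there is no layout to collide with;
// the caller passes a storage pointer and the library mutates only that.
library CounterLib {
    struct Counter { uint256 value; }

    function increment(Counter storage c) internal { c.value++; }
}

contract UsesCounterLib {
    using CounterLib for CounterLib.Counter;

    address public owner;                         // any layout is fine here
    CounterLib.Counter private counter;

    constructor() { owner = msg.sender; }

    function increment() external { counter.increment(); }

    function count() external view returns (uint256) { return counter.value; }
}
```

With `internal` library functions the compiler inlines the code, so no delegatecall happens at all; with `public` or `external` library functions the call is a DELEGATECALL to the deployed library, but the library is still stateless and can only touch the storage pointer it was given.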
#0 - c4-judge
2023-01-22T17:50:41Z
trust1995 marked the issue as grade-b