Platform: Code4rena
Start Date: 17/03/2023
Pot Size: $36,500 USDC
Total HM: 10
Participants: 98
Period: 3 days
Judge: leastwood
Total Solo HM: 5
Id: 223
League: ETH
Rank: 67/98
Findings: 1
Award: $22.77
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Sathish9098
Also found by: 0xAgro, 0xSmartContract, 0xdaydream, 0xnev, Awesome, Aymen0909, BRONZEDISC, Bauchibred, Deathstore, Diana, IceBear, Jerry0x, Kresh, Matin, Rolezn, Stryder, T1MOH, Udsen, adriro, alejandrocovrr, atharvasama, codeslide, cryptonue, descharre, igingu, jack, joestakey, libratus, lukris02, luxartvinsec, nadin, nasri136, reassor, scokaf, shark, slvDev, tnevler
22.7749 USDC - $22.77
Vulnerability details
Word & typing typos
File: Namespace.sol
occurence can be changed to occurrence in the following comment.
Manual Analysis
Vulnerability details
Solidity code is also cleaner in another way that might not be noticeable: the struct Point. We were importing it previously with global import but not using it. The Point struct polluted the source code with an unnecessary object we were not using because we did not need it. This was breaking the rule of modularity and modular programming: only import what you need Specific imports with curly braces to allow us to apply this rule better.
File: src/ProfilePicture.sol.sol
File: src/Bio..sol
File: src/Namespace.sol
File: src/Tray.sol
File: src/Utils.sol
Manual Analysis
import {contract1 , contract2} from "filename.sol";
import {Owned} from "solmate/auth/Owned.sol"; import {ERC721} from "solmate/tokens/ERC721.sol"; import {LibString} from "solmate/utils/LibString.sol"; import {MerkleProofLib} from "solmate/utils/MerkleProofLib.sol"; import {FixedPointMathLib} from "solmate/utils/FixedPointMathLib.sol"; import {ERC1155, ERC1155TokenReceiver} from "solmate/tokens/ERC1155.sol"; import {toWadUnsafe, toDaysWadUnsafe} from "solmate/utils/SignedWadMath.sol";
Vulnerability details
The solidity documentation recommends a maximum of 120 characters.
For reference, see https://docs.soliditylang.org/en/v0.8.17/style-guide.html#maximum-line-length
2 Files, 5 Instances
Manual Analysis
Consider adding a limit of 120 characters or less to prevent large lines.
Vulnerability details
Interchangeable usage of uint and uint256. Below are instances where uint was used rather than uint256 like in the rest of the code.
File: src/Bio.sol
Manual Analysis
Consider using only one approach throughout the codebase, e.g. only uint or only uint256.
Vulnerability details
NFT thefts have increased recently, so with the addition of hacked NFTs to the platform, NFTs can be converted into liquidity. To prevent this, I recommend adding the blacklist function.
Marketplaces such as Opensea have a blacklist feature that will not list NFTs that have been reported theft, NFT projects such as Manifold have blacklist functions in their smart contracts.
Here is the project example; Manifold
Manifold Contract https://etherscan.io/address/0xe4e4003afe3765aca8149a82fc064c0b125b9e5a#code
Manual Analysis
Add to Blacklist function and modifier.
Example
modifier nonBlacklistRequired(address extension) { require(!_blacklistedExtensions.contains(extension), "Extension blacklisted"); _; }
Vulnerability details
There are occasions where certain numbers have been hardcoded, either in variables or in the code itself. Large numbers can become hard to read.
File: src/Utils.sol
Manual Analysis
Consider using underscores for number literals to improve their readability.
Vulnerability details
Uppercase immutable variables
File: Tray.sol
uint256 public immutable trayPrice;
address public immutable namespaceNFT;
File: Namespace.sol
Tray public immutable tray;
File: ProfilePicture.sol
ICidNFT private immutable cidNFT;
Manual Analysis
Immutable Variables should be UPPERCASE
Vulnerability details
Missing NatSpec
Consider adding specifications to the following code blocks:
File: Tray.sol
error CallerNotAllowedToBurn(); error TrayNotMinted(uint256 tokenID); error OnlyOwnerCanMintPreLaunch(); error MintExceedsPreLaunchAmount(); error PrelaunchTrayCannotBeUsedAfterPrelaunch(uint256 startTokenId); error PrelaunchAlreadyEnded();
File: ProfilePicture.sol https://github.com/code-423n4/2023-03-canto-identity/blob/077372297fc419ea7688ab62cc3fd4e8f4e24e66/canto-pfp-protocol/src/ProfilePicture.sol#L50-L52
File: Utils.sol
Manual Analysis
Add NatSpec comments accordingly.
Vulnerability details
At the start of the project, the system may need to be stopped or upgraded, I suggest you have a script beforehand and add it to the documentation. This can also be called an ” EMERGENCY STOP (CIRCUIT BREAKER) PATTERN “.
For reference, see https://github.com/maxwoe/solidity_patterns/blob/master/security/EmergencyStop.sol
Manual Analysis
Create upgrade and stop scenario
Vulnerability details
Use of bytes.concat() instead of abi.encodePacked(,)
Rather than using abi.encodePacked for appending bytes, since version 0.8.4, bytes.concat() is enabled
File: Utils.sol
Manual Analysis
Since version 0.8.4 for appending bytes, bytes.concat() can be used instead of abi.encodePacked(,).
#0 - c4-judge
2023-04-11T16:05:47Z
0xleastwood marked the issue as grade-b