Platform: Code4rena
Start Date: 08/03/2023
Pot Size: $60,500 USDC
Total HM: 2
Participants: 123
Period: 7 days
Judge: hansfriese
Id: 220
League: ETH
Rank: 87/123
Findings: 1
Award: $29.67
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0x1f8b, 0x6980, 0xAgro, 0xSolus, 0xhacksmithh, 0xkazim, ABA, BPZ, BowTiedOriole, ChainReview, DadeKuma, DeFiHackLabs, Deathstore, DevABDee, Diana, Dravee, Dug, Englave, Go-Langer, Haipls, IceBear, Inspex, Jeiwan, Kek, Kresh, Madalad, MatricksDeCoder, MyFDsYours, RaymondFam, Rolezn, SAAJ, Sathish9098, Taloner, Udsen, Viktor_Cortess, atharvasama, ayden, brgltd, btk, carlitox477, catellatech, chaduke, codeislight, deadrxsezzz, descharre, erictee, fatherOfBlocks, favelanky, glcanvas, handsomegiraffe, jasonxiale, jekapi, joestakey, lemonr, luxartvinsec, martin, matrix_0wl, minhquanym, mrpathfindr, nadin, oyc_109, parsely, peanuts, pfedprog, rbserver, rokso, saian, santipu_, scokaf, slvDev, tsvetanovv, ubl4nk, ulqiorra, yamapyblack, zaskoh
29.6697 USDC - $29.67
| Number | Issues Details |
|---|---|
| [L-01] | Missing checks for address(0x0) |
| [L-02] | Missing event for critical parameter change |
| Number | Issues Details |
|---|---|
| [NC-01] | Use stable pragma statement |
| [NC-02] | Use named imports instead of plain import FILE.SOL |
| [NC-03] | Update external dependency to latest version |
| [NC-04] | Solidity compiler optimizations can be problematic |
| [NC-05] | Constant values such as a call to keccak256(), should used to immutable rather than constant |
| [NC-06] | Constants should be defined rather than using magic numbers |
| [NC-07] | You can use named parameters in mapping types |
Lack of zero-address validation on address parameters may lead to transaction reverts, waste gas, require resubmission of transactions and may even force contract redeployments in certain cases within the protocol.
BYTES2.sol 81: BYTES1 = _bytes; 82: S1_CITIZEN = _s1Citizen; 83: STAKER = _staker; 84: TREASURY = _treasury; 114: function getReward ( 115: address _to 140: function burn ( 141: address _from, NeoTokyoStaker.sol 588: constructor ( 589: address _bytes, 590: address _s1Citizen, 591: address _s2Citizen, 592: address _lpToken, 593: address _identity, 594: address _vault, 595: uint256 _vaultCap, 596: uint256 _noVaultCap ) {
Consider adding explicit zero-address validation on input parameters of address type.
Emitting events allows monitoring activities with off-chain monitoring tools.
BYTES2.sol 114: function getReward ( 115:Â Â Â Â address _to 116:Â Â ) external { 140: function burn ( 141:Â Â Â Â address _from, 142:Â Â Â Â uint256 _amount 143:Â Â ) hasValidPermit(UNIVERSAL, BURN) external {
Using a floating pragma statement ^0.8.19 is discouraged as code can compile to different bytecodes with different compiler versions. Use a stable pragma statement to get a deterministic bytecode.
IMPORT FILE.SOLRecommendation: `import {contract1 , contract2} from "filename.sol";
The latest version is 4.8.2
package.json:
9: "@openzeppelin/contracts-upgradeable": "^4.4.2",
hardhat.config.js
compilers: {   solc: {    version: '0.8.11', and version: '0.8.19',    settings: {     optimizer: {      enabled: true,      runs: 200,      details: {      yul: true      },     },    },   },  },
Protocol has enabled optional compiler optimizations in Solidity. There have been several optimization bugs with security implications. Moreover, optimizations are actively being developed. Solidity compiler optimizations are disabled by default, and it is unclear how many contracts in the wild actually use them.
There is a difference between constant variables and immutable variables, and they should each be used in their appropriate contexts.
While it doesn’t save any gas because the compiler knows that developers often make this mistake, it’s still best to use the right tool for the task at hand.
Constants should be used for literal values written into the code, and immutable variables should be used for expressions, or values calculated in, or passed into the constructor.
BYTES2.sol 37: bytes32 public constant BURN = keccak256("BURN"); 40: bytes32 public constant ADMIN = keccak256("ADMIN"); NeoTokyoStaker.sol 206: bytes32 public constant CONFIGURE_LP = keccak256("CONFIGURE_LP"); 209: bytes32 public constant CONFIGURE_TIMELOCKS = keccak256( 214: bytes32 public constant CONFIGURE_CREDITS = keccak256("CONFIGURE_CREDITS"); 217: bytes32 public constant CONFIGURE_POOLS = keccak256("CONFIGURE_POOLS"); 220: bytes32 public constant CONFIGURE_CAPS = keccak256("CONFIGURE_CAPS");
BYTES2.sol 152: treasuryShare = _amount * 2 / 3; NeoTokyoStaker.sol 962: uint256 timelockDuration = _timelock >> 128; 1113: (seasonId << 128) + citizenId, 1140: uint256 timelockDuration = _timelock >> 128; 1205: if (uint8(_assetType) > 4) { 1389: uint256 daoShare = share * pool.daoTax / (100 * _DIVISOR);
From Solidity 0.8.18 you can use named parameters in mapping types.
#0 - c4-judge
2023-03-17T02:49:45Z
hansfriese marked the issue as grade-b