Some fee parameters of functions are not checked for invalid values. Validate the parameters:
Code instance:
Cally.setFee (feeRate_)
Require with empty message
The following requires are with empty messages.
This is very important to add a message for any require. So the user has enough information to know the reason of failure.
Code instances:
Solidity file: SafeCastLib.sol, In line 39 with Empty Require message.
Solidity file: SafeCastLib.sol, In line 51 with Empty Require message.
Solidity file: SafeCastLib.sol, In line 21 with Empty Require message.
Solidity file: SafeCastLib.sol, In line 9 with Empty Require message.
Solidity file: SafeCastLib.sol, In line 33 with Empty Require message.
Require with not comprehensive message
The following requires has a non comprehensive messages.
This is very important to add a comprehensive message for any require. Such that the user has enough
information to know the reason of failure:
Code instances:
Solidity file: Test.sol, In line 257 with Require message: NotFound
Solidity file: Cally.sol, In line 354 with Require message: Not owner
Not verified input
external / public functions parameters should be validated to make sure the address is not 0.
Otherwise if not given the right input it can mistakenly lead to loss of user funds.
Code instances:
ERC20.sol.permit spender
ERC20.sol.transferFrom to
ERC4626.sol.deposit receiver
ERC20.sol.approve spender
Cally.sol.transferFrom to
Solidity compiler versions mismatch
The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.
Code instance:
Use safe math for solidity version <8
You should use safe math for solidity version <8 since there is no default over/under flow check it suchversions of solidity.
Code instances:
The contract Test.sol doesn't use safe math and is of solidity version < 8
The contract base64.sol doesn't use safe math and is of solidity version < 8
The contract console.sol doesn't use safe math and is of solidity version < 8
The contract Vm.sol doesn't use safe math and is of solidity version < 8
Not verified owner
owner param should be validated to make sure the owner address is not address(0).
Otherwise if not given the right input all only owner accessible functions will be unaccessible.
Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing.
Furthermore, removing either the actual return or the named return will save gas.
The following functions are missing reentrancy modifier although some other pulbic/external functions does use reentrancy modifer.
Even though I did not find a way to exploit it, it seems like those functions should have the nonReentrant modifier as the other functions have it as well..
Code instances:
Cally.sol, createVault is missing a reentrancy modifier
Cally.sol, transferFrom is missing a reentrancy modifier
Cally.sol, buyOption is missing a reentrancy modifier
Cally.sol, exercise is missing a reentrancy modifier
Never used parameters
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Code instances:
CREATE3.sol: function deploy parameter creationCode isn't used. (deploy is internal)
ERC4626.sol: function beforeWithdraw parameter shares isn't used. (beforeWithdraw is internal)
ERC4626.sol: function afterDeposit parameter assets isn't used. (afterDeposit is internal)
ERC4626.sol: function beforeWithdraw parameter assets isn't used. (beforeWithdraw is internal)
CREATE3.sol: function deploy parameter value isn't used. (deploy is internal)
Missing commenting
The following functions are missing commenting as describe below:
Code instances:
Cally.sol, tokenURI (public), parameter tokenId not commented
Cally.sol, transferFrom (public), parameters from, to, id not commented
Cally.sol, vaults (external), @return is missing
Cally.sol, tokenURI (public), @return is missing
Check transfer receiver is not 0 to avoid burned money
Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Code instances:
CREATE3.sol: function deploy parameter creationCode isn't used. (deploy is internal)
ERC4626.sol: function beforeWithdraw parameter shares isn't used. (beforeWithdraw is internal)
ERC4626.sol: function afterDeposit parameter assets isn't used. (afterDeposit is internal)
ERC4626.sol: function beforeWithdraw parameter assets isn't used. (beforeWithdraw is internal)
CREATE3.sol: function deploy parameter value isn't used. (deploy is internal)
Missing commenting
The following functions are missing commenting as describe below:
Code instances:
Cally.sol, tokenURI (public), parameter tokenId not commented
Cally.sol, transferFrom (public), parameters from, to, id not commented
Cally.sol, vaults (external), @return is missing
Cally.sol, tokenURI (public), @return is missing
Add a timelock
To give more trust to users: functions that set key/critical variables should be put behind a timelock.
Mult instead div in compares
To improve algorithm precision instead using division in comparison use multiplication in the following scenario:
In all of the big and trusted contracts this rule is maintained.
Code instances:
Does not validate the input fee parameter
Some fee parameters of functions are not checked for invalid values. Validate the parameters:
Code instance:
Require with empty message
The following requires are with empty messages. This is very important to add a message for any require. So the user has enough information to know the reason of failure.
Code instances:
Require with not comprehensive message
The following requires has a non comprehensive messages. This is very important to add a comprehensive message for any require. Such that the user has enough information to know the reason of failure:
Code instances:
Not verified input
external / public functions parameters should be validated to make sure the address is not 0. Otherwise if not given the right input it can mistakenly lead to loss of user funds.
Code instances:
Solidity compiler versions mismatch
The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.
Code instance:
Use safe math for solidity version <8
You should use safe math for solidity version <8 since there is no default over/under flow check it suchversions of solidity.
Code instances:
Not verified owner
Code instances:
Named return issue
Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing. Furthermore, removing either the actual return or the named return will save gas.
Code instances:
Missing non reentrancy modifier
The following functions are missing reentrancy modifier although some other pulbic/external functions does use reentrancy modifer. Even though I did not find a way to exploit it, it seems like those functions should have the nonReentrant modifier as the other functions have it as well..
Code instances:
Never used parameters
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Code instances:
Missing commenting
Code instances:
Check transfer receiver is not 0 to avoid burned money
Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.
Code instances:
Never used parameters
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Code instances:
Missing commenting
Code instances:
Add a timelock
To give more trust to users: functions that set key/critical variables should be put behind a timelock.
Code instances: