Floating pragma is used in CosmosToken.sol and Gravity.sol. Contracts should be deployed with the same compiler version and flags that they have been thoroughly tested with. Locking the pragma (i.e. not using ^) helps ensure that contracts do not accidentally get deployed with, for example, an outdated compiler version that might introduce bugs that negatively affect the contract system.
Reference
CosmosToken.sol and Gravity.sol use Solidity compiler version 0.6.6, which is outdated. The current compiler version is v0.8.13.
It is recommended to deploy the contracts with one of the Solidity compiler versions below:
- 0.5.16 - 0.5.17
- 0.6.11 - 0.6.12
- 0.7.5 - 0.7.6
- 0.8.4 - 0.8.7

Use a simple pragma version that allows any of these versions. Consider using the latest version of Solidity for testing.
Reference
In Gravity.sol, an expensive loop is used: writing to a state variable on every iteration incurs a lot of gas because of expensive SSTOREs, which might lead to an out-of-gas error for large inputs.

```solidity
function manageWhitelist(
    address[] memory _users,
    bool _isWhitelisted
) public onlyWhitelisted {
    // One SSTORE per user; gas cost grows linearly with _users.length
    for (uint256 i = 0; i < _users.length; i++) {
        require(
            _users[i] != address(0),
            "User is the zero address"
        );
        whitelisted[_users[i]] = _isWhitelisted;
    }
    emit WhitelistedStatusModified(msg.sender, _users, _isWhitelisted);
}
```
The self-notes at Gravity.sol#L137-L138 should be removed.
EVM's ecrecover is susceptible to signature malleability, which allows replay attacks; using OpenZeppelin's ECDSA library in the verifySig() function of Gravity.sol can mitigate this. Reference
In Gravity.sol, the submitBatch() function should check that the _destinations param does not contain address(0).
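To illustrate the ecrecover finding above, here is an added example (not code from Gravity.sol or the project) that puts a raw ecrecover check next to the OpenZeppelin ECDSA form. It assumes OpenZeppelin Contracts 4.x at the import path shown; the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.13; // locked pragma, as the report recommends

// Assumed import path for OpenZeppelin Contracts 4.x; in 5.x
// toEthSignedMessageHash moved to MessageHashUtils.
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

/// Hypothetical contract (not Gravity.sol) contrasting a raw ecrecover
/// check with the OpenZeppelin ECDSA equivalent.
contract SigCheckExample {
    // 1) Pattern the finding describes: ecrecover accepts both encodings
    //    of the same signature (s and n - s, with v flipped), so a
    //    signature already consumed can be presented again in its
    //    malleated form and still recover the same signer.
    function verifySigRaw(
        address _signer,
        bytes32 _theHash,
        uint8 _v,
        bytes32 _r,
        bytes32 _s
    ) public pure returns (bool) {
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", _theHash)
        );
        // ecrecover returns address(0) on failure, so a zero _signer
        // would "verify" unless the caller rejects address(0) itself.
        return ecrecover(digest, _v, _r, _s) == _signer;
    }

    // 2) Hardened form: ECDSA.recover reverts unless s is in the lower
    //    half of the curve order and v is 27 or 28, so only the canonical
    //    encoding is accepted; it also reverts when recovery yields
    //    address(0) instead of returning it.
    function verifySigSafe(
        address _signer,
        bytes32 _theHash,
        uint8 _v,
        bytes32 _r,
        bytes32 _s
    ) public pure returns (bool) {
        bytes32 digest = ECDSA.toEthSignedMessageHash(_theHash);
        return ECDSA.recover(digest, _v, _r, _s) == _signer;
    }
}
```

Rejecting the non-canonical encoding closes the malleability avenue only; a message that may legitimately be submitted once still needs a nonce or a consumed-digest record to stop the canonical signature from being replayed.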