Open code423n4 opened 1 year ago
R
L
NC
Disputed as it's a script not a contract
R
L
Disagree for the specific instance of SupportsInterface codes
Disputed as ERC20 from solmate already has it https://github.com/transmissions11/solmate/blob/62e0943c013a66b2720255e2651450928f4eed7a/src/tokens/ERC20.sol#L116
2L 2R 1NC
Low
1. Mixing and Outdated compiler
The pragma version used are:
Note that mixing pragma is not recommended. Because different compiler versions have different meanings and behaviors, it also significantly raises maintenance costs. As a result, depending on the compiler version selected for any given file, deployed contracts may have security issues.
The minimum required version must be 0.8.16; otherwise, contracts will be affected by the following important bug fixes:
0.8.3:
0.8.4:
0.8.9:
0.8.13:
abi.encodeCall
in place of fixed bytes arguments.0.8.14:
calldatasize()
in all cases.0.8.15
bytes
arrays.0.8.16
Apart from these, there are several minor bug fixes and improvements.
2. Lack of checks
The following methods have a lack of checks if the received argument is an address, it's good practice in order to reduce human error to check that the address specified in the constructor or initialize is different than
address(0)
.Affected source code for
address(0)
:3. Lack of ACK during owner change
It's possible to lose the ownership under specific circumstances.
Because of human error it's possible to set a new invalid owner. When you want to change the owner's address it's better to propose a new owner, and then accept this ownership with the new wallet.
Affected source code:
4. Avoid using
tx.origin
tx.origin
is a global variable in Solidity that returns the address of the account that sent the transaction.Using the variable could make a contract vulnerable if an authorized account calls a malicious contract. You can impersonate a user using a third party contract.
This can make it easier to create a vault on behalf of another user with an external administrator (by receiving it as an argument).
Affected source code:
5. Unsafe math
A user supplied argument can be passed as zero to multiplication operation.
Reference:
Affected source code:
6. Integer overflow by unsafe casting
Keep in mind that the version of solidity used, despite being greater than
0.8
, does not prevent integer overflows during casting, it only does so in mathematical operations.It is necessary to safely convert between the different numeric types.
Recommendation:
Use a safeCast from Open Zeppelin.
Affected source code:
Non critical
7. Avoid hardcoded values
It is not good practice to hardcode values, but if you are dealing with addresses much less, these can change between implementations, networks or projects, so it is convenient to remove these values from the source code.
Affected source code:
Use the selector instead of the raw value:
8. Use tokens with ERC20 permit
The erc20 signature approval extension is a major usability enhancement that helps users and projects reap its benefits in the future.
The use of this feature is fully recommended.
Reference:
Affected source code:
9. Avoid hardcoded values
It is not good practice to hardcode values, but if you are dealing with addresses much less, these can change between implementations, networks or projects, so it is convenient to remove these values from the source code.
Affected source code:
Use the selector instead of the raw value: