search

code-423n4 / 2022-09-nouns-builder-findings

10 stars 6 forks source link

QA Report #464

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

EVENT IS MISSING INDEXED FIELDS

Each event should use three indexed fields if there are three or more fields.

src/auction/IAuction.sol
22:     event AuctionBid(uint256 tokenId, address bidder, uint256 amount, bool extended, uint256 endTime);
28:     event AuctionSettled(uint256 tokenId, address winner, uint256 amount);
34:     event AuctionCreated(uint256 tokenId, uint256 startTime, uint256 endTime);

src/governance/governor/IGovernor.sol
18-26:
    event ProposalCreated(
        bytes32 proposalId,
        address[] targets,
        uint256[] values,
        bytes[] calldatas,
        string description,
        bytes32 descriptionHash,
        Proposal proposal
    );
42:    event VoteCast(address voter, bytes32 proposalId, uint256 support, uint256 weight, string reason);

src/governance/treasury/ITreasury.sol
22:    event TransactionExecuted(bytes32 proposalId, address[] targets, uint256[] values, bytes[] payloads);

src/lib/interfaces/IERC721Votes.sol
19:    event DelegateVotesChanged(address indexed delegate, uint256 prevTotalVotes, uint256 newTotalVotes);

src/manager/IManager.sol
21:    event DAODeployed(address token, address metadata, address auction, address treasury, address governor);

src/token/IToken.sol
21:    event MintScheduled(uint256 baseTokenId, uint256 founderId, Founder founder);

AVOID FLOATING PRAGMAS: THE VERSION SHOULD BE LOCKED

The pragma declared across the contract range from ^0.8.4- ^0.8.15. Locking the pragma (for e.g. by not using ^ in pragma solidity 0.8.15) ensures that contracts do not accidentally get deployed using an older compiler version with unfixed bugs. (see here)

use string.concat() instead of abi.encodePacked()

src/token/metadata/MetadataRenderer.sol
208-213:
        queryString = abi.encodePacked(
            "?contractAddress=",
            Strings.toHexString(uint256(uint160(address(this))), 20),
            "&tokenId=",
            Strings.toString(_tokenId)
        );
243-244:
        aryAttributes = abi.encodePacked(aryAttributes, '"', property.name, '": "', item.name, '"', isLast ? "" : ",");
        queryString = abi.encodePacked(queryString, "&images=", _getItemImage(item, property.name));
258-260:
        string(
            abi.encodePacked(ipfsData[_item.referenceSlot].baseUri, _propertyName, "/", _item.name, ipfsData[_item.referenceSlot].extension)
        )
272-280:
        abi.encodePacked(
            '{"name": "',
            settings.name,
            '", "description": "',
            settings.description,
            '", "image": "',
            settings.contractImage,
            '"}'
        )
290-303:
        abi.encodePacked(
            '{"name": "',
            settings.name,
            " #",
            LibUintToString.toString(_tokenId),
            '", "description": "',
            settings.description,
            '", "image": "',
            settings.rendererBase,
            queryString,
            '", "properties": {',
            aryAttributes,
            "}}"
        )
309:
        return string(abi.encodePacked("data:application/json;base64,", Base64.encode(_jsonBlob)));

Refer to Solidity Documents.

GalloDaSballo commented 1 year ago

2 NC