Open code423n4 opened 2 years ago
simon-something
commented
2 years ago 4 and 5 are pretty generic, feels like it is not for our codebase (EIP165 is implemented in the contract quoted and the delagate is not updatable, initialize is to palliate the lack of constructor, as the contract is cloned)
Picodes
commented
2 years ago 1, 2, 3, 4 are valid.
For 2, the comment mentions abi.encode which is not the same as string.concat or abi.encodePacked
c4-judge
commented
2 years ago Picodes marked the issue as grade-b
Low
1. Outdated packages
Some used packages are out of date, it is good practice to use the latest version of these packages:
Reference:
2. Use
string.concatinstead ofabi.encodePackedTthere is a discussion about removing
abi.encodePackedfrom future versions of Solidity (ethereum/solidity#11593), so usingabi.encodenow will ensure compatibility in the future.Affected source code:
3. Integer overflow by unsafe casting
Keep in mind that the version of solidity used, despite being greater than
0.8, does not prevent integer overflows during casting, it only does so in mathematical operations.It is necessary to safely convert between the different numeric types.
Recommendation:
Use a safeCast from Open Zeppelin.
Affected source code:
4. Lack of checks
supportsInterfaceThe
EIP-165standard helps detect that a smart contract implements the expected logic, prevents human error when configuring smart contract bindings, so it is recommended to check that the received argument is a contract and supports the expected interface.Reference:
Affected source code:
5. Lack of
initializeprotectionsThe following contracts are updateable, and follow the update pattern, these contracts contain an
initializemethod to set the contract once, but anyone can call this method, this will spend project fuel if someone tries to initialize it before the project.It is recommended to check the sender when initializing the contract.
Affected source code: