Closed code423n4 closed 1 year ago
L
Disagree, in this case it's a dev check, it's fine
Disputed, the variable is a DX tool, no storage / caching happens
Disputed per Readme
NC
After further reading, with the timestamp report and the timelock report, am closing as unsatisfactory as I believe most of the report is unfocused and could have been better customized for the sponsor.
GalloDaSballo marked the issue as grade-c
Missing checks for
address(0x0)
when assigning values toaddress
state variablesMissing checks for zero-addresses may lead to infunctional protocol, if the variable addresses are updated incorrectly.
Upgradeable contract is missing a
__gap[50]
storage variable to allow for new storage variables in later versionsWhile some contracts may not currently be sub-classed, adding the variable now protects against forgetting to add it in the future.
Use of
assert()
instead ofrequire()
Contracts use
assert()
instead ofrequire()
in multiple places. This causes a Panic error on failure and prevents the use of error strings.Prior to solc 0.8.0, assert() used the invalid opcode which used up all the remaining gas while require() used the revert opcode which refunded the gas and therefore the importance of using require() instead of assert() was greater. However, after 0.8.0, assert() uses revert opcode just like require() but creates a Panic(uint256) error instead of Error(string) created by require().
Cross-Chain Replay
attackStoring the
block.chainid
is not safe.open
TODO
commentsCode architecture, incentives, and error handling/reporting questions/issues should be resolved before deployment.
TYPOS
Event is missing
indexed
fieldsEach event should use three indexed fields if there are three or more fields.
Use of
block.timestamp
Block timestamps have historically been used for a variety of applications, such as entropy for random numbers, locking funds for periods of time, and various state-changing conditional statements that are time-dependent. Miners have the ability to adjust timestamps slightly, which can prove to be dangerous if block timestamps are used incorrectly in smart contracts.
Require
/revert
should have descriptive reason stringsSet
garbage
value inmapping
for deleting thatIf there is a mapping data structure present inside struct, then deleting the struct doesn't delete the mapping. Instead one should use lock to lock that data structure from further use.
NatSpec
is incompleteMissing event and timelock for critical parameter change
Events help non-contract tools to track changes, and events prevent users from being surprised by changes.