
c4udit automated report #38

Closed tbwebb22 closed 1 year ago

tbwebb22 commented 1 year ago

Below is the automated c4udit report on our contracts, generated with the tool available at https://github.com/byterocket/c4udit

c4udit Report

Files analyzed

Issues found

Don't Initialize Variables with Default Value

Impact

Issue Information: G001

Findings:

contracts\VotesToken.sol::34 => for (uint256 i = 0; i < _hodlers.length; i++) {
contracts\azorius\Azorius.sol::129 => for (uint256 i = 0; i < _transactions.length; i++) {
contracts\azorius\Azorius.sol::207 => for (uint256 i = 0; i < _targets.length; i++) {
contracts\azorius\Azorius.sol::231 => for (uint256 i = 0; i < _strategies.length; i++) {
contracts\azorius\Azorius.sol::272 => uint256 strategyCount = 0;

Tools used

c4udit

Cache Array Length Outside of Loop

Impact

Issue Information: G002

Findings:

contracts\FractalModule.sol::55 => uint256 controllersLength = _controllers.length;
contracts\FractalModule.sol::70 => uint256 controllersLength = _controllers.length;
contracts\VotesToken.sol::34 => for (uint256 i = 0; i < _hodlers.length; i++) {
contracts\azorius\Azorius.sol::124 => if (_transactions.length == 0) revert InvalidProposal();
contracts\azorius\Azorius.sol::128 => bytes32[] memory txHashes = new bytes32[](_transactions.length);
contracts\azorius\Azorius.sol::129 => for (uint256 i = 0; i < _transactions.length; i++) {
contracts\azorius\Azorius.sol::197 => if (_targets.length == 0) revert InvalidTxs();
contracts\azorius\Azorius.sol::199 => _targets.length != _values.length ||
contracts\azorius\Azorius.sol::200 => _targets.length != _data.length ||
contracts\azorius\Azorius.sol::201 => _targets.length != _operations.length
contracts\azorius\Azorius.sol::204 => proposals[_proposalId].executionCounter + _targets.length >
contracts\azorius\Azorius.sol::205 => proposals[_proposalId].txHashes.length
contracts\azorius\Azorius.sol::207 => for (uint256 i = 0; i < _targets.length; i++) {
contracts\azorius\Azorius.sol::218 => proposals[_proposalId].executionCounter + _targets.length
contracts\azorius\Azorius.sol::231 => for (uint256 i = 0; i < _strategies.length; i++) {
contracts\azorius\Azorius.sol::311 => } else if (_proposal.executionCounter == _proposal.txHashes.length) {

Tools used

c4udit

Use immutable for OpenZeppelin AccessControl's Roles Declarations

Impact

Issue Information: G006

Findings:

contracts\MultisigFreezeGuard.sol::135 => keccak256(gnosisTransactionHash),
contracts\MultisigFreezeGuard.sol::272 => keccak256(
contracts\MultisigFreezeGuard.sol::276 => keccak256(data),
contracts\azorius\Azorius.sol::334 => bytes32 domainSeparator = keccak256(
contracts\azorius\Azorius.sol::337 => bytes32 transactionHash = keccak256(
contracts\azorius\Azorius.sol::342 => keccak256(_data),
contracts\azorius\Azorius.sol::368 => return keccak256(generateTxHashData(_to, _value, _data, _operation, 0));
contracts\azorius\interfaces\IAzorius.sol::194 => * Returns the keccak256 hash of the specified transaction.

Tools used

c4udit

Long Revert Strings

Impact

Issue Information: G007

Findings:

contracts\AzoriusFreezeGuard.sol::4 => import "./interfaces/IBaseFreezeVoting.sol";
contracts\AzoriusFreezeGuard.sol::5 => import "@gnosis.pm/zodiac/contracts/interfaces/IGuard.sol";
contracts\AzoriusFreezeGuard.sol::6 => import "@gnosis.pm/zodiac/contracts/factory/FactoryFriendly.sol";
contracts\AzoriusFreezeGuard.sol::7 => import "@gnosis.pm/safe-contracts/contracts/common/Enum.sol";
contracts\AzoriusFreezeGuard.sol::8 => import "@gnosis.pm/zodiac/contracts/guard/BaseGuard.sol";
contracts\BaseFreezeVoting.sol::4 => import "@gnosis.pm/zodiac/contracts/factory/FactoryFriendly.sol";
contracts\BaseFreezeVoting.sol::5 => import "./interfaces/IBaseFreezeVoting.sol";
contracts\ERC20FreezeVoting.sol::5 => import "@gnosis.pm/safe-contracts/contracts/common/Enum.sol";
contracts\ERC20FreezeVoting.sol::6 => import "@openzeppelin/contracts/governance/utils/IVotes.sol";
contracts\FractalModule.sol::4 => import "@gnosis.pm/zodiac/contracts/core/Module.sol";
contracts\FractalRegistry.sol::4 => import "./interfaces/IFractalRegistry.sol";
contracts\MultisigFreezeGuard.sol::4 => import "./interfaces/IMultisigFreezeGuard.sol";
contracts\MultisigFreezeGuard.sol::5 => import "./interfaces/IBaseFreezeVoting.sol";
contracts\MultisigFreezeGuard.sol::7 => import "@gnosis.pm/zodiac/contracts/interfaces/IGuard.sol";
contracts\MultisigFreezeGuard.sol::8 => import "@gnosis.pm/zodiac/contracts/factory/FactoryFriendly.sol";
contracts\MultisigFreezeGuard.sol::9 => import "@gnosis.pm/safe-contracts/contracts/common/Enum.sol";
contracts\MultisigFreezeGuard.sol::10 => import "@gnosis.pm/zodiac/contracts/guard/BaseGuard.sol";
contracts\TokenClaim.sol::6 => import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
contracts\VotesToken.sol::4 => import "@gnosis.pm/zodiac/contracts/factory/FactoryFriendly.sol";
contracts\VotesToken.sol::5 => import "@openzeppelin/contracts/utils/introspection/ERC165Storage.sol";
contracts\VotesToken.sol::6 => import "@openzeppelin/contracts-upgradeable/token/ERC20/IERC20Upgradeable.sol";
contracts\VotesToken.sol::7 => import "@openzeppelin/contracts-upgradeable/token/ERC20/extensions/ERC20VotesUpgradeable.sol";
contracts\VotesToken.sol::8 => import "@openzeppelin/contracts-upgradeable/token/ERC20/extensions/ERC20SnapshotUpgradeable.sol";
contracts\azorius\Azorius.sol::4 => import "@gnosis.pm/zodiac/contracts/core/Module.sol";
contracts\azorius\BaseQuorumPercent.sol::4 => import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
contracts\azorius\BaseStrategy.sol::6 => import "@gnosis.pm/zodiac/contracts/factory/FactoryFriendly.sol";
contracts\azorius\BaseStrategy.sol::7 => import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
contracts\azorius\LinearTokenVoting.sol::4 => import "@openzeppelin/contracts/token/ERC20/extensions/ERC20Votes.sol";
contracts\azorius\interfaces\IAzorius.sol::4 => import "@gnosis.pm/safe-contracts/contracts/common/Enum.sol";
contracts\interfaces\IBaseFreezeVoting.sol::4 => import "@gnosis.pm/safe-contracts/contracts/common/Enum.sol";
contracts\interfaces\ICallbackGnosis.sol::4 => import "@gnosis.pm/safe-contracts/contracts/proxies/IProxyCreationCallback.sol";
contracts\interfaces\IFractalModule.sol::4 => import "@gnosis.pm/safe-contracts/contracts/common/Enum.sol";
contracts\interfaces\IFractalModule.sol::5 => import "@openzeppelin/contracts/utils/introspection/IERC165.sol";
contracts\interfaces\IGnosisSafe.sol::4 => import "@gnosis.pm/safe-contracts/contracts/common/Enum.sol";
contracts\interfaces\IMultisigFreezeGuard.sol::4 => import "@gnosis.pm/safe-contracts/contracts/common/Enum.sol";

Tools used

c4udit

Unsafe ERC20 Operation(s)

Impact

Issue Information: L001

Findings:

contracts\TokenClaim.sol::51 => IERC20(_childToken).transferFrom(_childTokenFunder, address(this), _parentAllocation);

Tools used

c4udit

Unspecific Compiler Version Pragma

Impact

Issue Information: L003

Findings:

contracts\AzoriusFreezeGuard.sol::2 => pragma solidity ^0.8.0;
contracts\BaseFreezeVoting.sol::2 => pragma solidity ^0.8.0;
contracts\ERC20FreezeVoting.sol::2 => pragma solidity ^0.8.0;
contracts\FractalModule.sol::2 => pragma solidity ^0.8.0;
contracts\FractalRegistry.sol::2 => pragma solidity ^0.8.0;
contracts\MultisigFreezeGuard.sol::2 => pragma solidity ^0.8.0;
contracts\MultisigFreezeVoting.sol::2 => pragma solidity ^0.8.0;
contracts\TokenClaim.sol::2 => pragma solidity ^0.8.0;
contracts\VotesToken.sol::2 => pragma solidity ^0.8.0;
contracts\azorius\Azorius.sol::2 => pragma solidity ^0.8.0;
contracts\azorius\BaseQuorumPercent.sol::2 => pragma solidity ^0.8.0;
contracts\azorius\BaseStrategy.sol::2 => pragma solidity ^0.8.0;
contracts\azorius\BaseTokenVoting.sol::2 => pragma solidity ^0.8.0;
contracts\azorius\LinearTokenVoting.sol::2 => pragma solidity ^0.8.0;
contracts\azorius\interfaces\IAzorius.sol::2 => pragma solidity ^0.8.0;
contracts\azorius\interfaces\IBaseStrategy.sol::2 => pragma solidity ^0.8.0;
contracts\interfaces\IBaseFreezeVoting.sol::2 => pragma solidity ^0.8.0;
contracts\interfaces\ICallbackGnosis.sol::2 => pragma solidity ^0.8.0;
contracts\interfaces\IFractalModule.sol::2 => pragma solidity ^0.8.0;
contracts\interfaces\IFractalRegistry.sol::2 => pragma solidity ^0.8.0;
contracts\interfaces\IGnosisSafe.sol::2 => pragma solidity ^0.8.0;
contracts\interfaces\IMultisigFreezeGuard.sol::2 => pragma solidity ^0.8.0;
contracts\interfaces\ITokenClaim.sol::2 => pragma solidity ^0.8.0;

Tools used

c4udit