QA Report #59
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Overview
Table of Contents
abi.encodePacked()
should not be used with dynamic types when passing the result to a hash function such askeccak256()
import "hardhat/console.sol";
shouldn't exist in production coderequire()
should be used for checking error conditions on inputs and return values whileassert()
should be used for invariant checking>= 0.8
: SafeMath1000000000000000000
should be changed to1e18
for readability reasonsstring.concat()
orbytes.concat()
1. Low Risk Issues
1.1. Deprecated approve() function
While
safeApprove()
in itself is deprecated, it is still better thanapprove
which is subject to a known front-running attack and failing for certain token implementations that do not return a boolean value. Consider usingsafeApprove
instead (or better:safeIncreaseAllowance()
/safeDecreaseAllowance()
):1.2.
abi.encodePacked()
should not be used with dynamic types when passing the result to a hash function such askeccak256()
Similar issue in the past: here
Use
abi.encode()
instead which will pad items to 32 bytes, which will prevent hash collisions (e.g.abi.encodePacked(0x123,0x456)
=>0x123456
=>abi.encodePacked(0x1,0x23456)
, butabi.encode(0x123,0x456)
=>0x0...1230...456
). If there is only one argument toabi.encodePacked()
it can often be cast tobytes()
orbytes32()
instead.2. Non-Critical Issues
2.1.
import "hardhat/console.sol";
shouldn't exist in production codePlease delete the following before deploying:
2.2.
require()
should be used for checking error conditions on inputs and return values whileassert()
should be used for invariant checkingProperly functioning code should never reach a failing assert statement, unless there is a bug in your contract you should fix. Here, I believe the assert should be a require or a revert:
As the Solidity version is > 0.8.* the remaining gas would still be refunded in case of failure.
2.3. It's better to emit after all processing is done
2.4. Typos
2.5. Deprecated library used for Solidity
>= 0.8
: SafeMath2.6. Missing friendly revert strings
2.7. Open TODOS
Consider resolving the TODOs before deploying.
2.8.
1000000000000000000
should be changed to1e18
for readability reasons2.9. Use
string.concat()
orbytes.concat()
Solidity version 0.8.4 introduces
bytes.concat()
(vsabi.encodePacked(<bytes>,<bytes>)
)Solidity version 0.8.12 introduces
string.concat()
(vsabi.encodePacked(<str>,<str>)
)2.10. The pragmas used are not the same everywhere
2.11. Non-library/interface files should use fixed compiler versions, not floating ones
The text was updated successfully, but these errors were encountered: