Magic Numbers and Hardcoded Addresses
Summary
There are several instances of numbers used in the code
Vulnerability Details
Several instances with values that are not explained as to where they arise from and why
If the intention is to save gas by not declaring them as state variables, this can be achieved by declaring them as private state variables with sufficient comments
Beedle.sol line 12 _mint(msg.sender, 1_000_000_000 * 1e18);
Lender.sol line 85 if (_fee > 5000) revert FeeTooHigh();
Lender.sol line 93 if (_fee > 500) revert FeeTooHigh();
Lender.sol line 265 uint256 fees = (debt * borrowerFee) / 10000;
Lender.sol line 561, 650,
Lender.sol line 724 interest = (l.interestRate * l.debt * timeElapsed) / 10000 / 365 days;
Fees.sol line 34 fee: 3000,
Hardcoded address Fees.sol line 17 , ISwapRouter(0xE592427A0AEce92De3Edee1F18E0157C05861564);
Impact
Informational: Having such numbers in code is prone to error and leads to readability issues which affect maintainability, usability, interpretability, auditability of code. It becomes difficult to maintain code without proper understanding why these values where used and where they arise from if they are not declared as variables.
Tools Used
Manual Analysis
Recommendations
Consider declaring all instances of those values as private constants as in example below and use them appropriately as replacement in code e.g :
Lender.sol
uint256 private constant MAX_FEE = 5_000; //Declare constant variable max fee
if (_fee > MAX_FEE) revert FeeTooHigh();
Beedle.sol line 12
uint256 private constant MAX_SUPPLY = 1_000_000_000;
_mint(msg.sender, MAX_SUPPLY * 1e18);
Fix all other instances indicated in the links and any other in code as in above examples
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.