CodeHawks Escrow Contract - Competition Details

Cyfrin

Foundry

40,000 USDC

View results

Previous Next

Submission Details

Severity: gas

Valid

Law risk and Non-critical issue

Dharma

[N‑01] Non-`external`/`public` variable and function names should begin with an underscore

According to the Solidity Style Guide, Non-external/public variable and function names should begin with an underscore

File: /src/Escrow.sol

17: uint256 private immutable i_price;

/// @dev There is a risk that if a malicious token is used, the dispute process could be manipulated.

/// Therefore, careful consideration should be taken when chosing the token.

20: IERC20 private immutable i_tokenContract;

21: address private immutable i_buyer;

22: address private immutable i_seller;

23: address private immutable i_arbiter;

24: uint256 private immutable i_arbiterFee;

26: State private s_state;

[N-02] Long functions should be refactored into multiple, smaller, functions

File: src/EscrowFactory.sol

56: function computeEscrowAddress(

57: bytes memory byteCode,

58: address deployer,

59: uint256 salt,

60: uint256 price,

61: IERC20 tokenContract,

62: address buyer,

63: address seller,

64: address arbiter,

65: uint256 arbiterFee

66: ) public pure returns (address) {

[N-03] Cast is more restrictive than the type of the variable being assigned

If address foo is being used in an expression such as IERC20 token = FooToken(foo), then the more specific cast to FooToken is a waste because the only thing the compiler will check for is that FooToken extends IERC20 - it won't check any of the function signatures. Therefore, it makes more sense to do IERC20 token = IERC20(token) or better yet FooToken token = FooToken(foo). The former may allow the file in which it's used to remove the import for FooToken

File: /src/EscrowFactory.sol

31: uint256(salt),

[N‑04] NatSpec `@param` is missing

File: /src/Escrow.sol

// Missing: @param buyerAward

109: function resolveDispute(uint256 buyerAward) external onlyArbiter nonReentrant inState(State.Disputed) {

File:/src/EscrowFactory.sol

// Missing: @param seller,arbiter.arbiterFee,salt

20: function newEscrow(

21: uint256 price,

22: IERC20 tokenContract,

23: address seller,

24: address arbiter,

25: uint256 arbiterFee,

26: bytes32 salt

// Missing: @param deployer,salt,price,buyer,arbiter,arbiterFee,seller

56: function computeEscrowAddress(

57: bytes memory byteCode,

58: address deployer,

59: uint256 salt,

60: uint256 price,

61: IERC20 tokenContract,

62: address buyer,

63: address seller,

64: address arbiter,

65: uint256 arbiterFee

Prize pool breakdown

Total prize

40,000 USDC

nSLOC

186

215 USDC / LOC

High Medium

37,000 USDC

Low

3,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.