Some contracts use assert()
instead of require()
. This causes a Panic error on failure and prevents the use of error strings.
In contracts BridgeReth.sol
, MarginCallSecondaryFacet.sol
and LibAsset.sol
is used assert()
instead of require()
for error handling.
Between solidity version 0.4.10 and 0.8.0, require()
used REVERT
(0xfd) opcode which refunded remaining gas on failure while assert()
used INVALID
(0xfe) opcode which consumed all the supplied gas. After Solidity version 0.8.0, assert()
uses revert opcode just like require()
but creates a Panic(uint256)
error instead of Error(string)
created by require()
. Also, if the condition is not met, the contract can fail completely.Solidity’s documentation says:
"Assert should only be used to test for internal errors, and to check invariants. Properly functioning code should never create a Panic, not even on invalid external input. If this happens, then there is a bug in your contract which you should fix. Language analysis tools can evaluate your contract to identify the conditions and function calls which will cause a Panic.”
whereas
“The require function either creates an error without any data or an error of type Error(string). It should be used to ensure valid conditions that cannot be detected until execution time. This includes conditions on inputs or return values from calls to external contracts.”
https://docs.soliditylang.org/en/v0.8.1/control-structures.html#error-handling-assert-require-revert-and-exceptions
Also, you can optionally provide a message string for require, but not for assert.
Manual review, VS Code
Use require()
with informative error strings instead of assert()
.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.