DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: low
Invalid

Use of assert() instead of require()

Summary

Some contracts use assert() instead of require(). This causes a Panic error on failure and prevents the use of error strings.

Vulnerability Details

The contracts BridgeReth.sol, MarginCallSecondaryFacet.sol and LibAsset.sol use assert() instead of require() for error handling.

Impact

Between Solidity versions 0.4.10 and 0.8.0, require() used the REVERT (0xfd) opcode, which refunded the remaining gas on failure, while assert() used the INVALID (0xfe) opcode, which consumed all the supplied gas. After Solidity version 0.8.0, assert() uses the REVERT opcode just like require() but creates a Panic(uint256) error instead of the Error(string) created by require(). Also, if the condition is not met, the contract can fail completely. Solidity’s documentation says:

“Assert should only be used to test for internal errors, and to check invariants. Properly functioning code should never create a Panic, not even on invalid external input. If this happens, then there is a bug in your contract which you should fix. Language analysis tools can evaluate your contract to identify the conditions and function calls which will cause a Panic.”

whereas

“The require function either creates an error without any data or an error of type Error(string). It should be used to ensure valid conditions that cannot be detected until execution time. This includes conditions on inputs or return values from calls to external contracts.”

https://docs.soliditylang.org/en/v0.8.1/control-structures.html#error-handling-assert-require-revert-and-exceptions

Also, you can optionally provide a message string for require, but not for assert.
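To make the Panic(uint256) versus Error(string) distinction concrete, the following added example (not part of the submission or of the Ditto code base) classifies the return data of a reverted call the way a monitoring or debugging tool would. The helper names and the sample payloads are constructed for illustration.

```python
ERROR_SELECTOR = bytes.fromhex("08c379a0")  # first 4 bytes of keccak256("Error(string)")
PANIC_SELECTOR = bytes.fromhex("4e487b71")  # first 4 bytes of keccak256("Panic(uint256)")

# Subset of the Panic codes listed in the Solidity documentation
PANIC_CODES = {
    0x01: "assert() evaluated to false",
    0x11: "arithmetic overflow or underflow",
    0x12: "division or modulo by zero",
    0x32: "array index out of bounds",
}

def decode_revert(data: bytes) -> tuple:
    """Return (kind, detail) for the return data of a reverted call."""
    if not data:
        return ("empty", "revert without data, e.g. require(cond) with no message")
    selector, body = data[:4], data[4:]
    if selector == PANIC_SELECTOR and len(body) == 32:
        code = int.from_bytes(body, "big")
        return ("panic", PANIC_CODES.get(code, f"unlisted panic code 0x{code:02x}"))
    if selector == ERROR_SELECTOR and len(body) >= 64:
        offset = int.from_bytes(body[:32], "big")       # where the string starts
        if offset + 32 <= len(body):
            length = int.from_bytes(body[offset:offset + 32], "big")
            raw = body[offset + 32:offset + 32 + length]
            if len(raw) == length:                       # reject truncated strings
                return ("error", raw.decode("utf-8", errors="replace"))
    return ("unknown", "custom error or malformed data: 0x" + data.hex())

def encode_error(msg: str) -> bytes:
    """Constructed sample: what require(cond, msg) returns on failure."""
    raw = msg.encode()
    padded = raw + b"\x00" * (-len(raw) % 32)
    return ERROR_SELECTOR + (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big") + padded

def encode_panic(code: int) -> bytes:
    """Constructed sample: what a failed assert() returns (code 0x01)."""
    return PANIC_SELECTOR + code.to_bytes(32, "big")

if __name__ == "__main__":
    for sample in (encode_panic(0x01), encode_error("amount too large"), b""):
        print(decode_revert(sample))
```

A failed assert() yields only the numeric code 0x01, so the caller learns that an invariant broke but not which one, whereas require() with a message carries the reason in the return data.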

Tools Used

Manual review, VS Code

Recommendations

Use require() with informative error strings instead of assert().

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Gas optimizations
