Hawk High

First Flight #39
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

[I-2] Missing NatSpec Documentation on Public Interfaces

Summary

The LevelOne contract omits NatSpec comments on nearly all public and external functions—including critical entry points like enroll, giveReview, and graduateAndUpgrade.

Vulnerability Details

Solidity NatSpec comments—using tags such as @notice, @dev, @param, and @return—are parsed by the compiler and emitted as user and developer documentation (userdoc/devdoc) alongside the ABI, which wallets, block explorers, and documentation sites can surface to end users and integrators. NatSpec also underpins tools like solidity-docgen that generate static documentation from code comments.

A few instances:

function addTeacher(address _teacher) public onlyPrincipal notYetInSession {...} // src/LevelOne#L216
...
function enroll() external notYetInSession {...} // src/LevelOne#L153
...
function graduateAndUpgrade(address _levelTwo, bytes memory) public onlyPrincipal {...} // src/LevelOne#L315

Impact

Without NatSpec, developers and users lack in-source guidance about function behavior, parameter expectations, event semantics, and error conditions, making the code harder to review, maintain, and integrate.

Tools Used

  • Manual Review

Recommendations

For each function, include @notice to describe the user-facing behavior, @param tags for each argument, and @return tags for return values. Use @dev to clarify implementation details or side effects, and document events and public state variables similarly.
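Applying the recommendation to the addTeacher entry point listed above. This is an added example, not code from the LevelOne contract: the state variables, modifier and function bodies, the custom errors and the TeacherAdded event are assumptions standing in for the real implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @title Excerpt of LevelOne showing the recommended NatSpec coverage
/// @notice Added example: the state variables, modifiers, errors, bodies and
///         the TeacherAdded event are assumptions, not the audited code.
contract LevelOneDocumented {
    /// @notice Address allowed to manage teachers and trigger graduation.
    address public principal;
    /// @notice Whether the current school session has started.
    bool public inSession;
    /// @notice Tracks which addresses are registered teachers.
    mapping(address => bool) public isTeacher;

    /// @notice Emitted when the principal registers a new teacher.
    /// @param teacher The address that was granted the teacher role.
    event TeacherAdded(address indexed teacher);

    /// @notice Thrown when a caller other than the principal uses a restricted function.
    error NotPrincipal();
    /// @notice Thrown when a pre-session action is attempted after the session has started.
    error SessionAlreadyStarted();

    /// @dev Restricts a function to the principal.
    modifier onlyPrincipal() {
        if (msg.sender != principal) revert NotPrincipal();
        _;
    }

    /// @dev Restricts a function to the pre-session phase.
    modifier notYetInSession() {
        if (inSession) revert SessionAlreadyStarted();
        _;
    }

    constructor() {
        principal = msg.sender; // assumption: deployer is the principal
    }

    /// @notice Registers `_teacher` so they can review students once the session starts.
    /// @dev Only callable by the principal and only before the session begins;
    ///      emits {TeacherAdded}. Re-adding an existing teacher is a no-op (assumption).
    /// @param _teacher The address to grant the teacher role to.
    function addTeacher(address _teacher) public onlyPrincipal notYetInSession {
        if (isTeacher[_teacher]) return;
        isTeacher[_teacher] = true;
        emit TeacherAdded(_teacher);
    }
}
```

Compiling with `solc --userdoc --devdoc` emits the @notice text and the @dev/@param details as JSON, which is the content explorers and wallets display and that solidity-docgen renders.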

Updates

Lead Judging Commences

yeahchibyke Lead Judge 19 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
