OrderBook

First Flight #43

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

Missing NatSpec Documentation + Poor Maintainability

blee

Description

Smart contracts should have comprehensive documentation for better understanding and maintainability.
The contract lacks NatSpec documentation for most functions, parameters, and return values, making it difficult for developers to understand and maintain.

@> function createSellOrder(

address _tokenToSell,

uint256 _amountToSell,

uint256 _priceInUSDC,

uint256 _deadlineDuration

@> ) public returns (uint256) {

// No @dev, @param, @return documentation

}

@> function amendSellOrder(

uint256 _orderId,

uint256 _newAmountToSell,

uint256 _newPriceInUSDC,

uint256 _newDeadlineDuration

@> ) public {

// No documentation explaining the amendment logic

}

Risk

Likelihood:

Every time a developer tries to understand the contract
When integrating with external systems or dApps
During code reviews and security audits

Impact:

Increased development time and potential for misunderstanding
Higher chance of integration errors by external developers
Reduced code quality and maintainability

Proof of Concept

Documentation Gap Analysis: This demonstrates the lack of essential information for developers.

// Current state: No documentation

function buyOrder(uint256 _orderId) public {

// What developers need to know but isn't documented:

// - What happens if order is expired?

// - What are the fee calculations?

// - What tokens get transferred and to whom?

// - What events are emitted?

// - What are the revert conditions?

Missing documentation impacts:

Integration difficulty: dApp developers can't understand function behavior without reading source code
Parameter confusion: No guidance on expected input formats or ranges
Error handling: No documentation of revert conditions or error types
Business logic: Fee calculations and token transfer flows are unclear
Security implications: Developers may not understand access control or state changes

Recommended Mitigation

Solution: Add comprehensive NatSpec documentation to all public functions.

+ /**

+ * @dev Creates a new sell order for the specified token

+ * @param _tokenToSell Address of the ERC20 token to sell (must be in allowlist)

+ * @param _amountToSell Amount of tokens to sell (in token's native decimals)

+ * @param _priceInUSDC Total price in USDC (6 decimals) for the entire amount

+ * @param _deadlineDuration Duration in seconds from now when order expires (max 3 days)

+ * @return orderId The unique identifier for the created order

+ * @notice Seller must approve this contract to spend _amountToSell tokens before calling

+ * @notice Order can be amended or cancelled before expiration or purchase

+ */

function createSellOrder(

address _tokenToSell,

uint256 _amountToSell,

uint256 _priceInUSDC,

uint256 _deadlineDuration

) public returns (uint256) {

+ /**

+ * @dev Purchases an active order, transferring tokens and paying seller/protocol

+ * @param _orderId The unique identifier of the order to purchase

+ * @notice Buyer pays 3% protocol fee + seller amount in USDC

+ * @notice Order must be active and not expired

+ * @notice Buyer receives the full amount of tokens specified in order

+ */

function buyOrder(uint256 _orderId) public {

Why this works:

Clear expectations: Developers understand exactly what functions do and require
Parameter guidance: Detailed parameter descriptions prevent integration errors
Business logic documentation: Fee calculations and token flows are explicitly stated
Usage instructions: @notice tags provide practical guidance for implementation
Tool integration: NatSpec generates automatic documentation for development tools

Complete documentation should include:

All function parameters and return values
Business logic explanations (fees, transfers, state changes)
Revert conditions and error handling
Access control requirements
Event emission details
Usage examples where helpful

Updates

Lead Judging Commences

yeahchibyke Lead Judge 8 days ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

217

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.