Submission Details
Impact:
Likelihood:
LOW-03: Code Quality and Naming Issues
Root + Impact
Several code quality issues reduce readability and maintainability without directly causing vulnerabilities.
Description
Issue 1: PARTICIPATIONFEEBSPMAX Naming
// @> Not human-readable, missing underscores
uint256 constant PARTICIPATIONFEEBSPMAX = 300;
Recommendation: Use PARTICIPATION_FEE_BPS_MAX for clarity
Issue 2: Typo in Error Name
error limiteExceede(); // Should be "limitExceeded"
Issue 3: TODO Comment in Production Code
_getWinnerShares(); //TODO : check again !
Recommendation: Remove TODO comments before production deployment
Issue 4: Inconsistent Error Handling
Mix of require() with string and custom errors:
// Custom errors (good)
error eventStarted();
error invalidCountry();
// String require (inconsistent)
require(countryIndex < teams.length, "Invalid country index");
require(receiver != address(0));
Issue 5: Missing Zero-Check in cancelParticipation
function cancelParticipation() public {
if (block.timestamp >= eventStartDate) {
revert eventStarted();
}
// @> No check if refundAmount is 0
uint256 refundAmount = stakedAsset[msg.sender];
stakedAsset[msg.sender] = 0;
uint256 shares = balanceOf(msg.sender);
_burn(msg.sender, shares);
IERC20(asset()).safeTransfer(msg.sender, refundAmount);
// Wastes gas if refundAmount is 0
}
Issue 6: Missing Events
No events for:
-
cancelParticipation()- users can't track cancellations -
_setFinallizedVaultBalance()- important state change not logged
Issue 7: external vs public Confusion
// Should be external (only called externally)
function setCountry(string[48] memory countries) public onlyOwner {
Risk
Likelihood: Always present
Impact:
-
Reduced code readability
-
Harder to maintain and audit
-
Minor gas inefficiencies
-
Poor user experience (missing events)
Recommended Mitigation
// Fix 1: Better naming
-uint256 constant PARTICIPATIONFEEBSPMAX = 300;
+uint256 constant PARTICIPATION_FEE_BPS_MAX = 300;
// Fix 2: Fix typo
-error limiteExceede();
+error LimitExceeded();
- if (_participationFeeBsp > PARTICIPATIONFEEBSPMAX) {
- revert limiteExceede();
+ if (_participationFeeBsp > PARTICIPATION_FEE_BPS_MAX) {
+ revert LimitExceeded();
}
// Fix 3: Remove TODO
-_getWinnerShares(); //TODO : check again !
+_getWinnerShares();
// Fix 4: Consistent error handling
-require(countryIndex < teams.length, "Invalid country index");
+if (countryIndex >= teams.length) {
+ revert invalidCountry();
+}
-require(receiver != address(0));
+if (receiver == address(0)) {
+ revert InvalidReceiver();
+}
// Fix 5: Add zero check
function cancelParticipation() public {
if (block.timestamp >= eventStartDate) {
revert eventStarted();
}
uint256 refundAmount = stakedAsset[msg.sender];
+
+ if (refundAmount == 0) {
+ revert noDeposit();
+ }
stakedAsset[msg.sender] = 0;
uint256 shares = balanceOf(msg.sender);
_burn(msg.sender, shares);
IERC20(asset()).safeTransfer(msg.sender, refundAmount);
+
+ emit ParticipationCancelled(msg.sender, refundAmount);
}
// Fix 6: Add events
+event ParticipationCancelled(address indexed user, uint256 amount);
+event VaultBalanceFinalized(uint256 amount);
function _setFinallizedVaultBalance() internal returns (uint256) {
if (block.timestamp <= eventStartDate) {
revert eventNotStarted();
}
- return finalizedVaultAsset = IERC20(asset()).balanceOf(address(this));
+ finalizedVaultAsset = IERC20(asset()).balanceOf(address(this));
+ emit VaultBalanceFinalized(finalizedVaultAsset);
+ return finalizedVaultAsset;
}
// Fix 7: Use external
-function setCountry(string[48] memory countries) public onlyOwner {
+function setCountry(string[48] calldata countries) external onlyOwner {
Rewards breakdown
nSLOC
193This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.