Submission Details
Impact:
Likelihood:
Informational / Suggestions
General Recommendations & Next Steps
| # | Action | Details |
|---|---|---|
| 1 | Prioritize fixes | F‑001 (block withdrawals) → F‑002 (atomic deposit/join) → F‑003/F‑004 (accounting/invariants) → F‑005 (gas/participants) |
| 2 | Tests | Add thorough unit and integration tests covering timing edge cases, reentrancy scenarios, and expected failure modes. |
| 3 | Messages & Events | Add clear, explicit revert messages and events for major state transitions (joined, cancelled, winnerSet, fundsWithdrawn). |
| 4 | Emergency recovery | Consider a short, time‑limited emergency recovery mechanism (with governance constraints) only if unavoidable, and document trust assumptions. |
| 5 | Follow-up audit | Perform a follow-up audit after the fixes and before any production deployment. |
| Issue | Description | Example | Recommendation |
|---|---|---|---|
| 6. Floating Pragma | The contract uses a floating pragma ^0.8.24. This allows it to be compiled with newer versions, which could introduce unexpected breaking changes or compiler-specific bugs. | pragma solidity ^0.8.24; is less predictable than a locked pragma. |
Lock the pragma to the specific version: pragma solidity 0.8.24; |
| 7. Unused Variables | The state variable totalAssetsShares is declared but never written to or read from, wasting deployment gas. The variable totalParticipantShares is updated but never used and is incorrectly calculated (see Finding 3). | uint256 public totalAssetsShares; is unused. |
Remove the unused state variables to reduce contract deployment cost and complexity. |
| 8. Inefficient Division | The _convertToShares function uses Math.mulDiv. While correct, standard ERC4626 implementations often use Math.mulDiv(..., Math.Rounding.Down) or similar methods to ensure that the ratio calculation doesn't lead to issues with the standard preview functions. The current implementation is safe but should be consistent with the ERC4626 standard for precision. | If Math's default rounding is down, it should be explicitly stated for clarity and consistency with ERC4626. | For clarity, use OpenZeppelin's Math.mulDivDown if available, or comment on the rounding behavior. |
| 9. Redundant keccak256 | In the withdraw function, the comparison of strings using keccak256 is unnecessarily complex when the simpler equality check userToCountry[msg.sender] == winner would suffice, assuming no state corruption. | keccak256(abi.encodePacked(userToCountry[msg.sender])) != keccak256(abi.encodePacked(winner)) |
Use simple string comparison if possible, or store the winner's index (winnerCountryId) in a user mapping for efficient comparison of indices (userCountryId[msg.sender] == winnerCountryId;). |
Rewards breakdown
nSLOC
193This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.