diff --git a/reports/report.json b/reports/report.json
index eb639334..938507ca 100644
--- a/reports/report.json
+++ b/reports/report.json
@@ -1,7 +1,7 @@
 {
 "files_summary": {
- "total_source_units": 111,
- "total_sloc": 3931
+ "total_source_units": 112,
+ "total_sloc": 3954
 },
 "files_details": {
 "files_details": [
@@ -67,7 +67,7 @@
 },
 {
 "file_path": "src/ContractLocksEther.sol",
- "n_sloc": 121
+ "n_sloc": 142
 },
 {
 "file_path": "src/ContractWithTodo.sol",
@@ -209,6 +209,10 @@
 "file_path": "src/OnceModifierExample.sol",
 "n_sloc": 8
 },
+ {
+ "file_path": "src/OnlyLibrary.sol",
+ "n_sloc": 2
+ },
 {
 "file_path": "src/OutOfOrderRetryable.sol",
 "n_sloc": 165
@@ -473,7 +477,7 @@
 {
 "title": "`abi.encodePacked()` should not be used with dynamic types when passing the result to a hash function such as `keccak256()`",
 "description": "Use `abi.encode()` instead which will pad items to 32 bytes, which will [prevent hash collisions](https://docs.soliditylang.org/en/v0.8.13/abi-spec.html#non-standard-packed-mode) (e.g. `abi.encodePacked(0x123,0x456)` => `0x123456` => `abi.encodePacked(0x1,0x23456)`, but `abi.encode(0x123,0x456)` => `0x0...1230...456`). Unless there is a compelling reason, `abi.encode` should be preferred. If there is only one argument to `abi.encodePacked()` it can often be cast to `bytes()` or `bytes32()` [instead](https://ethereum.stackexchange.com/questions/30912/how-to-compare-strings-in-solidity#answer-82739).\nIf all arguments are strings and or bytes, `bytes.concat()` should be used instead.",
- "detector_name": "avoid-abi-encode-packed",
+ "detector_name": "hash-collision-due-to-abi-encode-packed",
 "instances": [
 {
 "contract_path": "src/KeccakContract.sol",
@@ -498,7 +502,7 @@
 {
 "title": "Using `block.timestamp` for swap deadline offers no protection",
 "description": "In the PoS model, proposers know well in advance if they will propose one or consecutive blocks ahead of time. In such a scenario, a malicious validator can hold back the transaction and execute it at a more favourable block number.Consider allowing function caller to specify swap deadline input parameter.",
- "detector_name": "block-timestamp-deadline",
+ "detector_name": "block-timestamp-is-weak-deadline",
 "instances": [
 {
 "contract_path": "src/Trump.sol",
@@ -1783,7 +1787,7 @@
 {
 "title": "Functions send eth away from contract but performs no checks on any address.",
 "description": "Consider introducing checks for `msg.sender` to ensure the recipient of the money is as intended.",
- "detector_name": "send-ether-no-checks",
+ "detector_name": "sends-ether-away-without-checking-address",
 "instances": [
 {
 "contract_path": "src/CallGraphTests.sol",
@@ -1908,9 +1912,9 @@
 ]
 },
 {
- "title": "Delegatecall made by the function without checks on any adress.",
+ "title": "Delegatecall made by the function without checks on any address.",
 "description": "Introduce checks on the address",
- "detector_name": "delegate-call-unchecked-address",
+ "detector_name": "delegate-call-on-unchecked-address",
 "instances": [
 {
 "contract_path": "src/DelegateCallWithoutAddressCheck.sol",
@@ -2706,7 +2710,7 @@
 {
 "title": "`ecrecover` is susceptible to signature malleability",
 "description": "The `ecrecover` function is susceptible to signature malleability. This means that the same message can be signed in multiple ways, allowing an attacker to change the message signature without invalidating it. This can lead to unexpected behavior in smart contracts, such as the loss of funds or the ability to bypass access control. Consider using OpenZeppelin's ECDSA library instead of the built-in function.",
- "detector_name": "ecrecover",
+ "detector_name": "signature-malleability-due-to-raw-ecrecover",
 "instances": [
 {
 "contract_path": "src/inheritance/ExtendedInheritance.sol",
@@ -2993,12 +2997,6 @@
 "src": "32:23",
 "src_char": "32:23"
 },
- {
- "contract_path": "src/StateVariablesManipulation.sol",
- "line_no": 2,
- "src": "32:23",
- "src_char": "32:23"
- },
 {
 "contract_path": "src/TautologyOrContradiction.sol",
 "line_no": 2,
@@ -3082,7 +3080,7 @@
 {
 "title": "Missing checks for `address(0)` when assigning values to address state variables",
 "description": "Check for `address(0)` when assigning values to address state variables.",
- "detector_name": "zero-address-check",
+ "detector_name": "no-zero-address-check",
 "instances": [
 {
 "contract_path": "src/ArbitraryTransferFrom.sol",
@@ -3534,7 +3532,7 @@
 {
 "title": "Define and use `constant` variables instead of using literals",
 "description": "If the same constant literal value is used multiple times, create a constant state variable and reference it throughout the contract.",
- "detector_name": "constants-instead-of-literals",
+ "detector_name": "literal-instead-of-constant",
 "instances": [
 {
 "contract_path": "src/AssertStateChange.sol",
@@ -4160,7 +4158,7 @@
 {
 "title": "Empty `require()` / `revert()` statements",
 "description": "Use descriptive reason strings or custom errors for revert paths.",
- "detector_name": "require-with-string",
+ "detector_name": "require-without-string",
 "instances": [
 {
 "contract_path": "src/CallGraphTests.sol",
@@ -4305,7 +4303,7 @@
 {
 "title": "The `nonReentrant` `modifier` should occur before all other modifiers",
 "description": "This is a best-practice to protect against reentrancy in other modifiers.",
- "detector_name": "non-reentrant-before-others",
+ "detector_name": "non-reentrant-is-not-before-others",
 "instances": [
 {
 "contract_path": "src/AdminContract.sol",
@@ -4441,6 +4439,12 @@
 "src": "32:23",
 "src_char": "32:23"
 },
+ {
+ "contract_path": "src/OnlyLibrary.sol",
+ "line_no": 2,
+ "src": "32:23",
+ "src_char": "32:23"
+ },
 {
 "contract_path": "src/OutOfOrderRetryable.sol",
 "line_no": 2,
@@ -5731,7 +5735,7 @@
 {
 "title": "Boolean equality is not required.",
 "description": "If `x` is a boolean, there is no need to do `if(x == true)` or `if(x == false)`. Just use `if(x)` and `if(!x)` respectively.",
- "detector_name": "boolean-equality",
+ "detector_name": "redundant-boolean-equality",
 "instances": [
 {
 "contract_path": "src/BooleanEquality.sol",
@@ -6031,7 +6035,7 @@
 {
 "title": "Loop condition contains `state_variable.length` that could be cached outside.",
 "description": "Cache the lengths of storage arrays if they are used and not modified in for loops.",
- "detector_name": "cache-array-length",
+ "detector_name": "array-length-not-cached",
 "instances": [
 {
 "contract_path": "src/CacheArrayLength.sol",
@@ -6056,7 +6060,7 @@
 {
 "title": "Incorrect use of `assert()`",
 "description": "Argument to `assert()` modifies the state. Use `require` for invariants modifying state.",
- "detector_name": "assert-state-change",
+ "detector_name": "state-change-in-assert",
 "instances": [
 {
 "contract_path": "src/AssertStateChange.sol",
@@ -7363,18 +7367,18 @@
 "delegate-call-in-loop",
 "centralization-risk",
 "solmate-safe-transfer-lib",
- "avoid-abi-encode-packed",
- "ecrecover",
+ "hash-collision-due-to-abi-encode-packed",
+ "signature-malleability-due-to-raw-ecrecover",
 "deprecated-oz-functions",
 "unsafe-erc20-functions",
 "unspecific-solidity-pragma",
- "zero-address-check",
+ "no-zero-address-check",
 "useless-public-function",
- "constants-instead-of-literals",
+ "literal-instead-of-constant",
 "unindexed-events",
- "require-with-string",
- "non-reentrant-before-others",
- "block-timestamp-deadline",
+ "require-without-string",
+ "non-reentrant-is-not-before-others",
+ "block-timestamp-is-weak-deadline",
 "unsafe-oz-erc721-mint",
 "push-zero-opcode",
 "arbitrary-transfer-from",
@@ -7404,8 +7408,8 @@
 "state-variable-shadowing",
 "unchecked-send",
 "misused-boolean",
- "send-ether-no-checks",
- "delegate-call-unchecked-address",
+ "sends-ether-away-without-checking-address",
+ "delegate-call-on-unchecked-address",
 "tautological-compare",
 "rtlo",
 "unchecked-return",
@@ -7420,7 +7424,7 @@
 "delete-nested-mapping",
 "unused-state-variable",
 "constant-functions-assembly",
- "boolean-equality",
+ "redundant-boolean-equality",
 "tx-origin-used-for-auth",
 "msg-value-in-loop",
 "contract-locks-ether",
@@ -7432,8 +7436,8 @@
 "out-of-order-retryable",
 "function-initializing-state",
 "dead-code",
- "cache-array-length",
- "assert-state-change",
+ "array-length-not-cached",
+ "state-change-in-assert",
 "costly-operations-inside-loops",
 "constant-function-changing-state",
 "builtin-symbol-shadow",
diff --git a/reports/report.md b/reports/report.md
index 8d6bab37..c30290fb 100644
--- a/reports/report.md
+++ b/reports/report.md
@@ -30,7 +30,7 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati
 - [H-20: Unchecked `bool success` value for send call.](#h-20-unchecked-bool-success-value-for-send-call)
 - [H-21: Misused boolean with logical operators](#h-21-misused-boolean-with-logical-operators)
 - [H-22: Functions send eth away from contract but performs no checks on any address.](#h-22-functions-send-eth-away-from-contract-but-performs-no-checks-on-any-address)
- - [H-23: Delegatecall made by the function without checks on any adress.](#h-23-delegatecall-made-by-the-function-without-checks-on-any-adress)
+ - [H-23: Delegatecall made by the function without checks on any address.](#h-23-delegatecall-made-by-the-function-without-checks-on-any-address)
 - [H-24: Tautological comparison.](#h-24-tautological-comparison)
 - [H-25: RTLO character detected in file. \u{202e}](#h-25-rtlo-character-detected-in-file-u202e)
 - [H-26: Return value of the function call is not checked.](#h-26-return-value-of-the-function-call-is-not-checked)
@@ -104,8 +104,8 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati
 | Key | Value |
 | --- | --- |
-| .sol Files | 111 |
-| Total nSLOC | 3931 |
+| .sol Files | 112 |
+| Total nSLOC | 3954 |
 ## Files Details
@@ -127,7 +127,7 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati
 | src/ConstFuncChangeState.sol | 15 |
 | src/ConstantFuncsAssembly.sol | 26 |
 | src/ConstantsLiterals.sol | 28 |
-| src/ContractLocksEther.sol | 121 |
+| src/ContractLocksEther.sol | 142 |
 | src/ContractWithTodo.sol | 7 |
 | src/CostlyOperationsInsideLoops.sol | 17 |
 | src/Counter.sol | 20 |
@@ -163,6 +163,7 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati
 | src/MultipleConstructorSchemes.sol | 10 |
 | src/MultiplePlaceholders.sol | 14 |
 | src/OnceModifierExample.sol | 8 |
+| src/OnlyLibrary.sol | 2 |
 | src/OutOfOrderRetryable.sol | 165 |
 | src/PreDeclaredVarUsage.sol | 9 |
 | src/PublicVariableReadInExternalContext.sol | 32 |
@@ -223,7 +224,7 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati
 | src/reused_contract_name/ContractB.sol | 7 |
 | src/uniswap/UniswapV2Swapper.sol | 50 |
 | src/uniswap/UniswapV3Swapper.sol | 150 |
-| **Total** | **3931** |
+| **Total** | **3954** |
 ## Issue Summary
@@ -1776,7 +1777,7 @@ Consider introducing checks for `msg.sender` to ensure the recipient of the mone
-## H-23: Delegatecall made by the function without checks on any adress.
+## H-23: Delegatecall made by the function without checks on any address.
 Introduce checks on the address
@@ -2832,7 +2833,7 @@ ERC20 functions may not behave as expected. For example: return values are not a
 Consider using a specific version of Solidity in your contracts instead of a wide version. For example, instead of `pragma solidity ^0.8.0;`, use `pragma solidity 0.8.0;`
-
36 Found Instances
+
35 Found Instances
 - Found in src/BuiltinSymbolShadow.sol [Line: 2](../tests/contract-playground/src/BuiltinSymbolShadow.sol#L2)
@@ -2967,12 +2968,6 @@ Consider using a specific version of Solidity in your contracts instead of a wid
 pragma solidity ^0.4.0;
 ```
-- Found in src/StateVariablesManipulation.sol [Line: 2](../tests/contract-playground/src/StateVariablesManipulation.sol#L2)
-
- ```solidity
- pragma solidity ^0.8.0;
- ```
-
 - Found in src/TautologyOrContradiction.sol [Line: 2](../tests/contract-playground/src/TautologyOrContradiction.sol#L2)
 ```solidity
@@ -4318,7 +4313,7 @@ Using `ERC721::_mint()` can mint ERC721 tokens to addresses which don't support
 Solc compiler version 0.8.20 switches the default target EVM version to Shanghai, which means that the generated bytecode will include PUSH0 opcodes. Be sure to select the appropriate EVM version in case you intend to deploy on a chain other than mainnet like L2 chains that may not support PUSH0, otherwise deployment of your contracts will fail.
-
42 Found Instances
+
43 Found Instances
 - Found in src/AdminContract.sol [Line: 2](../tests/contract-playground/src/AdminContract.sol#L2)
@@ -4423,6 +4418,12 @@ Solc compiler version 0.8.20 switches the default target EVM version to Shanghai
 pragma solidity ^0.8.0;
 ```
+- Found in src/OnlyLibrary.sol [Line: 2](../tests/contract-playground/src/OnlyLibrary.sol#L2)
+
+ ```solidity
+ pragma solidity ^0.8.0;
+ ```
+
 - Found in src/OutOfOrderRetryable.sol [Line: 2](../tests/contract-playground/src/OutOfOrderRetryable.sol#L2)
 ```solidity