forked from Hats-Protocol/gitcoin-passport-eligibility
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
8 changed files
with
94 additions
and
41 deletions.
There are no files selected for viewing
67 changes: 67 additions & 0 deletions
67
audit-files/commit-ba4b2663761d1809a0e16b5b716ce376aabc531c/findings.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
### [I-1] GitcoinPassportEligibility::GITCOIN_PASSPORT_DECODER function does not follow the mixedCase naming convention, resulting in potential confusion from code reviewers | ||
|
||
**Description:** All caps naming convention is reserved for constant variables. Although `GitcoinPassportEligibility::GITCOIN_PASSPORT_DECODER` returns an immutable constant value, it is still a function. Thus it should follow the mixedCase naming convention. | ||
|
||
**Impact:** Reduces the understanding and potential interactibility of the protocol, and muddies up automated tool's results.. | ||
|
||
**Proof of Concept:** Patrick Collins, a leader security smart contract auditor and educator follows the mixedCase naming convention. Alongside automated tools like Slither and Aderyn to report instances of functions not being correctly in mixedCase. Newcomers and the majority of developers, auditors, and researchers will follow these conventions. Alongside muddying up the information that is returned from the automated tools. | ||
|
||
**Recommended Mitigation:** Rename `GitcoinPassportEligibility::GITCOIN_PASSPORT_DECODER` to `GitcoinPassportEligibility::gitcoinPassportDecoder` to satisfy the requirement of functions being in mixedCase. | ||
|
||
### [I-2] GitcoinPassportEligibility::SCORE_CRITERION function does not follow the mixedCase naming convention, resulting in potential confusion from code reviewers | ||
|
||
**Description:** All caps naming convention is reserved for constant variables. Although `GitcoinPassportEligibility::SCORE_CRITERION` returns an immutable constant value, it is still a function. Thus it should follow the mixedCase naming convention. | ||
|
||
**Impact:** Reduces the understanding and potential interactibility of the protocol, and muddies up automated tool's results.. | ||
|
||
**Proof of Concept:** Patrick Collins, a leader security smart contract auditor and educator follows the mixedCase naming convention. Alongside automated tools like Slither and Aderyn to report instances of functions not being correctly in mixedCase. Newcomers and the majority of developers, auditors, and researchers will follow these conventions. Alongside muddying up the information that is returned from the automated tools. | ||
|
||
**Recommended Mitigation:** Rename `GitcoinPassportEligibility::SCORE_CRITERION` to `GitcoinPassportEligibility::scoreCriterion` to satisfy the requirement of functions being in mixedCase. | ||
|
||
### [I-3] GitcoinPassportEligibility::getWearerStatus' first parameter, \_wearer, does not follow the mixedCase naming convention, resulting in potential confusion from code reviewers | ||
|
||
**Description:** The underscore naming convention is an outdated practice for function parameters. | ||
|
||
**Impact:** Reduces the understanding and potential interactibility of the protocol, and muddies up automated tool's results. | ||
|
||
**Proof of Concept:** Patrick Collins, a leader security smart contract auditor and educator follows the mixedCase naming convention. Alongside automated tools like Slither and Aderyn to report instances of functions not being correctly in mixedCase. Newcomers and the majority of developers, auditors, and researchers will follow these conventions. Alongside muddying up the information that is returned from the automated tools. | ||
|
||
**Recommended Mitigation:** Rename `GitcoinPassportEligibility::getWearerStatus`' first parameter, `_wearer`, to `wearer` to satisfy the requirement of functions being in mixedCase. | ||
|
||
### [I-4] GitcoinPassportEligibility::isHuman' first parameter, \_wearer, does not follow the mixedCase naming convention, resulting in potential confusion from code reviewers | ||
|
||
**Description:** The underscore naming convention is an outdated practice for function parameters. | ||
|
||
**Impact:** Reduces the understanding and potential interactibility of the protocol, and muddies up automated tool's results. | ||
|
||
**Proof of Concept:** Patrick Collins, a leader security smart contract auditor and educator follows the mixedCase naming convention. Alongside automated tools like Slither and Aderyn to report instances of functions not being correctly in mixedCase. Newcomers and the majority of developers, auditors, and researchers will follow these conventions. Alongside muddying up the information that is returned from the automated tools. | ||
|
||
**Recommended Mitigation:** Rename `GitcoinPassportEligibility::isHuman`' first parameter, `_wearer`, to `wearer` to satisfy the requirement of functions being in mixedCase. | ||
|
||
### [G-1] `GitcoinPassportEligibility::getWearerStatus` does not have the most efficient visibility type. | ||
|
||
**Description:** `GitcoinPassportEligibility::getWearerStatus` is not called within `GitcoinPassportEligibility`, however its visibility is `public`. | ||
|
||
**Impact:** Increases the gas cost of calling the function. | ||
|
||
**Proof of Concept:** We can see that through fuzz testing public and external functions with the same parameters and operations, the external function resulted in costing less gas to call. | ||
|
||
`test_externalFunction(uint256[20]) (runs: 257, μ: 255839, ~: 255839)` | ||
|
||
`test_publicFunction(uint256[20]) (runs: 257, μ: 257286, ~: 257286)` | ||
|
||
**Recommended Mitigation:** Change `GitcoinPassportEligibility::getWearerStatus`'s visibility from `public` to `external`. | ||
|
||
### [G-2] `GitcoinPassportEligibility::isHuman`'s local function calls are not optimized for gas. | ||
|
||
**Description:** `GitcoinPassportEligibility::isHuman` contains several view function calls of the same function. | ||
|
||
**Impact:** Increases the gas cost of calling the function. | ||
|
||
**Proof of Concept:** Optimizing the function reduces the gas costs. | ||
|
||
`test_isHuman() (gas: 282444)` | ||
|
||
`test_isHumanOptimized() (gas: 282363)` | ||
|
||
**Recommended Mitigation:** Store the `GITCOIN_PASSPORT_DECODER` and `SCORE_CRITERION` return values in local variables within the function. |
9 changes: 0 additions & 9 deletions
9
audit-files/commit-ba4b2663761d1809a0e16b5b716ce376aabc531c/findings/finding-1.md
This file was deleted.
Oops, something went wrong.
9 changes: 0 additions & 9 deletions
9
audit-files/commit-ba4b2663761d1809a0e16b5b716ce376aabc531c/findings/finding-2.md
This file was deleted.
Oops, something went wrong.
9 changes: 0 additions & 9 deletions
9
audit-files/commit-ba4b2663761d1809a0e16b5b716ce376aabc531c/findings/finding-3.md
This file was deleted.
Oops, something went wrong.
13 changes: 0 additions & 13 deletions
13
audit-files/commit-ba4b2663761d1809a0e16b5b716ce376aabc531c/findings/finding-4.md
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file modified
BIN
+2.71 KB
(100%)
audit-files/commit-ba4b2663761d1809a0e16b5b716ce376aabc531c/report.pdf
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters