c4udit Report

Files analyzed

../2022-10-3xcalibur/contracts/Core/SwapFactory.sol
../2022-10-3xcalibur/contracts/Core/SwapPair.sol
../2022-10-3xcalibur/contracts/periphery/Bribe.sol
../2022-10-3xcalibur/contracts/periphery/Gauge.sol
../2022-10-3xcalibur/contracts/periphery/Minter.sol
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol
../2022-10-3xcalibur/contracts/periphery/Voter.sol
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol

Issues found

Don't Initialize Variables with Default Value

Impact

Issue Information: G001

Findings:

../2022-10-3xcalibur/contracts/Core/SwapPair.sol::268 => for (uint i = 0; i < _prices.length; i++) {
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::284 => uint nextIndex = 0;
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::285 => uint index = 0;
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::400 => for (uint i = 0; i < 255; i++) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::108 => uint lower = 0;
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::140 => uint lower = 0;
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::172 => uint lower = 0;
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::235 => for (uint i = 0; i < tokens.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::251 => for (uint i = 0; i < tokens.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::370 => uint reward = 0;
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::162 => uint lower = 0;
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::194 => uint lower = 0;
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::226 => uint lower = 0;
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::299 => for (uint i = 0; i < tokens.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::434 => uint reward = 0;
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::494 => uint tokenId = 0;
../2022-10-3xcalibur/contracts/periphery/Minter.sol::74 => // for (uint i = 0; i < claimants.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::45 => for (uint i = 0; i < length; ++i) {
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::58 => for (uint i = 0; i < length; ++i) {
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::73 => uint weightSum = 0;
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::75 => for (uint i = 0; i < length; ++i) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::99 => // for (uint i = 0; i < _tokens.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::150 => for (uint i = 0; i < _gaugeVoteCnt; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::179 => for (uint i = 0; i < _gaugeCnt; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::194 => for (uint i = 0; i < _gaugeCnt; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::198 => for (uint i = 0; i < _gaugeCnt; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::309 => for (uint i = 0; i < _gauges.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::352 => for (uint i = 0; i < _gauges.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::363 => for (uint i = 0; i < _bribes.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::374 => for (uint i = 0; i < _fees.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::382 => for (uint i = 0; i < _gauges.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::415 => for (uint x = 0; x < _gauges.length; x++) {
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::525 => for (uint i = 0; i < 255; ++i) {
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::817 => for (uint i = 0; i < 128; ++i) {
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::887 => for (uint i = 0; i < 128; ++i) {
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::939 => for (uint i = 0; i < 255; ++i) {
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::983 => uint dt = 0;

Tools used

c4udit

Cache Array Length Outside of Loop

Impact

Issue Information: G002

Findings:

../2022-10-3xcalibur/contracts/Core/SwapFactory.sol::44 => return allPairs.length;
../2022-10-3xcalibur/contracts/Core/SwapFactory.sol::92 => emit PairCreated(token0, token1, stable, pair, allPairs.length);
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::121 => return observations.length;
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::125 => return observations[observations.length-1];
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::255 => _observation = observations[observations.length-2];
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::268 => for (uint i = 0; i < _prices.length; i++) {
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::282 => uint length = observations.length-1;
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::283 => uint i = length - (points * window);
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::287 => for (; i < length; i+=window) {
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::358 => if (data.length > 0) ISwapCallee(to).hook(msg.sender, amount0Out, amount1Out, data); // callback, used for flash loans
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::538 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::541 => require(success && (data.length == 0 || abi.decode(data, (bool))));
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::224 => return rewards.length;
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::235 => for (uint i = 0; i < tokens.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::251 => for (uint i = 0; i < tokens.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::313 => uint length = rewards.length;
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::314 => for (uint i; i < length; i++) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::427 => require(rewards.length < MAX_REWARD_TOKENS, "too many rewards tokens");
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::454 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::457 => require(success && (data.length == 0 || abi.decode(data, (bool))));
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::461 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::464 => require(success && (data.length == 0 || abi.decode(data, (bool))));
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::278 => return rewards.length;
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::299 => for (uint i = 0; i < tokens.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::377 => uint length = rewards.length;
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::378 => for (uint i; i < length; i++) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::540 => require(rewards.length < MAX_REWARD_TOKENS, "too many rewards tokens");
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::567 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::570 => require(success && (data.length == 0 || abi.decode(data, (bool))));
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::574 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::577 => require(success && (data.length == 0 || abi.decode(data, (bool))));
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::581 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::584 => require(success && (data.length == 0 || abi.decode(data, (bool))));
../2022-10-3xcalibur/contracts/periphery/Minter.sol::74 => // for (uint i = 0; i < claimants.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::35 => uint length = _swapData.length;
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::37 => require(length > 1 && length <= 5 && _weights.length == length, "length");
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::40 => uint[] memory amountsOut = new uint[](length);
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::45 => for (uint i = 0; i < length; ++i) {
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::50 => amountsOut[i] = out[out.length - 1];
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::58 => for (uint i = 0; i < length; ++i) {
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::62 => amountsOut[i] = out[out.length - 1];
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::74 => uint length = _weights.length;
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::75 => for (uint i = 0; i < length; ++i) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::99 => // for (uint i = 0; i < _tokens.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::148 => uint _gaugeVoteCnt = _gaugeVote.length;
../2022-10-3xcalibur/contracts/periphery/Voter.sol::176 => uint _gaugeCnt = _gaugeVote.length;
../2022-10-3xcalibur/contracts/periphery/Voter.sol::188 => uint _gaugeCnt = _gaugeVote.length;
../2022-10-3xcalibur/contracts/periphery/Voter.sol::230 => require(_gaugeVote.length == _weights.length);
../2022-10-3xcalibur/contracts/periphery/Voter.sol::293 => function length() external view returns (uint) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::294 => return allGauges.length;
../2022-10-3xcalibur/contracts/periphery/Voter.sol::309 => for (uint i = 0; i < _gauges.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::321 => updateForRange(0, allGauges.length);
../2022-10-3xcalibur/contracts/periphery/Voter.sol::352 => for (uint i = 0; i < _gauges.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::363 => for (uint i = 0; i < _bribes.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::374 => for (uint i = 0; i < _fees.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::382 => for (uint i = 0; i < _gauges.length; i++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::401 => distribute(0, allGauges.length);
../2022-10-3xcalibur/contracts/periphery/Voter.sol::405 => distribute(0, allGauges.length);
../2022-10-3xcalibur/contracts/periphery/Voter.sol::415 => for (uint x = 0; x < _gauges.length; x++) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::434 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/Voter.sol::437 => require(success && (data.length == 0 || abi.decode(data, (bool))));

Tools used

c4udit

Use != 0 instead of > 0 for Unsigned Integer Comparison

Impact

Issue Information: G003

Findings:

../2022-10-3xcalibur/contracts/Core/SwapPair.sol::143 => if (claimed0 > 0 || claimed1 > 0) {
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::161 => if (_ratio > 0) {
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::175 => if (_ratio > 0) {
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::185 => if (_supplied > 0) {
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::194 => if (_delta0 > 0) {
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::198 => if (_delta1 > 0) {
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::218 => if (timeElapsed > 0 && _reserve0 != 0 && _reserve1 != 0) {
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::314 => require(liquidity > 0, 'ILM'); // SwapPair: INSUFFICIENT_LIQUIDITY_MINTED
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::333 => require(amount0 > 0 && amount1 > 0, 'ILB'); // SwapPair: INSUFFICIENT_LIQUIDITY_BURNED
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::347 => require(amount0Out > 0 || amount1Out > 0, 'IOA'); // SwapPair: INSUFFICIENT_OUTPUT_AMOUNT
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::356 => if (amount0Out > 0) _safeTransfer(_token0, to, amount0Out); // optimistically transfer tokens
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::357 => if (amount1Out > 0) _safeTransfer(_token1, to, amount1Out); // optimistically transfer tokens
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::358 => if (data.length > 0) ISwapCallee(to).hook(msg.sender, amount0Out, amount1Out, data); // callback, used for flash loans
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::364 => require(amount0In > 0 || amount1In > 0, 'IIA'); // SwapPair: INSUFFICIENT_INPUT_AMOUNT
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::367 => if (amount0In > 0) _update0(amount0In * fee / 1e6); // accrue fees for token0 and move them out of pool
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::368 => if (amount1In > 0) _update1(amount1In * fee / 1e6); // accrue fees for token1 and move them out of pool
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::538 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::192 => if (_nCheckPoints > 0 && checkpoints[tokenId][_nCheckPoints - 1].timestamp == _timestamp) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::203 => if (_nCheckPoints > 0 && rewardPerTokenCheckpoints[token][_nCheckPoints - 1].timestamp == timestamp) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::215 => if (_nCheckPoints > 0 && supplyCheckpoints[_nCheckPoints - 1].timestamp == _timestamp) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::241 => if (_reward > 0) _safeTransfer(tokens[i], msg.sender, _reward);
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::257 => if (_reward > 0) _safeTransfer(tokens[i], _owner, _reward);
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::291 => if (sp0.supply > 0) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::335 => if (_endIndex > 0) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::338 => if (sp0.supply > 0) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::350 => if (sp.supply > 0) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::372 => if (_endIndex > 0) {
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::424 => require(amount > 0);
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::445 => require(rewardRate[token] > 0);
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::454 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::461 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::116 => if (claimed0 > 0 || claimed1 > 0) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::120 => if (_fees0 > IBribe(bribe).left(_token0) && _fees0 / DURATION > 0) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::127 => if (_fees1 > IBribe(bribe).left(_token1) && _fees1 / DURATION > 0) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::246 => if (_nCheckPoints > 0 && checkpoints[account][_nCheckPoints - 1].timestamp == _timestamp) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::257 => if (_nCheckPoints > 0 && rewardPerTokenCheckpoints[token][_nCheckPoints - 1].timestamp == timestamp) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::269 => if (_nCheckPoints > 0 && supplyCheckpoints[_nCheckPoints - 1].timestamp == _timestamp) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::305 => if (_reward > 0) _safeTransfer(tokens[i], account, _reward);
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::353 => if (sp0.supply > 0) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::399 => if (_endIndex > 0) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::402 => if (sp0.supply > 0) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::413 => if (sp.supply > 0) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::436 => if (_endIndex > 0) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::458 => require(amount > 0);
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::465 => if (tokenId > 0) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::508 => if (tokenId > 0) {
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::537 => require(amount > 0);
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::558 => require(rewardRate[token] > 0);
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::567 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::574 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::581 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::44 => require(msg.value > 0, "no ETH sent");
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::54 => require(_amount > 0, "no tokens sent");
../2022-10-3xcalibur/contracts/periphery/Voter.sol::157 => if (_votes > 0) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::216 => if (_usedWeight > 0) IVotingEscrow(_ve).voting(_tokenId);
../2022-10-3xcalibur/contracts/periphery/Voter.sol::273 => if (tokenId > 0) IVotingEscrow(_ve).attach(tokenId);
../2022-10-3xcalibur/contracts/periphery/Voter.sol::284 => if (tokenId > 0) IVotingEscrow(_ve).detach(tokenId);
../2022-10-3xcalibur/contracts/periphery/Voter.sol::302 => if (_ratio > 0) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::332 => if (_supplied > 0) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::337 => if (_delta > 0) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::393 => if (_claimable > IGauge(_gauge).left(base) && _claimable / DURATION > 0) {
../2022-10-3xcalibur/contracts/periphery/Voter.sol::434 => require(token.code.length > 0);
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::352 => return size > 0;
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::484 => if (old_locked.end > block.timestamp && old_locked.amount > 0) {
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::488 => if (new_locked.end > block.timestamp && new_locked.amount > 0) {
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::507 => if (_epoch > 0) {
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::635 => // value == 0 (extend lock) or value > 0 (add to lock or extend lock)
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::707 => require(_value > 0); // dev: need non-zero value
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::708 => require(_locked.amount > 0, 'No existing lock found');
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::720 => require(_value > 0); // dev: need non-zero value
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::754 => assert(_value > 0); // dev: need non-zero value
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::755 => require(_locked.amount > 0, 'No existing lock found');
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::770 => require(_locked.amount > 0, 'Nothing is locked');

Tools used

c4udit

Use immutable for OpenZeppelin AccessControl's Roles Declarations

Impact

Issue Information: G006

Findings:

../2022-10-3xcalibur/contracts/Core/SwapFactory.sol::73 => return keccak256(type(SwapPair).creationCode);
../2022-10-3xcalibur/contracts/Core/SwapFactory.sol::85 => bytes32 salt = keccak256(abi.encodePacked(token0, token1, stable)); // notice salt includes stable as well, 3 parameters
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::28 => // keccak256("Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)");
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::484 => DOMAIN_SEPARATOR = keccak256(
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::486 => keccak256('EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)'),
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::487 => keccak256(bytes(name)),
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::488 => keccak256('1'),
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::493 => bytes32 digest = keccak256(
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::497 => keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, nonces[owner]++, deadline))
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::362 => ///      the return value is not `bytes4(keccak256("onERC721Received(address,address,uint,bytes)"))`.
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::394 => ///      the return value is not `bytes4(keccak256("onERC721Received(address,address,uint,bytes)"))`.

Tools used

c4udit

Long Revert Strings

Impact

Issue Information: G007

Findings:

../2022-10-3xcalibur/contracts/Core/SwapFactory.sol::34 => "SwapFactory: zero address provided in constructor"
../2022-10-3xcalibur/contracts/Core/SwapFactory.sol::68 => require(msg.sender == admin && _admin != address(0), "SwapFactory; wrong input parameters");
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::9 => import "./interfaces/callback/ISwapCallee.sol";
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::28 => // keccak256("Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)");
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::98 => name = string(abi.encodePacked("Stable Pair - ", cIERC20(_token0).symbol(), "/", cIERC20(_token1).symbol()));
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::99 => symbol = string(abi.encodePacked("sAMM-", cIERC20(_token0).symbol(), "/", cIERC20(_token1).symbol()));
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::101 => name = string(abi.encodePacked("Variable Pair - ", cIERC20(_token0).symbol(), "/", cIERC20(_token1).symbol()));
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::102 => symbol = string(abi.encodePacked("vAMM-", cIERC20(_token0).symbol(), "/", cIERC20(_token1).symbol()));
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::426 => require(IVoter(voter).isBribe(address(this), token), "rewards tokens must be whitelisted");
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::8 => import "../core/interfaces/ISwapFactory.sol";
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::90 => "Gauge: zero address provided in constructor"
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::539 => require(IVoter(voter).isReward(address(this), token), "rewards tokens must be whitelisted");
../2022-10-3xcalibur/contracts/periphery/Minter.sol::52 => "Minter: zero address provided in constructor"
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::5 => import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::14 => "Multiswap: zero address provided in constructor"
../2022-10-3xcalibur/contracts/periphery/Voter.sol::11 => import "../core/interfaces/ISwapFactory.sol";
../2022-10-3xcalibur/contracts/periphery/Voter.sol::74 => "Voter: zero address provided in constructor"
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::122 => "VotingEscrow: zero address provided in constructor"
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::362 => ///      the return value is not `bytes4(keccak256("onERC721Received(address,address,uint,bytes)"))`.
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::394 => ///      the return value is not `bytes4(keccak256("onERC721Received(address,address,uint,bytes)"))`.
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::999 => output = '<svg xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMinYMin meet" viewBox="0 0 350 350"><style>.base { fill: white; font-family: serif; font-size: 14px; }</style><rect width="100%" height="100%" fill="black" /><text x="10" y="20" class="base">';
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::1000 => output = string(abi.encodePacked(output, "token ", toString(_tokenId), '</text><text x="10" y="40" class="base">'));
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::1001 => output = string(abi.encodePacked(output, "balanceOf ", toString(_balanceOf), '</text><text x="10" y="60" class="base">'));
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::1002 => output = string(abi.encodePacked(output, "locked_end ", toString(_locked_end), '</text><text x="10" y="80" class="base">'));
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::1005 => string memory json = Base64.encode(bytes(string(abi.encodePacked('{"name": "lock #', toString(_tokenId), '", "description": "3xcalibur locks, can be used to boost gauge yields, vote on token emission, and receive bribes", "image": "data:image/svg+xml;base64,', Base64.encode(bytes(output)), '"}'))));

Tools used

c4udit

Use Shift Right/Left instead of Division/Multiplication if possible

Impact

Issue Information: G008

Findings:

../2022-10-3xcalibur/contracts/Core/SwapFactory.sol::38 => fee[false] = 2700; // 0.27% for vaiable swaps (hundredth of a basis point / 2700/1000000)
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::111 => uint center = upper - (upper - lower) / 2; // ceil, avoiding overflow
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::143 => uint center = upper - (upper - lower) / 2; // ceil, avoiding overflow
../2022-10-3xcalibur/contracts/periphery/Bribe.sol::175 => uint center = upper - (upper - lower) / 2; // ceil, avoiding overflow
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::165 => uint center = upper - (upper - lower) / 2; // ceil, avoiding overflow
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::197 => uint center = upper - (upper - lower) / 2; // ceil, avoiding overflow
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::229 => uint center = upper - (upper - lower) / 2; // ceil, avoiding overflow
../2022-10-3xcalibur/contracts/periphery/Minter.sol::16 => uint internal constant target_base = 10000; // 2% per week target emission
../2022-10-3xcalibur/contracts/periphery/Minter.sol::27 => uint internal constant lock = 86400 * 7 * 52 * 4;
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::822 => uint _mid = (_min + _max + 1) / 2;
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::892 => uint _mid = (_min + _max + 1) / 2;
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::999 => output = '<svg xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMinYMin meet" viewBox="0 0 350 350"><style>.base { fill: white; font-family: serif; font-size: 14px; }</style><rect width="100%" height="100%" fill="black" /><text x="10" y="20" class="base">';

Tools used

c4udit

Unsafe ERC20 Operation(s)

Impact

Issue Information: L001

Findings:

../2022-10-3xcalibur/contracts/periphery/Minter.sol::73 => // _token.approve(address(_ve), type(uint).max);
../2022-10-3xcalibur/contracts/periphery/Minter.sol::136 => require(_token.transfer(address(_ve_dist), _growth), "growth transfer failed");
../2022-10-3xcalibur/contracts/periphery/Minter.sol::141 => _token.approve(address(_voter), weekly);
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::55 => (bool transferFromSuccess) = IERC20(_token).transferFrom(msg.sender, address(this), _amount);
../2022-10-3xcalibur/contracts/periphery/Multiswap.sol::57 => IERC20(_token).approve(router, _amount);
../2022-10-3xcalibur/contracts/periphery/Voter.sol::254 => IERC20(base).approve(_gauge, type(uint).max);
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::641 => assert(IERC20(token).transferFrom(from, address(this), _value));
../2022-10-3xcalibur/contracts/periphery/VotingEscrow.sol::796 => assert(IERC20(token).transfer(msg.sender, value));

Tools used

c4udit

Unspecific Compiler Version Pragma

Impact

Issue Information: L003

Findings:

../2022-10-3xcalibur/contracts/Core/SwapFactory.sol::2 => pragma solidity ^0.8.11;
../2022-10-3xcalibur/contracts/Core/SwapPair.sol::2 => pragma solidity ^0.8.11;

Tools used

c4udit

Do not use Deprecated Library Functions

Impact

Issue Information: L005

Findings:

../2022-10-3xcalibur/contracts/periphery/Gauge.sol::122 => _safeApprove(_token0, bribe, _fees0);
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::129 => _safeApprove(_token1, bribe, _fees1);
../2022-10-3xcalibur/contracts/periphery/Gauge.sol::580 => function _safeApprove(address token, address spender, uint256 value) internal {

Tools used

c4udit

Picodes/c4udit_3xcalibur.md

c4udit Report

Files analyzed

Issues found

Don't Initialize Variables with Default Value

Impact

Findings:

Tools used

Cache Array Length Outside of Loop

Impact

Findings:

Tools used

Use != 0 instead of > 0 for Unsigned Integer Comparison

Impact

Findings:

Tools used

Use immutable for OpenZeppelin AccessControl's Roles Declarations

Impact

Findings:

Tools used

Long Revert Strings

Impact

Findings:

Tools used

Use Shift Right/Left instead of Division/Multiplication if possible

Impact

Findings:

Tools used

Unsafe ERC20 Operation(s)

Impact

Findings:

Tools used

Unspecific Compiler Version Pragma

Impact

Findings:

Tools used

Do not use Deprecated Library Functions

Impact

Findings:

Tools used