# CryptaContributionProofToken Security Review
A security review of the [CryptaContributionProofToken](https://github.com/0xTC0/crypta-smart-contracts/blob/main/CryptaContributionProofToken.sol) smart contract protocol was performed by [Parth](https://twitter.com/__parthpatel__). \
This audit report includes all the vulnerabilities, issues and code improvements found during the security review.
## Disclaimer
"Audits are a time, resource and expertise bound effort where trained experts evaluate smart
contracts using a combination of automated and manual techniques to find as many vulnerabilities
as possible. Audits can show the presence of vulnerabilities **but not their absence**."
\- Secureum
### Impact
- **High** - leads to a significant material loss of assets in the protocol or significantly harms a group of users.
- **Medium** - only a small amount of funds can be lost (such as leakage of value) or a core functionality of the protocol is affected.
- **Low** - can lead to unexpected behaviour in some of the protocol's functionalities that is not critical.
### Likelihood
- **High** - attack path is possible with reasonable assumptions that mimic on-chain conditions and the cost of the attack is relatively low to the amount of funds that can be stolen or lost.
- **Medium** - only conditionally incentivized attack vector, but still relatively likely.
- **Low** - has too many or too unlikely assumptions or requires a huge stake by the attacker with little or no incentive.
### Actions required by severity level
- **Critical** - client **must** fix the issue.
- **High** - client **must** fix the issue.
- **Medium** - client **should** fix the issue.
- **Low** - client **could** fix the issue.
## Executive summary
### Overview
| | |
| :------------ | :------------------------------------------------------------------------------------------- |
| Project Name | Crypta Digital |
| Repository | https://github.com/0xTC0/crypta-smart-contracts |
| Commit hash | [032869f47573b8a4c98f97af577933599d3dfc0c](https://github.com/0xTC0/crypta-smart-contracts/tree/032869f47573b8a4c98f97af577933599d3dfc0c) |
| Documentation | [docs](https://github.com/0xTC0/crypta-smart-contracts/blob/1a5a6c64946d350cbff8e587a7a4eac89e9e6770/README.md) |
| Methods | Manual review |
### Issues found
| Severity      | Count |
| :------------ | ----: |
| High risk     | 0     |
| Medium risk   | 0     |
| Low risk      | 0     |
| Informational | 2     |
# Findings
## Informational
### [I-1] Inconsistent visibility of state variables across the contract
#### **Context**
- https://github.com/0xTC0/crypta-smart-contracts/blob/032869f47573b8a4c98f97af577933599d3dfc0c/CryptaContributionProofToken.sol#L72-L76
#### **Description**
The state variables in the contract are declared with inconsistent visibility.
#### **Recommendations**
Declare state variables with consistent visibility across the project.
### [I-2] Consider using `uint256` as a nonce instead of `string` nonce
#### **Context**
- https://github.com/0xTC0/crypta-smart-contracts/blob/032869f47573b8a4c98f97af577933599d3dfc0c/CryptaContributionProofToken.sol#L76
#### **Description**
`uint256` as a nonce is guaranteed to be stored in one slot while using `string` doesn't guarantee that. Consider checking [this](https://docs.soliditylang.org/en/v0.8.19/internals/layout_in_storage.html#bytes-and-string) to understand how strings are stored.
#### **Recommendations**
Use `uint256` instead of `string` for the nonce.
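To make the storage difference concrete, the following is an added Python model of the layout rules described in the linked Solidity documentation; it is not code from the Crypta repository, and the sample nonce values are constructed for illustration.

```python
import math

SLOT_BYTES = 32


def string_slot_layout(value: bytes) -> tuple[bytes, int]:
    """Model the Solidity (>= 0.8) storage layout of a `string`/`bytes` state variable.

    Returns (main_slot_word, extra_slots):
      * short value (< 32 bytes): data is left-aligned in the main slot and the
        lowest byte holds length * 2 (even = "short" flag); no extra slots.
      * long value (>= 32 bytes): the main slot holds length * 2 + 1 (odd =
        "long" flag) and the data occupies ceil(len / 32) consecutive slots
        starting at keccak256(main_slot), so reading it costs extra SLOADs.
    """
    n = len(value)
    if n < SLOT_BYTES:
        word = value + b"\x00" * (SLOT_BYTES - 1 - n) + bytes([n * 2])
        return word, 0
    word = (n * 2 + 1).to_bytes(SLOT_BYTES, "big")
    return word, math.ceil(n / SLOT_BYTES)


def uint256_slot_layout(value: int) -> tuple[bytes, int]:
    """A `uint256` always occupies exactly one 32-byte slot, big-endian."""
    if not 0 <= value < 2**256:
        raise ValueError("value does not fit in uint256")
    return value.to_bytes(SLOT_BYTES, "big"), 0


def slots_used(layout: tuple[bytes, int]) -> int:
    """Total storage slots touched: the main slot plus any overflow slots."""
    return 1 + layout[1]


# Constructed sample nonces (not values from the audited contract).
NUMERIC_NONCE = 12345
SHORT_STRING_NONCE = b"12345"
HEX_STRING_NONCE = b"3f" * 32  # 64-char hex text: a typical way a string nonce grows past 31 bytes

if __name__ == "__main__":
    for label, layout in (
        ("uint256 nonce", uint256_slot_layout(NUMERIC_NONCE)),
        ("short string nonce", string_slot_layout(SHORT_STRING_NONCE)),
        ("64-char string nonce", string_slot_layout(HEX_STRING_NONCE)),
    ):
        print(f"{label:22s} slots={slots_used(layout)} main_slot=0x{layout[0].hex()}")
```

A 64-character string nonce touches three slots (length word plus two data slots), while the `uint256` nonce always touches exactly one.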