SKATE - HackMD

# SKATE ## Info - Auditor: mohamed moualim - Commit hash: ... git repository (commit hash) ## Disclaimers ## Issues ## Floating Pragma ## [Low] **Description** The contract makes use of the floating-point pragma 0.8.6. Contracts should be deployed using the same compiler version. Locking the pragma helps ensure that contracts will not unintentionally be deployed using another pragma, which in some cases may be an obsolete version, that may introduce issues to the contract system. **files** * `contracts/GNARDescriptor.sol` (L2) * `contracts/GNARSeeder.sol` (L3) * `contracts/SkateContract.sol` (L2) * `contracts/SkateContractFlat.sol` (L2) * `contracts/SkateSettleContract.sol` (L2) * `contracts/interfaces/IGNARDescriptor.sol` (L2) * `contracts/interfaces/IGNARSeeder.sol` (L2) * `contracts/interfaces/ISkateContract.sol` (L2) * `contracts/libs/MultiPartRLEToSVG.sol` (L4) * `contracts/libs/NFTDescriptor.sol` (L3) **Recommendation** Consider locking the pragma version. It is advised that floating pragma should not be used in production. Both truffle-config.js and hardhat.config.js support locking the pragma version. ## Owner Can Renounce Ownership ## [Medium] **Description** Typically, the account that deploys the contract is also its owner. Consequently, the owner is able to engage in certain privileged activities in his own name. In smart contracts, the renounceOwnership function is used to renounce ownership, which means that if the contract's ownership has never been transferred, it will never have an Owner, rendering some owner-exclusive functionality unavailable. **file** * `contracts/SkateContract.sol` (L13) **Recommendation** We recommend that you prevent the owner from calling renounceOwnership without first transferring ownership to a different address. Additionally, if you decide to use a multi-signature wallet, then the execution of the renounceOwnership will require for at least two or more users to be confirmed. Alternatively, you can disable Renounce Ownership functionality by overriding it. ## External instead of Public ## [Best-Practice] **Description** In a nutshell, public and external differs in terms of gas usage. The former use more than the latter when used with large arrays of data. This is due to the fact that Solidity copies arguments to memory on a public function while external read from calldata which is cheaper than memory allocation. **file** * `contracts/SkateContract.sol` (L86) **Recommendation** We recommand to use the modifier External instead of public for the fuctions that aren't called in the contract. ## Miss address verification ## [Low] **Description** Certain functions lack a safety check in the address, the address-type arguments should include a zero-address test, otherwise, the contract's functionality may become inaccessible. **file** * `contracts/SkateContract.sol` (L79:82) **Recommandation** We recommend that you make sure the addresses provided in the arguments are different from the address(0). ## Precision Loss Can Lead To Bypass Fees ## [High] **Description** In the Creatbid functions, the fee is calculated using this formula : (_auction.amount * minBidIncrementPercentage) / 100 , the issue here is that if (_auction.amount * minBidIncrementPercentage) is less than 1e18 the fee will be equal to 0 due to loss precision and the msg.value will be greater than the _auction.amount + fee . **file** * `contracts/SkateContract.sol` (L144) **Recommendation** To solve this issue a verification of _auction.amount * minBidIncrementPercentage greater that 100 should be implemented. ## Miss value verification ## [Medium] **Description** Certain functions lack a value safety check, the values of the arguments should be verified to allow only the ones that comply with the contract’s logic. in the funtion setMinBidIncrementPercentage(), the contract must ensure that _minBidIncrementPercentage is less than 100%. **file** * `contracts/SkateContract.sol` (L256:259) **Recommendation** We recommend that you verify the values provided in the arguments. The issue can be addressed by utilizing a require statement. ## Centralization Risk ## [High] **Description** The owner can use the function burn() to burn any gnarId without the permission of the community and the holder of this Ntf. **file** * `contracts/SkateContract.sol` (L263:265) **Recommendation** The burn funtion should be used after a vote, so this function should be in another contract and apply it after voting. ## Import failure ## [Low] **Description** there is an error during the importation of the contracts, some path are false. **file** * `contracts/GNARDescriptor.sol` (L7,L8) * `contracts/GNARSeeder.sol` (L5,L6) **Recommendation** the correct path for the first file are : * `./interfaces/IGNARDescriptor.sol` (L7) * `./interfaces/IGNARSeeder.sol` (L8) the correct path for the second file are : * `./interfaces/IGNARSeeder.sol` (L5) * `./interfaces/IGNARDescriptor.sol` (L6) ## Miss TokenId verification ## [Medium] **Description** in the funtion tokenURI(), the contract should verify if the tokenId was created in this contract, if a user creat a similaire contract with the same ERC721 standars, he could add his token to this contract. **file** * `contracts/SkateContract.sol` (L127:131) **Recommendation** To solve this issue we can add a require statement to check if the tokenId was created in this contract (example : using a mapping) ## Duplicated contract ## [Informationnal] **Description** there two contract with the same content but with different name. ## Race condition ## [Medium] **Description** in the functions setReservePrice and setMinBidIncrementPercentage the owner can set this two variables _reservePrice and _minBidIncrementPercentage without any verification or agreement of the community wich can result a race condition **file** * `contracts/SkateContract.sol` (L248,L258) **Recommendation** We recommend adding this two variable in the arguments of the setters function and add require statements in order to verify that the values that are provided in the arguments are the same as the ones that are stored in the smart contract. ### not finished !