# Niftoia
## Info
- Auditor: mohamed moualim
- Commit hash:
git repository (commit hash)
## Disclaimers
## Issues
## Payment can be bypassed
## [Critical]
**Description**
In purchaseMarketing(), marketing.balance is updated to marketing.balance + ((marketing.dailyPrice * _duration) * 95) / 100. Because integer division truncates, the term ((marketing.dailyPrice * _duration) * 95) / 100 evaluates to 0 when marketing.dailyPrice and _duration are both 1 (1 x 1 x 95 / 100 = 95 / 100 = 0), so the purchase goes through without crediting anything to the marketing balance.
**file**
* `Marketing/contract/Marketing.sol` (L328)
**Recommendation**
We recommend adding a require statement verifying that marketing.dailyPrice is greater than 1, so that the minimum value of the added term is 2 x 1 x 95 / 100 = 190 / 100 = 1 (integer division), which is non-zero.
## Fees Can Be Bypassed
## [Critical]
**Description**
This issue concerns the 5% that the contract owner takes from each transaction. If a user calls purchaseMarketing() with a duration of 1 day and then extends it with upgradeDurationOfPurchase() to, for example, 20 days, the 5% owner fee is not applied to the added days, so the fee is bypassed.
**file**
* `Marketing/contract/Marketing.sol` (L335:L357)
**Recommendation**
We recommend applying the 5% fee in upgradeDurationOfPurchase() as well, crediting only 95% of the added amount to the marketing balance, so the fee cannot be bypassed this way.
## Strict comparison issue
## [High]
**Description**
In purchaseMarketing(), the require statement compares msg.value strictly against marketing.dailyPrice * _duration + marketing.depositValue, so any call whose value does not match that sum exactly reverts.
**file**
* `Marketing/contract/Marketing.sol` (L313)
**Recommendation**
We recommend using a greater-than-or-equal comparison so the require statement does not revert on a value that covers the cost:
* `require(msg.value >= marketing.dailyPrice * _duration + marketing.depositValue, "");`
## Centralization Risk
## [Medium]
**Description**
In burnMarketing(), the marketing creator can burn the items of a marketing without any check on whether a user has already purchased it.
**file**
* `Marketing/contract/Marketing.sol` (L359:L388)
**Recommendation**
To solve this issue we recommend adding a require statement checking that purchaseId is equal to 0 (i.e. the marketing has not been purchased) before the burn is allowed.
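The minimal contract below is an added example, not the project's Marketing.sol: the struct layout, the function signatures, the buyer/owner-fee bookkeeping and the convention that purchaseId == 0 means "not purchased" are all assumptions chosen to mirror the findings. It shows the four fixes recommended above in one place: the dailyPrice check against the truncating 95/100 term, the `>=` comparison on msg.value, the 5% fee applied in upgradeDurationOfPurchase() as well as in purchaseMarketing(), and the purchaseId check before burning. The `share > 0` check in _creatorShare goes one step beyond the first recommendation by rejecting any amount whose creator share would truncate to zero, whatever dailyPrice is.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.12;

// Illustrative contract written for this report, NOT the audited Marketing.sol.
// Struct fields, function names and the purchaseId == 0 convention are assumed.
contract MarketingFixedExample {
    struct Marketing {
        address creator;
        address buyer;          // assumed: who purchased the marketing
        uint256 dailyPrice;     // price per day, in wei
        uint256 depositValue;   // deposit the buyer locks, in wei
        uint256 balance;        // amount credited to the creator
        uint256 purchaseId;     // 0 = not purchased (assumed convention)
        uint256 duration;       // days purchased
    }

    uint256 public constant FEE_PERCENT = 5; // owner's cut, as stated in the report
    address public immutable owner;
    uint256 public ownerFees;                // assumed: where the 5% is retained
    uint256 private nextPurchaseId = 1;
    mapping(uint256 => Marketing) public marketings;

    constructor() {
        owner = msg.sender;
    }

    function createMarketing(uint256 id, uint256 dailyPrice, uint256 depositValue) external {
        require(marketings[id].creator == address(0), "id taken");
        // Finding 1: with dailyPrice == 1 and duration == 1 the creator's share
        // truncates to 0 (1*1*95/100 == 0). Requiring dailyPrice > 1 is the report's
        // recommendation; the smallest share is then 2*1*95/100 == 1.
        require(dailyPrice > 1, "dailyPrice must exceed 1");
        marketings[id] = Marketing(msg.sender, address(0), dailyPrice, depositValue, 0, 0, 0);
    }

    // One place that applies the 95/5 split, so every payment path uses it.
    function _creatorShare(uint256 amount) internal pure returns (uint256 share) {
        share = (amount * (100 - FEE_PERCENT)) / 100;
        // Generalisation of finding 1 (assumption, not from the report): reject any
        // amount whose creator share would truncate to zero.
        require(share > 0, "amount too small");
    }

    function purchaseMarketing(uint256 id, uint256 _duration) external payable {
        Marketing storage m = marketings[id];
        require(m.creator != address(0), "no such marketing");
        require(m.purchaseId == 0, "already purchased");
        require(_duration > 0, "duration must be positive");
        uint256 cost = m.dailyPrice * _duration;
        // Finding 3: '>=' instead of a strict comparison, so a caller sending at
        // least the required sum is not reverted.
        require(msg.value >= cost + m.depositValue, "insufficient value");
        uint256 share = _creatorShare(cost);
        m.balance += share;
        ownerFees += cost - share;
        m.buyer = msg.sender;
        m.duration = _duration;
        m.purchaseId = nextPurchaseId++;
    }

    function upgradeDurationOfPurchase(uint256 id, uint256 newDuration) external payable {
        Marketing storage m = marketings[id];
        require(m.purchaseId != 0, "not purchased");
        require(msg.sender == m.buyer, "not the buyer");
        require(newDuration > m.duration, "duration can only grow");
        uint256 extraCost = m.dailyPrice * (newDuration - m.duration);
        require(msg.value >= extraCost, "insufficient value");
        // Finding 2: the upgrade credits 95% as well, so buying 1 day and then
        // upgrading to 20 no longer skips the 5% owner fee on the extra days.
        uint256 share = _creatorShare(extraCost);
        m.balance += share;
        ownerFees += extraCost - share;
        m.duration = newDuration;
    }

    function burnMarketing(uint256 id) external {
        Marketing storage m = marketings[id];
        require(msg.sender == m.creator, "not creator");
        // Finding 4: the creator cannot burn a marketing that a user has paid for.
        require(m.purchaseId == 0, "marketing is purchased");
        delete marketings[id];
    }
}
```

One consequence of the `>=` fix worth deciding explicitly: any value sent above the exact sum stays in the contract. Either refund the difference to the caller or document that overpayment is not returned; the example above keeps it, which is the simpler but less user-friendly choice.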
## Usage of block.timestamp
## [Medium]
**Description**
block.timestamp is used in the contract. The `block` variable is a set of block-level values set by the block producer; the timestamp does not always reflect the current time, may be inaccurate, and can be influenced by miners within certain bounds.
**file**
* `Marketing/contract/Marketing.sol` (L150)
**Recommendation**
Verify that a timestamp deviation of up to 900 seconds does not harm the logic of the contract.
## Floating Pragma
## [Low]
**Description**
The contracts use the floating pragmas 0.8.6 and 0.8.12. Contracts should be deployed with the same compiler version they were developed and tested with. Locking the pragma helps ensure that contracts are not unintentionally deployed with another compiler version, which in some cases may be an obsolete version that introduces issues into the contract system.
**file**
* `Updated Swap contract & project/contract/SwapConnect.sol` (L2)
* `Marketing/contract/Marketing.sol` (L2)
**Recommendation**
Consider locking the pragma version; floating pragmas should not be used in production. Both truffle-config.js and hardhat.config.js support pinning the compiler version.
## Using external instead of public
## [best-practice]
**Description**
Functions that are never called from within the contract should be declared external instead of public to save gas.