Expert Q&A
Expert advice available.
Posts
185

- What are the recommended protocols for smart contract audit?
Expert Q&A
Mar 29, 2024
I am looking to conduct a smart contract audit and would like to know the best protocols to follow. Can anyone suggest a wide range of protocols that are commonly used in competitive audits? Any insights or recommendations would be greatly appreciated. Thank you.
- Foundry
- Security
- Blockchain
01 Official Answer

- Error `make deploy` in VS Code - `bash: make: command not found`
Expert Q&A
Mar 29, 2024
I am encountering an issue while trying to deploy using make deploy in VS Code with Foundry and Anvil. Despite Anvil launching properly without any errors, when I attempt to deploy using the command make deploy, I consistently receive the error message bash: make: command not found. Has anyone faced a similar problem or can provide guidance on resolving this issue? Any assistance would be greatly valued as I have been unable to progress since yesterday. Thank you.
- Foundry
01 Official Answer

- Which function selector and input data should be used in solveChallenge?
Expert Q&A
Mar 29, 2024
I am working on the solveChallenge function which requires a function selector and input data to be passed. I am unsure about which function I should get the function selector for, and what the input data should be that needs to be turned into bytes. Any guidance on this would be greatly appreciated. Thank you in advance for your help.

```solidity
function solveChallenge(bytes4 selectorOne, bytes memory inputData, string memory yourTwitterHandle) external {
    (bool successOne, bytes memory responseDataOne) = i_helperContract.call(abi.encodeWithSelector(selectorOne));
    if (!successOne || uint256(bytes32((responseDataOne))) != 1) {
        revert S1__WrongSelector();
    }

    (bool successTwo, bytes memory responseDataTwo) = i_helperContract.call(inputData);
    if (!successTwo || uint256(bytes32((responseDataTwo))) != 1) {
        revert S1__WrongData();
    }
    _updateAndRewardSolver(yourTwitterHandle);
}
```

I am motivated to understand how to find the solution, not just for obtaining the NFT. Thank you for your assistance.
- Transaction
- Solidity
- Smart Contract
01 Official Answer

- How to Report Multiple Instances of an Attack Vector in Base Code?
Expert Q&A
Mar 29, 2024
I have encountered the same attack vector multiple times in a base code. Should I include each instance separately in my report or consolidate them into a single entry? For instance, if I identify a Denial of Service (DOS) attack in three different functions, should I classify these findings as three distinct high-severity issues in my report, or combine them into a single report entry for efficiency and clarity? Any insights on the best approach for reporting such repeated vulnerabilities would be greatly appreciated. Thank you.
- Security
01 Official Answer

- Seeking Small LaTeX Package for Linux Installation
Expert Q&A
Mar 29, 2024
I attempted to install LaTeX on my Linux machine using sudo apt-get install texlive-full, which consumed over 7 GB of storage, causing my 120 GB SSD system to run out of space. As a result, I had to remove it. Could someone provide a link to a smaller LaTeX package (less than 1 GB) that is sufficient for my needs? Any guidance or recommendations would be greatly appreciated. Thank you.
- Foundry
- Course
01 Official Answer

- Does mitigation of DoS in Section 4 Lesson 15 work correctly?
Expert Q&A
Mar 29, 2024
I am currently working on Section 4 Lesson 15 and addressing the PuppyRaffle::enterRaffle function. I have identified a potential issue with the second recommended mitigation of DoS.

```solidity
function enterRaffle(address[] memory newPlayers) public payable {
    require(msg.value == entranceFee * newPlayers.length, 'PuppyRaffle: Must send enough to enter raffle');
    for (uint256 i = 0; i < newPlayers.length; i++) {
        players.push(newPlayers[i]);
        addressToRaffleId[newPlayers[i]] = raffleId;
    }
    for (uint256 i = 0; i < newPlayers.length ; i++) {
        require(addressToRaffleId[newPlayers[i]] != raffleId, 'PuppyRaffle: Duplicate player');
    }
}
```

The concern is that the duplicate check in the function will always fail due to the way addressToRaffleId[newPlayers[i]] is being set to raffleId for each new player. This results in the condition addressToRaffleId[newPlayers[i]] != raffleId never being true for new players, rendering the duplicate check ineffective. I would like to confirm if my understanding of this issue is correct. Any insights or feedback on this matter would be greatly appreciated.
- Security
- Solidity
- Smart Contract
01 Official Answer

- How is IERC20 imported from ERC20?
Expert Q&A
Mar 29, 2024
In the provided Solidity contract for a vault handling ERC20 tokens, the import statement for IERC20 is from '@openzeppelin/contracts/token/ERC20/ERC20.sol'. Typically, IERC20 is imported from IERC20.sol. How does this import work in this context, and what implications does it have for the contract's functionality?
- erc20
- Security
- Solidity
01 Official Answer

- How to resolve compile failure due to memory constraints in WSL Ubuntu?
Expert Q&A
Mar 29, 2024
I am conducting a competitive audit and encountered a compilation issue while working with a codebase consisting of over 400 files. When attempting to compile the code in my WSL Ubuntu environment, the process fails with the error message 'solc exited with signal: 9 (SIGKILL)'. My system specifications include an i5-13500HX, RTX4060, and 16GB RAM, but upon checking, I realized that my WSL Ubuntu is configured with only 8GB of memory. Could this memory limitation be the cause of the compilation failure? If so, how can I increase the memory allocation for WSL? Alternatively, if memory is not the issue, what steps can I take to successfully compile this extensive project in Foundry?

```
myubuntu@myubuntu:~/audit/24Jan-Arcadia-Sherlock$ free
               total        used        free      shared  buff/cache   available
Mem:         7989616      786980     7056744         432      145892     6998208
Swap:        2097152      775024     1322128
```

I suspect that the compilation failure might be due to resource constraints or potential issues with solc consuming excessive resources. Any insights or guidance on resolving this compilation issue would be greatly appreciated.
- Foundry
- Solidity
01 Official Answer

- Function Call Order During Invariant Testing with Foundry
Expert Q&A
Mar 29, 2024
I am currently studying the Invariant part of a course and have a question regarding the execution order of functions when using invariant testing. Specifically, I am looking at the statefulFuzz_testInvariantBreakHandler function which includes the following code snippet:

```solidity
function statefulFuzz_testInvariantBreakHandler() public {
    vm.startPrank(owner);
    handlerStatefulFuzzCatches.withdrawToken(mockUSDC);
    handlerStatefulFuzzCatches.withdrawToken(yeildERC20);
    vm.stopPrank();

    assert(mockUSDC.balanceOf(address(handlerStatefulFuzzCatches)) == 0);
    assert(yeildERC20.balanceOf(address(handlerStatefulFuzzCatches)) == 0);
    assert(mockUSDC.balanceOf(owner) == startingAmount);
    assert(yeildERC20.balanceOf(owner) == startingAmount);
}
```

My question pertains to the order in which handlerStatefulFuzzCatches.withdrawToken(mockUSDC) and handlerStatefulFuzzCatches.withdrawToken(yeildERC20) functions are executed in relation to the fuzzing process: Are these withdrawToken functions called at the beginning of the test, and then the fuzzer attempts to break the invariants by calling other functions? Or, are these specific withdrawToken calls supposed to be executed after the fuzzer has run through other functions? I am seeking clarification on whether the specified withdrawToken operations are meant to set up the state for invariant testing. Thank you for your assistance.
- Solidity
- Smart Contract
01 Official Answer

- How to resolve 'Invalid solc version' error?
Expert Q&A
Mar 29, 2024
When attempting to pull a forge build on Rio-network for the new Sherlock audit contest, I encountered the following error related to invalid solc version:

```
Encountered invalid solc version in contracts/interfaces/IRioLRT.sol: No solc version exists that matches the version requirement: =0.8.23
Encountered invalid solc version in contracts/interfaces/IRioLRTAVSRegistry.sol: No solc version exists that matches the version requirement: =0.8.23
Encountered invalid solc version in contracts/interfaces/IRioLRTAssetRegistry.sol: No solc version exists that matches the version requirement: =0.8.23
Encountered invalid solc version in contracts/interfaces/IRioLRTCoordinator.sol: No solc version exists that matches the version requirement: =0.8.23
...
...
...
Encountered invalid solc version in test/utils/beacon-chain/MockBeaconChainOracle.sol: No solc version exists that matches the version requirement: =0.8.23
```

I attempted to change the solc version by installing and setting it to 0.8.23, but the error persisted. How can I resolve this issue and successfully pull the forge build on Rio-network for the contest?
- Solidity
01 Official Answer