Surf - Smart Contracts Made Simple.

Home

Surfboard

Surfcheck

Docs

About Us

Audit Summary

1

Critical

1

Major

3

Moderate

4

Minor

Issues

#1 Missing Function Access Control

Severity: CriticalIssue Type: Security

Range

Lines 42 - 52

Description

The 'giveRightToVote' function lacks access control, allowing any user to call it. This can lead to unauthorized manipulation of voter rights.

Recommended Fix

Add a modifier to restrict this function's access to only the chairperson.

#2 Potential Delegation Loop

Severity: MajorIssue Type: Security

Range

Lines 54 - 74

Description

In the 'delegate' function, the loop for checking delegation cycles does not have a failsafe against potentially unbounded looping.

Recommended Fix

Implement a limit to the delegation chain length to prevent potential denial of service attacks.

#3 Overwriting Voter Weight

Severity: ModerateIssue Type: Security

Range

Lines 50 - 50

Description

Setting voter weight directly to 1 in 'giveRightToVote' can inadvertently overwrite an existing voter's weight, which may have been increased due to vote delegation.

Recommended Fix

Check if the voter already has a weight assigned and avoid overwriting it.

#4 Unchecked Proposal Index

Severity: ModerateIssue Type: Security

Range

Lines 76 - 86

Description

The 'vote' function does not validate the provided proposal index, which could lead to out-of-bounds access.

Recommended Fix

Add a check to ensure the proposal index is within the range of the proposals array.

#5 Public Mapping Exposure

Severity: ModerateIssue Type: Security

Range

Lines 25 - 25

Description

The 'voters' mapping is publicly exposed, potentially revealing sensitive voting information.

Recommended Fix

Change the visibility of 'voters' mapping to private and provide a function to access necessary information securely.

#6 Inefficient Storage for 'Proposal' struct

Severity: MinorIssue Type: Gas Optimisation

Range

Lines 18 - 21

Description

The 'Proposal' struct uses 'bytes32' for the name, which might be inefficient if proposal names are typically shorter.

Recommended Fix

Consider using a dynamic string type if proposal names vary significantly in length.

#7 Gas Inefficient Constructor

Severity: MinorIssue Type: Gas Optimisation

Range

Lines 33 - 41

Description

The constructor iterates over the input array, which can be gas-inefficient for a large number of proposals.

Recommended Fix

Optimize the loop in the constructor or set a limit to the number of proposals.

#8 Outdated Compiler Version

Severity: MinorIssue Type: Coding Style

Range

Lines 3 - 3

Description

The pragma directive allows outdated compiler versions. Using older versions can expose known vulnerabilities.

Recommended Fix

Specify a more recent compiler version, ideally the latest stable one.

#9 Inefficient Storage and Access

Severity: MinorIssue Type: Gas Optimisation

Range

Lines 100 - 103

Description

The 'winnerName' function returns a 'bytes32', which can be inefficient for names of varying lengths and inconvenient for external calls.

Recommended Fix

Consider returning a string instead of 'bytes32' for more efficient storage and easier access.

Optional