Omniscia Box Fun Audit
BoxedL2 Code Style Findings
BoxedL2 Code Style Findings
BL2-01C: Ineffectual Usage of Safe Arithmetics
| Type | Severity | Location |
|---|---|---|
| Language Specific |  | BoxedL2.sol: • I-1: L88 • I-2: L131 |
Description:
The linked mathematical operations are guaranteed to be performed safely by surrounding conditionals evaluated in either require checks or if-else constructs.
Example:
87uint256 feePerBox = tokensPerBox / MAX_BPS * feeBPS;88uint256 tokensPerBoxAfterFee = tokensPerBox - feePerBox;Recommendation:
Given that safe arithmetics are toggled on by default in pragma versions of 0.8.X, we advise the linked statements to be wrapped in unchecked code blocks thereby optimizing their execution cost.
Alleviation:
All referenced arithmetic operations have been wrapped in an unchecked code block, including BPS calculations.
While this is normally secure, we would still advise the Box Fun team to ensure that the tokensPerBox and feeBPS configurations they expect to set can never overflow when multiplied.
BL2-02C: Potentially Undesired Randomness Configuration
| Type | Severity | Location |
|---|---|---|
| Code Style | | BoxedL2.sol:L226-L229 |
Description:
The referenced statements claim that a 1% chance occurs for a token to be gold, however, this would be true only if the type(uint256).max value was wholly divisible by 100.
Example:
226/// @dev 1 in 100 chance to be goldRecommendation:
While the randomness is practically 1 in 100, the actual percentage is slightly lower than that and that could be depicted in the comment via an approximation (i.e. ~1% rather than 1 in 100).
Alleviation:
The code was updated to reflect an approximate 1% chance rather than a precise one, addressing this exhibit.
BL2-03C: Repetitive Value Literals
| Type | Severity | Location |
|---|---|---|
| Code Style | | BoxedL2.sol: • I-1: L189 • I-2: L190 |
Description:
The linked value literals are repeated across the codebase multiple times.
Example:
189uint32 baseCallbackGas = 100000;Recommendation:
We advise each to be set to its dedicated constant variable instead, optimizing the legibility of the codebase.
In case some of the constant declarations have already been introduced, we advise them to be properly re-used across the code.
Alleviation:
The referenced value literals were properly relocated to contract-level constant declarations BASE_CALLBACK_GAS and GAS_PER_BOX respectively, addressing this exhibit.
BL2-04C: Significantly Inefficient Usage of Token ID Counter
| Type | Severity | Location |
|---|---|---|
| Gas Optimization | | BoxedL2.sol:L96, L98, L101 |
Description:
The referenced operations will repeatedly write to and read from a storage variable for each for loop iteration.
Example:
94for (uint256 i = 0; i < _quantity; i++) {95 /// @dev increment tokenId counter96 nextTokenId++;97
98 _safeMint(msg.sender, nextTokenId);99
100 /// @dev add ID to array for later VRF verification101 boxIds[i] = nextTokenId;102}Recommendation:
We advise the code to cache the nextTokenId before the for loop begins, mutate it as needed, and store it once right after the for loop concludes thereby significantly optimizing the code's gas cost.
Alleviation:
The nextTokenId variable usage within the function has been significantly optimized as advised, ensuring that mutations are performed locally and its final state is solely stored to the _nextTokenId contract-level variable.