☹️Informational Vulnerability 2: "Magic" Numbers

Book an audit with Zokyo

Introduction: "Magic" numbers – raw numerical values without clear meaning – can pose a challenge in code readability and future maintenance. Even though they might not directly affect functionality, using constants in place of these values can vastly improve code clarity. In this tutorial, we'll explore the importance of avoiding magic numbers and the benefits of using named constants in Solidity.

Concept: A magic number is a direct numerical value used in the code without an accompanying explanation or name. These numbers can be confusing to other developers (or even the original developer after some time has passed) as their purpose or derivation is not immediately clear.

For example, consider coming across the value 1e36 in the code. Without context, it's not clear why this particular value is used, making the code harder to maintain or audit.

Benefits of Using Constants:

1. Readability: Naming constants provides context, making the code more self-explanatory.

2. Maintainability: If the value needs to change in the future, you only have to update it in one place.

3. No Gas Overheads: In Solidity, using constant values doesn't introduce any gas costs.

Example:

Given the code snippet:

solidityCopy codefunction calculateReward(uint256 baseReward) external view returns (uint256) {
    return baseReward * 1e36; // Why 1e36? It's not immediately clear.
}

Using a named constant would look like:

solidityCopy code// At the top of the contract or library:
uint256 private constant REWARD_MULTIPLIER = 1e36; // Provides a clear name and can be documented with its purpose.

function calculateReward(uint256 baseReward) external view returns (uint256) {
    return baseReward * REWARD_MULTIPLIER; // More readable and self-explanatory.
}

Recommendation:

1. Scan your contracts for magic numbers.

2. Replace these numbers with appropriately named constants.

3. Add comments to these constants if further explanation is needed.

4. Test to ensure that the logic remains consistent.

Conclusion:

While magic numbers might not introduce vulnerabilities, they can make your codebase harder to understand and maintain. Using named constants enhances clarity and ensures that your contracts remain accessible and easy to update in the future. Prioritizing readability will always pay dividends in the long run, especially in collaborative projects or when seeking external audits.