Zokyo Informational Vulnerabilities
  • 📚Tutorials
    • đŸ›Ĩī¸Informational Vulnerability 1: Floating Pragmas
    • ☚ī¸Informational Vulnerability 2: "Magic" Numbers
    • 🎁Informational Vulnerability 3: Missing Events
    • ⏲ī¸Informational Vulnerability 4: Timelocks
    • ⏲ī¸Informational Vulnerability 5: Transition from now to block.timestamp
    • ✍ī¸Informational Vulnerability 5: Managing Nonces for Signature Validity
    • đŸ—Ŗī¸Informational Vulnerability 6: Ensuring Accurate and Helpful Comments
    • 📲Informational Vulnerability 7: Minimizing Import Clutter by Excluding Unused Files
    • ✏ī¸Informational Vulnerability 8: Grouping Related Data in Structs or Similar Data Structures
    • đŸ•ļī¸Informational Vulnerability 9: Open TODOs
    • đŸ–ŧī¸Informational Vulnerability 10: Naming Convention
    • ⛏ī¸Informational Vulnerability 11: `require` vs `assert`
    • 😴Informational Vulnerability 12: Missing NatSpec
    • 🍊Informational Vulnerability 13: Public to External functions
    • 🤝Informational Vulnerability 14: Public to External functions
    • 🕐Informational Vulnerability 15: Time units
Powered by GitBook
On this page
  1. Tutorials

Informational Vulnerability 2: "Magic" Numbers

PreviousInformational Vulnerability 1: Floating PragmasNextInformational Vulnerability 3: Missing Events

Last updated 1 year ago

Introduction: "Magic" numbers – raw numerical values without clear meaning – can pose a challenge in code readability and future maintenance. Even though they might not directly affect functionality, using constants in place of these values can vastly improve code clarity. In this tutorial, we'll explore the importance of avoiding magic numbers and the benefits of using named constants in Solidity.

Concept: A magic number is a direct numerical value used in the code without an accompanying explanation or name. These numbers can be confusing to other developers (or even the original developer after some time has passed) as their purpose or derivation is not immediately clear.

For example, consider coming across the value 1e36 in the code. Without context, it's not clear why this particular value is used, making the code harder to maintain or audit.

Benefits of Using Constants:

  1. Readability: Naming constants provides context, making the code more self-explanatory.

  2. Maintainability: If the value needs to change in the future, you only have to update it in one place.

  3. No Gas Overheads: In Solidity, using constant values doesn't introduce any gas costs.

Example:

Given the code snippet:

solidityCopy codefunction calculateReward(uint256 baseReward) external view returns (uint256) {
    return baseReward * 1e36; // Why 1e36? It's not immediately clear.
}

Using a named constant would look like:

solidityCopy code// At the top of the contract or library:
uint256 private constant REWARD_MULTIPLIER = 1e36; // Provides a clear name and can be documented with its purpose.

function calculateReward(uint256 baseReward) external view returns (uint256) {
    return baseReward * REWARD_MULTIPLIER; // More readable and self-explanatory.
}

Recommendation:

  1. Scan your contracts for magic numbers.

  2. Replace these numbers with appropriately named constants.

  3. Add comments to these constants if further explanation is needed.

  4. Test to ensure that the logic remains consistent.

Conclusion:

While magic numbers might not introduce vulnerabilities, they can make your codebase harder to understand and maintain. Using named constants enhances clarity and ensures that your contracts remain accessible and easy to update in the future. Prioritizing readability will always pay dividends in the long run, especially in collaborative projects or when seeking external audits.

📚
☚ī¸
Book an audit with Zokyo