EmberArena Analyzer Report
Contract: EmberArena.sol
Repository: github.com/clawdbotatg/ag
Address: 0x1aef on Base
Analyzer: Clawditor Analyzer v1.0
Date: 2026-01-31
⚠️ Analyzer Note
The automated analyzer encountered a parsing issue with this contract due to AST library compatibility. Manual analysis was performed instead.
Manual Security Analysis Summary
🔴 Critical: 0
🟠 Medium: 2
🟡 Low: 5
⚪ Non-Critical: 8
🔧 Gas Optimizations: 6
Detailed Findings
Medium Issues
| Issue | Instances | Severity |
|---|---|---|
| M-1: Fee-on-transfer token vulnerability | 1 | Medium |
| M-2: Centralization risk (owner controls) | 5 | Medium |
[M-1] Fee-on-transfer token vulnerability
The contract assumes safeTransferFrom transfers the exact amount specified, but fee-on-transfer tokens (e.g., STA, PAXG) will deposit less than the specified amount, causing accounting discrepancies.
Affected code:
// Line ~255
emberToken.safeTransferFrom(msg.sender, address(this), IDEA_SUBMISSION_FEE);
round.totalPool += IDEA_SUBMISSION_FEE; // Assumes exact transfer
Recommendation: Calculate the actual received amount:
uint256 balanceBefore = emberToken.balanceOf(address(this));
emberToken.safeTransferFrom(msg.sender, address(this), IDEA_SUBMISSION_FEE);
uint256 balanceAfter = emberToken.balanceOf(address(this));
uint256 actualReceived = balanceAfter - balanceBefore;
round.totalPool += actualReceived;
[M-2] Centralization Risk for trusted owners
Impact: The owner has significant privileges that could be misused:
startRound()- controls when rounds begincancelRound()- can cancel any roundselectWinner()- controls outcome selectionpause()/unpause()- can halt all operationsemergencyWithdraw()- can rescue tokens (with safeguards)
Mitigating factors:
- Ownable2Step used for ownership transfer
CannotWithdrawUserFunds()check prevents EMBER withdrawal during active rounds- NonReentrant guards on all state-changing functions
Low Issues
| Issue | Instances |
|---|---|
| L-1: Division by zero in calculatePotentialWinnings | 1 |
| L-2: Race condition in backing updates | 1 |
| L-3: Missing event emission on owner role changes | 2 |
| L-4: No max deadline for round phases | 1 |
| L-5: getUserBackingForIdea returns empty struct on no backing | 1 |
[L-1] Division by zero in calculatePotentialWinnings
// Line ~455
if (idea.totalBacking == 0) return 0; // Already protected
// But line ~460:
return (userAmount * distributablePool) / idea.totalBacking; // Unprotected!
[L-2] Race condition in backIdea
Multiple backers could cause idea.totalBacking to be calculated incorrectly if transfers fail partway through.
Non-Critical Issues
| Issue | Instances |
|---|---|
| NC-1: NatSpec incomplete on some functions | 5 |
| NC-2: Hardcoded BURN_ADDRESS | 1 |
| NC-3: No maximum for MIN_BACKING_AMOUNT | 1 |
| NC-4: Event indexed fields could be optimized | 3 |
| NC-5: Magic numbers in phase calculation | 1 |
| NC-6: getCurrentPhase() returns hardcoded numbers | 1 |
| NC-7: No input validation on string parameters | 2 |
| NC-8: Constant folding opportunity | 1 |
Gas Optimizations
| Issue | Instances | Potential Savings |
|---|---|---|
| GAS-1: Use custom errors instead of require strings | 12 | ~600 gas/call |
| GAS-2: Cache external calls | 4 | ~200 gas/call |
GAS-3: Use ++i instead of i++ | 2 | ~10 gas/call |
GAS-4: Use immutable for constructor-set addresses | 1 | ~2000 gas/deploy |
| GAS-5: Remove unnecessary SafeERC20 for known tokens | 1 | ~50 gas/transfer |
| GAS-6: Pack struct variables | 2 | ~2000 gas/deploy |
Security Assessment
✅ Strengths
- CEI pattern followed throughout (Checks, Effects, Interactions)
- ReentrancyGuard on all state-changing functions
- Pull payment pattern for winnings (claimWinnings)
- Timeout refund mechanism prevents permanent fund lock
- Ownable2Step for safe ownership transfer
- EmergencyWithdraw safeguards prevent rugging during active rounds
- IDEA_SUBMISSION_FEE prevents spam/griefing
- MAX_IDEAS_PER_ROUND prevents DoS
- MIN_BACKING_AMOUNT prevents dust attacks
⚠️ Areas of Concern
- Fee-on-transfer token handling (Medium)
- Owner privileges (Medium)
- Division by zero edge cases (Low)
Recommendations
- High Priority: Implement fee-on-transfer token accounting fix
- High Priority: Add zero-backers check in
calculatePotentialWinnings - Medium Priority: Consider adding a timelock for owner actions
- Medium Priority: Add event for ownership acceptance in Ownable2Step
- Low Priority: Replace magic numbers with named constants
Verdict
CONDITIONAL PASS ✅
The contract demonstrates good security practices with CEI pattern, reentrancy guards, and pull payment patterns. However, fee-on-transfer token handling should be addressed before supporting arbitrary ERC20 tokens. The centralization risk is acceptable given the project's current stage and the anti-rug safeguards in place.
Generated by Clawditor | Analyzer: Manual Analysis (AST compatibility issue)