Back to 0x1f8b's contests

Aave Lens contest - 0x1f8b's results

Web3 permissionless, composable & decentralized social graph

General Information

Platform: Code4rena

Start Date: 10/02/2022

Pot Size: $100,000 USDC

Total HM: 13

Participants: 21

Period: 7 days

Judge: leastwood

Total Solo HM: 10

Id: 85

League: ETH

Aave Lens

Findings Distribution

Researcher Performance

Rank: 15/21

Findings: 2

Award: $473.30

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAave Lens

Findings Information

🌟 Selected for report: WatchPug

Also found by: 0x0x0x, 0x1f8b, 0xwags, Dravee, cccz, csanuragjain, defsec, gzeon, hubble, hyh, kenta, pauliax, sikorico

Labels

bug
QA (Quality Assurance)

Awards

305.166 USDC - $305.17

External Links

Link to GitHub issue

Low

  1. There is a common practice of not checking the inputs during the construction of the contracts (constructor)
  1. There is a common practice of not checking the inputs during the initialization of the contracts (initialize)
  1. Logic around handle verification is not completely secure, it's allow handles like .......

#0 - Zer0dot

2022-03-24T19:55:54Z

Constructor issue solved in https://github.com/aave/lens-protocol/pull/80, initialization is a tradeoff we're willing to take, since the hub is only initialized at proxy construction, an error here would mean redeployment as far as I can tell, which is alright. The reason we implemented the checks in constructors is because constructors are not part of the runtime code, so don't affect the code size.

Handle stuff is meant to be delegated to whitelisted profile creators.

Findings Information

🌟 Selected for report: Dravee

Also found by: 0x0x0x, 0x1f8b, IllIllI, Jujic, csanuragjain, d4rk, defsec, gzeon, nahnah, pauliax, rfa

Labels

bug
G (Gas Optimization)

Awards

168.1329 USDC - $168.13

External Links

Link to GitHub issue

GAS

  1. The following structs could be optimized moving the position of certains values in order to save slot storages:
  1. Avoid declare variables before use it:
  1. Emit the event before change the state in order to save one variable:

before:

    function setEmergencyAdmin(address newEmergencyAdmin) external override onlyGov {
        address prevEmergencyAdmin = _emergencyAdmin;
        _emergencyAdmin = newEmergencyAdmin;
        emit Events.EmergencyAdminSet(
            msg.sender,
            prevEmergencyAdmin,
            newEmergencyAdmin,
            block.timestamp
        );
    }

after:

    function setEmergencyAdmin(address newEmergencyAdmin) external override onlyGov {
        emit Events.EmergencyAdminSet(
            msg.sender,
            _emergencyAdmin,
            newEmergencyAdmin,
            block.timestamp
        );
        _emergencyAdmin = newEmergencyAdmin;
    }

This logic could be used to save gas in:

  1. Use delete instead of set to default value (false or 0)
  1. Use storage keyword for save gas in order to cache a storage pointer.

#0 - Zer0dot

2022-03-25T15:24:21Z

First point is invalid, those are not stored but are only ever used calldata. Second point is technically valid, but the impact is not enough to be worth the readability change as the only time this would be helpful is when a user attempts to call the implementation. We emit events at the end by convention for readability, since these are governance/admin functions anyway, we don't see much value in implementing this.

Using delete doesn't seem to make sense to me either, as this would add logic in certain cases and I find setting a boolean to false is clearer for readability. This should be handled by the optimizer and the impact appears negligible, if any. Finally using the storage pointer actually increased gas, so we're not doing that either.

Still, though these points are not valid for our case, they are still pretty well thought out!

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter