Badger-Vested-Aura contest - 0xNazgul's results

Missing Equivalence Checks in Setters

Severity: Low Context: MyStrategy.sol#L79-L101

Description: Setter functions are missing checks to validate if the new value being set is the same as the current value already set in the contract. Such checks will showcase mismatches between on-chain and off-chain states.

Recommendation: This may hinder detecting discrepancies between on-chain and off-chain states leading to flawed assumptions of on-chain state and protocol behavior.

Max/Infinite Approvals are Dangerous

Severity: Low Context: MyStrategy.sol#L56-L74

Description: Giving max/infinite approvals to contracts are dangerous because if those contracts are exploited then they can remove all the funds from the approving addresses.

Recommendation: Check allowance and approve as much as required.

Assert Violation That Always-Incorrect Control Flow Implementation

Severity: Low Context: MyStrategy.sol#L57

Description: The Solidity assert() function is meant to assert invariants. Properly functioning code should never reach a failing assert statement. A reachable assertion can mean one of two things:

1). A bug exists in the contract that allows it to enter an invalid state; 2). The assert statement is used incorrectly, e.g. to validate inputs.

Recommendation: Consider whether the condition checked in the assert() is actually an invariant. If not, replace the assert() statement with a require() statement. If the exception is indeed caused by unexpected behaviour of the code, fix the underlying bug(s) that allow the assertion to be violated.

receive() Function Should Emit An Event

Severity: Low Context: MyStrategy.sol#L436-L438

Description: Consider emitting an event inside this function with msg.sender and msg.value as the parameters. This would make it easier to track incoming ether transfers.

Recommendation: Add events to the receive() functions.

Missing Zero-address Validation

Severity: Low Context: MyStrategy.sol#L79-L83

Description: Lack of zero-address validation on address parameters may lead to transaction reverts, waste gas, require resubmission of transactions and may even force contract redeployments in certain cases within the protocol.

Recommendation: Add explicit zero-address validation on input parameters of address type.

Unindexed Event Parameters

Severity Informational Context: MyStrategy.sol#L51

Description: Parameters of certain events are expected to be indexed so that they’re included in the block’s bloom filter for faster access. Failure to do so might confuse off-chain tooling looking for such indexed events.

Recommendation: Add the indexed keyword to event parameters that should include it.

TODOs Left In The Code

Severity: Informational Context: MyStrategy.sol#L284, MyStrategy.sol#L422

Description: There should never be any TODOs in the code when deploying.

Recommendation: Finish the TODOs before deploying.

Spelling Errors

Severity: Informational Context: MyStrategy.sol#L160 (sweeped => swept), MyStrategy.sol#L218 (compunded => compound)

Description: Spelling errors in comments can cause confusion to both users and developers.

Recommendation: Check all misspellings to ensure they are corrected.

Be Aware of the Elastic Supply Tokens

Severity: Informational Context: MyStrategy.sol

Description: Elastic supply tokens could dynamically adjust their price, supply, user's balance, etc. Such a mechanism makes a DeFi system complex, while many security accidnets are caused by the elastic tokens. For example, a DEX using deflationary token must double check the token transfer amount when taking swap action because of the difference of actual transfer amount and parameter.

Recommendation: In terms of confidentiality, integrity and availability, it is highly recommend that one should not use elastic supply tokens.

Missing or Incomplete NatSpec

Severity: Informational Context: MyStrategy.sol

Description: Some functions are missing @notice/@dev NatSpec comments for the function, @param for all/some of their parameters and @return for return values. Given that NatSpec is an important part of code documentation, this affects code comprehension, auditability and usability.

Recommendation: Add in full NatSpec comments for all functions to have complete code documentation for future use.

Use ++index instead of index++ to increment a loop counter

Context: MyStrategy.sol#L288-L343 (For both)

Description: Due to reduced stack operations, using ++index saves 5 gas per iteration.

Recommendation: Use ++index to increment a loop counter.

Catching The Array Length Prior To Loop

Context: MyStrategy.sol#L288-L343 (For both)

Description: One can save gas by caching the array length (in stack) and using that set variable in the loop. Replace state variable reads and writes within loops with local variable reads and writes. This is done by assigning state variable values to new local variables, reading and/or writing the local variables in a loop, then after the loop assigning any changed local variables to their equivalent state variables.

Recommendation: Simply do something like so before the for loop: uint length = variable.length. Then add length in place of variable.length in the for loop.

Function Ordering via Method ID

Context: MyStrategy.sol

Description: Contracts most called functions could simply save gas by function ordering via Method ID. Calling a function at runtime will be cheaper if the function is positioned earlier in the order (has a relatively lower Method ID) because 22 gas are added to the cost of a function for every position that came before it. The caller can save on gas if you prioritize most called functions. One could use This tool to help find alternative function names with lower Method IDs while keeping the original name intact.

Recommendation: Find a lower method ID name for the most called functions for example mostCalled() vs. mostCalled_41q() is cheaper by 44 gas.