Platform: Code4rena
Start Date: 08/03/2023
Pot Size: $60,500 USDC
Total HM: 2
Participants: 123
Period: 7 days
Judge: hansfriese
Id: 220
League: ETH
Rank: 59/123
Findings: 2
Award: $48.97
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0x1f8b, 0x6980, 0xAgro, 0xSolus, 0xhacksmithh, 0xkazim, ABA, BPZ, BowTiedOriole, ChainReview, DadeKuma, DeFiHackLabs, Deathstore, DevABDee, Diana, Dravee, Dug, Englave, Go-Langer, Haipls, IceBear, Inspex, Jeiwan, Kek, Kresh, Madalad, MatricksDeCoder, MyFDsYours, RaymondFam, Rolezn, SAAJ, Sathish9098, Taloner, Udsen, Viktor_Cortess, atharvasama, ayden, brgltd, btk, carlitox477, catellatech, chaduke, codeislight, deadrxsezzz, descharre, erictee, fatherOfBlocks, favelanky, glcanvas, handsomegiraffe, jasonxiale, jekapi, joestakey, lemonr, luxartvinsec, martin, matrix_0wl, minhquanym, mrpathfindr, nadin, oyc_109, parsely, peanuts, pfedprog, rbserver, rokso, saian, santipu_, scokaf, slvDev, tsvetanovv, ubl4nk, ulqiorra, yamapyblack, zaskoh
29.6697 USDC - $29.67
---- Bytes.sol ----
The constructor does not check for zero addresses when Bytes.sol is deployed (L80).
A mistake in one of the addresses affects the whole implementation of the contract
and can lead to tokens being minted to and burned from the zero address.
upgradeBytes(_amount) has no zero-amount check in Bytes.sol (L95).
If a user calls the function with 0 as _amount by accident,
it still executes and costs the user gas for a no-op.
The recommendation is to add require(_amount != 0).
The following assertion in the tests doesn't revert:
it("should revert on amount 0", async function () {
  await expect(NTBytes2_0.connect(alice.signer).upgradeBytes(0)).to.be.reverted;
});
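The two checks together, as an added example written for this note and not the project's Bytes.sol: a trimmed, hypothetical stand-in with constructed names (BytesHardened, IBurnableBytes, BYTES1, STAKER) that uses custom errors, which are cheaper to revert with than require strings, and makes the test assertion above pass.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

/// Minimal interface for the old BYTES token (assumed; only burn is needed here).
interface IBurnableBytes {
    function burn(address _from, uint256 _amount) external;
}

/// Hypothetical, trimmed stand-in for Bytes.sol written for this note; not the
/// project's code. It keeps only the two paths the findings above discuss.
contract BytesHardened is ERC20 {
    error ZeroAddress();
    error ZeroAmount();

    /// Old BYTES contract that is burned on upgrade (name assumed).
    address public immutable BYTES1;
    /// Staker contract that is allowed to mint rewards (name assumed).
    address public immutable STAKER;

    /// Both dependencies are immutable, so a zero address passed at deployment
    /// could not be corrected without redeploying; reject it up front.
    constructor(address _bytes1, address _staker) ERC20("BYTES 2.0", "BYTES") {
        if (_bytes1 == address(0) || _staker == address(0)) revert ZeroAddress();
        BYTES1 = _bytes1;
        STAKER = _staker;
    }

    /// Burns old BYTES from the caller and mints the same amount of new BYTES.
    function upgradeBytes(uint256 _amount) external {
        // A 0 amount is a no-op that would still pay for the external burn
        // and the mint; revert early so the caller does not waste gas.
        if (_amount == 0) revert ZeroAmount();
        IBurnableBytes(BYTES1).burn(msg.sender, _amount);
        _mint(msg.sender, _amount);
    }
}
```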
---- NeoTokyoStaker.sol ----
In L1205, consider omitting the range check on the enum _assetType,
since Solidity already checks it and reverts with a Panic error.
In this case the revert InvalidAssetType(uint256(_assetType)) is never hit.
In any case, the range of enum AssetType is 0..3, so the proper range check would be:
if (uint8(_assetType) > 3) { revert InvalidAssetType(uint256(_assetType)); }
There's a similar occurrence in L1688.
#0 - c4-judge
2023-03-17T02:59:54Z
hansfriese marked the issue as grade-c
#1 - c4-judge
2023-04-04T09:25:55Z
hansfriese marked the issue as grade-b
#2 - hansfriese
2023-04-04T09:26:25Z
2L
🌟 Selected for report: JCN
Also found by: 0x1f8b, 0xSmartContract, 0xSolus, 0xhacksmithh, 0xnev, Angry_Mustache_Man, Aymen0909, Diana, Flora, Inspex, Madalad, MatricksDeCoder, MiniGlome, R-Nemes, RaymondFam, ReyAdmirado, Rolezn, SAAJ, Sathish9098, Shubham, Udsen, Viktor_Cortess, arialblack14, atharvasama, ayden, c3phas, carlitox477, descharre, dharma09, durianSausage, fatherOfBlocks, ginlee, glcanvas, hunter_w3b, leopoldjoy, matrix_0wl, mrpathfindr, nadin, oyc_109, pipoca, schrodinger, slvDev, ulqiorra, volodya
19.3029 USDC - $19.30
---- NeoTokyoStaker.sol ----
Redundant code because of repetition in the following lines:
L638-L641
L663-L667
Consider moving that logic into a separate function to save gas.
The function is declared view because its callers are view functions and it only reads through the getter:
function getVaultMultiplier(uint256 _vaultId) internal view returns (string memory) {
    // Retrieve the credit rate multiplier of the Vault.
    IGenericGetter vault = IGenericGetter(VAULT);
    return (_vaultId != 0) ? vault.getCreditMultiplier(_vaultId) : "";
}
Replace L644
return identityCreditYield[rewardRate][getVaultMultiplier(_vaultId)];
Replace L670
return vaultCreditMultiplier[getVaultMultiplier(_vaultId)];
---- NeoTokyoStaker.sol ----
Consider replacing _stringEquals(_a, _b) in L824, which costs 2107 gas, with:
/**
 * @dev Returns true if the two strings are equal.
 */
function equal(string memory a, string memory b) internal pure returns (bool) {
    return keccak256(bytes(a)) == keccak256(bytes(b));
}
This is the implementation used by OpenZeppelin; it's less code, easier to read and more gas efficient, with an execution cost of 1931 gas vs 2107.
#0 - c4-judge
2023-03-17T03:58:29Z
hansfriese marked the issue as grade-c
#1 - c4-judge
2023-03-24T14:11:10Z
hansfriese marked the issue as grade-b