Axelar Network v2 contest - 0xsam's results

Decentralized interoperability network.

General Information

Platform: Code4rena

Start Date: 29/07/2022

Pot Size: $50,000 USDC

Total HM: 6

Participants: 75

Period: 5 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 149

League: ETH

Axelar Network

Findings Distribution

Researcher Performance

Rank: 68/75

Findings: 1

Award: $31.88

🌟 Selected for report: 0

🚀 Solo Findings: 0

Gas Optimization

++i costs less gas than i++ and i+=1 (--i/i--/i-=1 too)

File: contracts/AxelarGateway.sol

    for (uint256 i = 0; i < symbols.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/AxelarGateway.sol#L207

File: contracts/gas-service/AxelarGasService.sol

    for (uint256 i; i < tokens.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/gas-service/AxelarGasService.sol#L123

File: contracts/deposit-service/AxelarDepositService.sol

    for (uint256 i; i < refundTokens.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/AxelarDepositService.sol#L114

File: contracts/deposit-service/AxelarDepositService.sol

    for (uint256 i; i < refundTokens.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/AxelarDepositService.sol#L168

File: contracts/deposit-service/AxelarDepositService.sol

    for (uint256 i; i < refundTokens.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/AxelarDepositService.sol#L204

Initializing a variable to its default value costs unnecessary gas.

File: contracts/AxelarGateway.sol

    for (uint256 i = 0; i < symbols.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/AxelarGateway.sol#L207

File: contracts/auth/AxelarAuthWeighted.sol

    uint256 totalWeight = 0;

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/auth/AxelarAuthWeighted.sol#L68

File: contracts/auth/AxelarAuthWeighted.sol

    for (uint256 i = 0; i < weightsLength; ++i) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/auth/AxelarAuthWeighted.sol#L69

File: contracts/auth/AxelarAuthWeighted.sol

    uint256 operatorIndex = 0;

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/auth/AxelarAuthWeighted.sol#L94

File: contracts/auth/AxelarAuthWeighted.sol

    uint256 weight = 0;

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/auth/AxelarAuthWeighted.sol#L95

File: contracts/auth/AxelarAuthWeighted.sol

    for (uint256 i = 0; i < signatures.length; ++i) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/auth/AxelarAuthWeighted.sol#L98

Loop variable increments (e.g. ++i/i++) should be wrapped in unchecked { ++i } when they cannot overflow, to remove the overflow check and save gas.

File: contracts/AxelarGateway.sol

    for (uint256 i; i < adminCount; ++i) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/AxelarGateway.sol#L195

File: contracts/AxelarGateway.sol

    for (uint256 i = 0; i < symbols.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/AxelarGateway.sol#L207

File: contracts/AxelarGateway.sol

    for (uint256 i; i < commandsLength; ++i) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/AxelarGateway.sol#L292

File: contracts/gas-service/AxelarGasService.sol

    for (uint256 i; i < tokens.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/gas-service/AxelarGasService.sol#L123

File: contracts/deposit-service/AxelarDepositService.sol

    for (uint256 i; i < refundTokens.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/AxelarDepositService.sol#L114

File: contracts/deposit-service/AxelarDepositService.sol

    for (uint256 i; i < refundTokens.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/AxelarDepositService.sol#L168

File: contracts/deposit-service/AxelarDepositService.sol

    for (uint256 i; i < refundTokens.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/AxelarDepositService.sol#L204

File: contracts/auth/AxelarAuthWeighted.sol

    for (uint256 i = 0; i < signatures.length; ++i) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/auth/AxelarAuthWeighted.sol#L98

File: contracts/auth/AxelarAuthWeighted.sol

    for (; operatorIndex < operatorsLength && signer != operators[operatorIndex]; ++operatorIndex) {}

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/auth/AxelarAuthWeighted.sol#L101

File: contracts/auth/AxelarAuthWeighted.sol

    for (uint256 i; i < accounts.length - 1; ++i) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/auth/AxelarAuthWeighted.sol#L116

Array length should not be looked up in every loop. Instead, use a variable to store the length before the loop starts.

File: contracts/AxelarGateway.sol

    for (uint256 i = 0; i < symbols.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/AxelarGateway.sol#L207

File: contracts/AxelarGateway.sol

    for (uint256 i; i < commandsLength; ++i) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/AxelarGateway.sol#L292

File: contracts/deposit-service/AxelarDepositService.sol

    for (uint256 i; i < refundTokens.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/AxelarDepositService.sol#L114

File: contracts/deposit-service/AxelarDepositService.sol

    for (uint256 i; i < refundTokens.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/AxelarDepositService.sol#L168

File: contracts/deposit-service/AxelarDepositService.sol

    for (uint256 i; i < refundTokens.length; i++) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/AxelarDepositService.sol#L204

File: contracts/auth/AxelarAuthWeighted.sol

    for (uint256 i = 0; i < signatures.length; ++i) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/auth/AxelarAuthWeighted.sol#L98

File: contracts/auth/AxelarAuthWeighted.sol

    for (uint256 i; i < accounts.length - 1; ++i) {

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/auth/AxelarAuthWeighted.sol#L116

Declare errors for revert, instead of using strings, to reduce gas.

File: xc20/contracts/XC20Wrapper.sol

    if (axelarToken == address(0)) revert('NotAxelarToken()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L55

File: xc20/contracts/XC20Wrapper.sol

    if (xc20Token.codehash != xc20Codehash) revert('NotXc20Token()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L56

File: xc20/contracts/XC20Wrapper.sol

    if (wrapped[axelarToken] != address(0)) revert('AlreadyWrappingAxelarToken()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L57

File: xc20/contracts/XC20Wrapper.sol

    if (unwrapped[xc20Token] != address(0)) revert('AlreadyWrappingXC20Token()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L58

File: xc20/contracts/XC20Wrapper.sol

    if (!LocalAsset(xc20Token).set_team(address(this), address(this), address(this))) revert('NotOwner()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L61

File: xc20/contracts/XC20Wrapper.sol

    if (!LocalAsset(xc20Token).set_metadata(newName, newSymbol, IERC20(axelarToken).decimals())) revert('CannotSetMetadata()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L62

File: xc20/contracts/XC20Wrapper.sol

    if (axelarToken == address(0)) revert('NotAxelarToken()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L68

File: xc20/contracts/XC20Wrapper.sol

    if (xc20Token == address(0)) revert('NotWrappingToken()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L70

File: xc20/contracts/XC20Wrapper.sol

    if (wrappedToken == address(0)) revert('NotAxelarToken()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L78

File: xc20/contracts/XC20Wrapper.sol

    if (!LocalAsset(wrappedToken).mint(msg.sender, amount)) revert('CannotMint()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L79

File: xc20/contracts/XC20Wrapper.sol

    if (axelarToken == address(0)) revert('NotXc20Token()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L84

File: xc20/contracts/XC20Wrapper.sol

    if (IERC20(wrappedToken).balanceOf(msg.sender) < amount) revert('InsufficientBalance()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L85

File: xc20/contracts/XC20Wrapper.sol

    if (!LocalAsset(wrappedToken).burn(msg.sender, amount)) revert('CannotBurn()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L86

File: xc20/contracts/XC20Wrapper.sol

    if (!transferred || tokenAddress.code.length == 0) revert('TransferFailed()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L98

File: xc20/contracts/XC20Wrapper.sol

    if (!transferred || tokenAddress.code.length == 0) revert('TransferFailed()');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L111

Hardcode hash values instead of calculating the values with keccak256() at runtime, to reduce gas.

File: contracts/gas-service/AxelarGasService.sol

    return keccak256('axelar-gas-service');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/gas-service/AxelarGasService.sol#L181

File: contracts/deposit-service/AxelarDepositService.sol

    return keccak256('axelar-deposit-service');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/contracts/deposit-service/AxelarDepositService.sol#L242

File: xc20/contracts/XC20Wrapper.sol

    return keccak256('xc20-wrapper');

https://github.com/code-423n4/2022-07-axelar/blob/9c4c44b94cddbd48b9baae30051a4e13cbe39539/xc20/contracts/XC20Wrapper.sol#L41
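The loop, revert and hash suggestions from the report above, applied to one function and shown before and after. This is an added example, not code from the report or from the Axelar repository: the contract, its `tokens` array, the `ZeroAddress` error and all function names are hypothetical, and custom errors assume a compiler at solc 0.8.4 or later.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration; every name in this contract is hypothetical.
contract LoopGasExample {
    error ZeroAddress(); // custom error: reverts with a 4-byte selector, no string

    // Named constant for the identifier hash, in place of hashing inside the getter.
    bytes32 internal constant CONTRACT_ID = keccak256('loop-gas-example');

    address[] internal tokens; // storage array: every .length read is an SLOAD

    constructor(address[] memory initialTokens) {
        tokens = initialTokens;
    }

    // Shape flagged by the report: explicit zero init, post-increment,
    // checked increment, .length re-read each iteration, string revert.
    function countBefore() external view returns (uint256 count) {
        for (uint256 i = 0; i < tokens.length; i++) {
            if (tokens[i] == address(0)) revert('ZeroAddress()');
            count += 1;
        }
    }

    // Same count on success; only the revert data differs on failure.
    function countAfter() external view returns (uint256 count) {
        uint256 length = tokens.length; // read the length once
        for (uint256 i; i < length; ) {
            if (tokens[i] == address(0)) revert ZeroAddress();
            count += 1;
            // Safe to skip the overflow check: i < length <= type(uint256).max.
            unchecked {
                ++i;
            }
        }
    }

    function contractId() external pure returns (bytes32) {
        return CONTRACT_ID;
    }
}
```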

#0 - re1ro

2022-08-05T03:30:17Z

1, 2, 3, 4 : Dup #2

  1. Our targeted platform/compiler doesn't support custom errors.

  2. We prefer this for simplicity of verification. This function is only called on upgrades.

#1 - GalloDaSballo

2022-08-20T18:53:52Z

Less than 300 gas saved

For 6. you could use a hardcoded constant which would have the same usage but provide gas savings (the report that constants cost gas is false and has been debunked for ages)
