Platform: Code4rena
Start Date: 14/06/2022
Pot Size: $50,000 USDC
Total HM: 19
Participants: 99
Period: 5 days
Judge: HardlyDifficult
Total Solo HM: 4
Id: 136
League: ETH
Rank: 58/99
Findings: 2
Award: $80.32
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: joestakey
Also found by: 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xkowloon, 0xmint, 8olidity, BowTiedWardens, Chom, Cityscape, Czar102, ElKu, FSchmoede, Funen, GimelSec, GreyArt, IllIllI, KIntern, Kaiziron, Kenshin, Lambda, MadWookie, MiloTruck, PPrieditis, Picodes, Ruhum, Sm4rty, StErMi, TerrierLover, TomJ, Treasure-Seeker, VAD37, WatchPug, Wayne, _Adam, a12jmx, abhinavmir, antonttc, apostle0x01, asutorufos, berndartmueller, cccz, cloudjunky, codexploder, cryptphi, csanuragjain, defsec, delfin454000, fatherOfBlocks, georgypetrov, hake, hansfriese, horsefacts, hyh, k, kenta, nxrblsrpr, oyc_109, peritoflores, rajatbeladiya, reassor, rfa, robee, sach1r0, saian, samruna, shenwilly, simon135, sorrynotsorry, sseefried, throttle, unforgiven, wagmi, zzzitron
48.9813 USDC - $48.98
///@dev Penalties if staked tokens are rageQuit early. Example: If 100 tokens are staked for twelve months but rageQuit right away, /// the user will get back 100/4 tokens. uint16 public THREE_MONTH_PENALTY = 2; uint16 public SIX_MONTH_PENALTY = 3; uint16 public TWELVE_MONTH_PENALTY = 4;
uint256 totalToUser = totalVested + ((threeMonthLock - threeMonthVested) / THREE_MONTH_PENALTY) + ((sixMonthLock - sixMonthVested) / SIX_MONTH_PENALTY) + ((twelveMonthLock - twelveMonthVested) / TWELVE_MONTH_PENALTY); uint256 penalty = totalStaked - totalToUser;
What if you want to reduce penalty to around 10%? You should set penalty to around 1.1 which is not possible as it is uint not float.
You should write penalty in BPS format
///@dev Penalties if staked tokens are rageQuit early. Example: If 100 tokens are staked for twelve months but rageQuit right away, /// the user will get back 100/4 tokens. uint16 public THREE_MONTH_PENALTY = 20000; uint16 public SIX_MONTH_PENALTY = 30000; uint16 public TWELVE_MONTH_PENALTY = 40000;
uint256 totalToUser = totalVested + ((threeMonthLock - threeMonthVested) * 10000 / THREE_MONTH_PENALTY) + ((sixMonthLock - sixMonthVested) * 10000 / SIX_MONTH_PENALTY) + ((twelveMonthLock - twelveMonthVested) * 10000 / TWELVE_MONTH_PENALTY); uint256 penalty = totalStaked - totalToUser;
#0 - HardlyDifficult
2022-07-12T05:01:01Z
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xAsm0d3us, 0xDjango, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 0xkowloon, BowTiedWardens, Chom, ElKu, FSchmoede, Funen, GimelSec, Kaiziron, Kenshin, Lambda, MadWookie, MiloTruck, PPrieditis, Picodes, PwnedNoMore, StErMi, Tadashi, TerrierLover, TomJ, Tomio, Wayne, Waze, _Adam, antonttc, apostle0x01, asutorufos, c3phas, codexploder, defsec, delfin454000, fatherOfBlocks, hake, hansfriese, hyh, joestakey, k, kenta, oyc_109, peritoflores, reassor, rfa, robee, sach1r0, simon135, slywaters, zer0dot
31.3363 USDC - $31.34
Currently, verify function takes too much gas on Address.isContract(signer)
Address.isContract(signer) = extcodesize will cause an unnecessary 2600 upfront gas cost on every transaction. While it can be avoided for majority of case where it is EOA wallet.
function verify( bytes32 orderHash, address signer, bytes32 r, bytes32 s, uint8 v, bytes32 domainSeparator ) internal view returns (bool) { // \x19\x01 is the standardized encoding prefix // https://eips.ethereum.org/EIPS/eip-712#specification bytes32 digest = keccak256(abi.encodePacked('\x19\x01', domainSeparator, orderHash)); if (Address.isContract(signer)) { // 0x1626ba7e is the interfaceId for signature contracts (see IERC1271) return IERC1271(signer).isValidSignature(digest, abi.encodePacked(r, s, v)) == 0x1626ba7e; } else { return recover(digest, r, s, v) == signer; } }
2600 gas on Address.isContract(signer) can be avoided by using Seaport implementation
https://github.com/ProjectOpenSea/seaport/blob/main/contracts/lib/SignatureVerification.sol
This reduce gas cost as show here https://forum.openzeppelin.com/t/a-collection-of-gas-optimisation-tricks/19966/5
Solidity 0.8.4 introduced custom errors. They are more gas efficient than revert strings, when it comes to deployment cost as well as runtime cost when the revert condition is met. Use custom errors instead of revert strings for gas savings.
Any require statement in your code can be replaced with custom error for example:
require(verifyMatchOneToManyOrders(buyOrderHash, false, sell, buy), 'order not verified');
Can be replaced with
// declare error before contract declaration error OrderNotVerified(); if(!verifyMatchOneToManyOrders(buyOrderHash, false, sell, buy)) revert OrderNotVerified();