Yield-Convex contest - Funen's results

Fixed-rate borrowing and lending on Ethereum

General Information

Platform: Code4rena

Start Date: 28/01/2022

Pot Size: $30,000 USDC

Total HM: 4

Participants: 22

Period: 3 days

Judge: GalloDaSballo

Total Solo HM: 2

Id: 80

League: ETH

Yield

Findings Distribution

Researcher Performance

Rank: 12/22

Findings: 1

Award: $125.22

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Yield

Findings Information

🌟 Selected for report: 0x1f8b

Also found by: Funen, IllIllI, TomFrenchBlockchain, Tomio, WatchPug, defsec, throttle

Labels

bug

duplicate

G (Gas Optimization)

Awards

5.6804 USDC - $5.68

External Links

Link to GitHub issue

Handle

Funen

Vulnerability details

https://github.com/code-423n4/2022-01-yield/blob/main/contracts/ConvexStakingWrapper.sol#L41-L45

curveToken , convexToken , convexpool , collateralVault , convexPoolId comment was used immutable, but actual code not using immutable. immutable can saving more gas

## Recommended Mitigation Steps

    address public curveToken;
    address public convexToken;
    address public convexPool;
    address public collateralVault;
    uint256 public convexPoolId;

changed to

    address public immutable curveToken;
    address public immutable convexToken;
    address public immutable convexPool;
    address public immutable collateralVault;
    uint256 public immutable convexPoolId;

#0 - devtooligan
2022-02-01T02:17:34Z

dup of #42

Findings Information

🌟 Selected for report: robee

Also found by: 0x1f8b, Dravee, Funen, IllIllI, defsec, throttle

Labels

bug

duplicate

G (Gas Optimization)

Awards

7.2132 USDC - $7.21

External Links

Link to GitHub issue

Handle

Funen

Vulnerability details

Impact

Using i++ instead ++i for all the loops, the variable i is incremented using i++. It is known that implementation by using ++i costs less gas per iteration than i++.

##POC

by seen the disscussion here : https://github.com/ethereum/solidity/issues/10695

Occurance

contracts/ConvexStakingWrapper.sol/L115:
contracts/ConvexStakingWrapper.sol/L287:
contracts/ConvexStakingWrapper.sol/L271:
contracts/ConvexStakingWrapper.sol/L315:
contracts/ConvexYieldWrapper.sol/L63:
contracts/ConvexYieldWrapper.sol/L80: contracts/ConvexYieldWrapper.sol/L111:

#0 - iamsahu
2022-02-01T03:48:48Z

#14 #50 #55 #59 #82 #97 #126

#1 - alcueca
2022-02-02T16:10:09Z

Duplicate of #14

Findings Information

🌟 Selected for report: WatchPug

Also found by: Funen, bitbopper, throttle

Labels

bug

duplicate

G (Gas Optimization)

Awards

17.3157 USDC - $17.32

External Links

Link to GitHub issue

Handle

Funen

Vulnerability details

Impact

Expensive gas

Proof of Concept

https://github.com/code-423n4/2022-01-yield/blob/main/contracts/ConvexStakingWrapper.sol#L52-L55

Declaring 3 bool variable is quite expensive for gas usage. Here the better implementation:

bool private _status = true;
    
    modifier nonReentrant() {
        // On the first call to nonReentrant, _notEntered will be true
        require(_status, "ReentrancyGuard: reentrant call");
        // Any calls to nonReentrant after this point will fail
        _status = false;
        _;
        // By storing the original value once again, a refund is triggered (see
        // https://eips.ethereum.org/EIPS/eip-2200)
        _status = true;
    }
    // save a lot of gas

#0 - iamsahu
2022-02-01T03:47:01Z

#133

#1 - alcueca
2022-02-02T16:58:39Z

Actually, #96 has a better solution

Findings Information

🌟 Selected for report: Funen

Labels

bug

G (Gas Optimization)

resolved

sponsor confirmed

Awards

95.0104 USDC - $95.01

External Links

Link to GitHub issue

Handle

Funen

Vulnerability details

https://github.com/code-423n4/2022-01-yield/blob/main/contracts/ConvexStakingWrapper.sol#L94-L95

IERC20(curveToken).approve(convexBooster, 0);
IERC20(curveToken).approve(convexBooster, type(uint256).max);

curveToken was called mutiple times, caching it in memory , it can cost less gas

#0 - GalloDaSballo
2022-02-13T22:56:53Z

Agree with the finding, anytime you're reading from storage even just more than once, it's always cheaper to store in a memory variable

Yield-Convex contest - Funen's results

Fixed-rate borrowing and lending on Ethereum

General Information

Findings Distribution

Researcher Performance

External Links

Gas Report - $125.22

Gas Report - $125.22

[G-04] `immutable` can saving more gas - $5.68

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

## Recommended Mitigation Steps

#0 - devtooligan2022-02-01T02:17:34Z

[G-10] Using ++i instead i++ for saving more gas - $7.21

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Occurance

#0 - iamsahu2022-02-01T03:48:48Z

#1 - alcueca2022-02-02T16:10:09Z

[G-05] more efficient nonReentrant() modifier. - $17.32

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

#0 - iamsahu2022-02-01T03:47:01Z

#1 - alcueca2022-02-02T16:58:39Z

🚀 [G-16] caching curveToken in memory can cost less gas - $95.01

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

#0 - GalloDaSballo2022-02-13T22:56:53Z

#0 - devtooligan
2022-02-01T02:17:34Z

#0 - iamsahu
2022-02-01T03:48:48Z

#1 - alcueca
2022-02-02T16:10:09Z

#0 - iamsahu
2022-02-01T03:47:01Z

#1 - alcueca
2022-02-02T16:58:39Z

#0 - GalloDaSballo
2022-02-13T22:56:53Z