Platform: Code4rena
Start Date: 12/08/2022
Pot Size: $50,000 USDC
Total HM: 15
Participants: 120
Period: 5 days
Judge: Justin Goro
Total Solo HM: 6
Id: 153
League: ETH
Rank: 58/120
Findings: 2
Award: $67.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0x1f8b
Also found by: 0x52, 0xA5DF, 0xDjango, 0xNazgul, 0xNineDec, 0xSmartContract, 0xmatt, 0xsolstars, Aymen0909, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, EthLedger, Funen, IllIllI, JC, Junnon, Lambda, LeoS, MiloTruck, Noah3o6, PaludoX0, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, SaharAP, Sm4rty, SooYa, The_GUILD, TomJ, Waze, Yiko, _Adam, __141345__, a12jmx, ak1, asutorufos, auditor0517, ayeslick, ballx, beelzebufo, berndartmueller, bin2chen, brgltd, c3phas, cRat1st0s, cccz, cryptonue, cryptphi, d3e4, delfin454000, dipp, djxploit, durianSausage, dy, erictee, fatherOfBlocks, gogo, gzeon, hyh, ignacio, kyteg, ladboy233, medikko, mics, minhquanym, oyc_109, pfapostol, rbserver, reassor, ret2basic, robee, sach1r0, simon135, sryysryy, tabish, yac, yash90, zzzitron
45.8419 USDC - $45.84
This fn can be used as modifier OnlyWhitelisted eversince to known a function was doesn't do anything unusual. Since Modifiers are code that can be run before and / or after a function call.
Modifiers can be used to: Restrict access Validate inputs Guard against reentrancy hack
on that side we can added as original boringERC20 used for, and adding :
bytes4 private constant SIG_TRANSFER = 0xa9059cbb; // transfer(address,uint256) bytes4 private constant SIG_TRANSFER_FROM = 0x23b872dd; // transferFrom(address,address,uint256)
since the creator was of @boringcrypto
This is not a full ERC20 implementation, as it's missing totalSupply. It's optimized for minimal gas usage while remaining easy to read.
So the implementation for safeTransfer & safeTransferFrom can be used. So for fn safeTransfer() and safeTransferFrom()
can used this implementation below to get it done (didn't need to import SafeERC20 as OZSafeERC20, which can optimize more) :
(bool success, bytes memory data) = address(token).call(abi.encodeWithSelector(SIG_TRANSFER, to, value)); require(success && (data.length == 0 || abi.decode(data, (bool))), "Transfer failed");
(bool success, bytes memory data) = address(token).call(abi.encodeWithSelector(SIG_TRANSFER_FROM, from, to, value)); require(success && (data.length == 0 || abi.decode(data, (bool))), "TransferFrom failed");
Source :
https://github.com/boringcrypto/BoringSolidity https://github.com/boringcrypto/BoringSolidity/blob/master/contracts/libraries/BoringERC20.sol
in this line of source, needed to be checked if the _recipient was not getting zero addresess.
for best practice, since a = a + 1, can be changed into a += 1.
Files :
share += 1; // or share++;
amount += + 1; // or amount++
Source :
https://www.geeksforgeeks.org/solidity-operators/
This can be changed by using i++ or ++i instead.
Since DEFAULT_LIQ_FEE was set to be // 0% with 1e5 precision. It can be changed by using 1e4 rather than 10000
uint256 public DEFAULT_LIQ_FEE = 10000; // 10% with 1e5 precision
Files :
f(utilization) // f can be deleted
Since it was used ^0.8.15. As the compiler can be use for example 0.8.x and consider locking at this version the same as another. It can be consider using locking the pragma version whenever possible and avoid using a floating pragma in the final deployment. Since it can be problematic, if there are publicly disclosed bugs and issues that affect the current compiler version used.
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0xA5DF, 0xDjango, 0xNazgul, 0xSmartContract, 0xackermann, 0xbepresent, 0xc0ffEE, 0xkatana, 2997ms, Amithuddar, Aymen0909, Bnke0x0, Chinmay, Chom, CodingNameKiki, Deivitto, Diraco, Dravee, ElKu, EthLedger, Fitraldys, Funen, IgnacioB, JC, Junnon, Lambda, LeoS, Metatron, MiloTruck, Noah3o6, NoamYakov, PaludoX0, Randyyy, ReyAdmirado, Rohan16, Rolezn, Ruhum, SaharAP, Sm4rty, SooYa, TomJ, Tomio, Waze, Yiko, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, ballx, brgltd, c3phas, cRat1st0s, carlitox477, chrisdior4, d3e4, delfin454000, dharma09, djxploit, durianSausage, erictee, fatherOfBlocks, find_a_bug, flyx, francoHacker, gerdusx, gogo, gzeon, hakerbaya, ignacio, jag, kyteg, ladboy233, ltyu, m_Rassska, medikko, mics, mrpathfindr, newfork01, nxrblsrpr, oyc_109, pfapostol, rbserver, reassor, ret2basic, robee, sach1r0, saian, simon135, sryysryy, zeesaw
21.1705 USDC - $21.17
#GAS OPT
Files :
uint256 public DEFAULT_MAX_LTV = 75000; // 75% with 1e5 precision uint256 public GLOBAL_MAX_LTV = 1e8; // 1000x (100,000%) with 1e5 precision, protects from rounding errors in LTV calc uint256 public DEFAULT_LIQ_FEE = 10000; // 10% with 1e5 precision
Every reason string takes at least 32 bytes. Use short reason strings that fits in 32 bytes or it will become more expensive.
File :
/main/src/contracts/FraxlendPairDeployer.sol#L253 "FraxlendPairDeployer: Pair name must be unique" /main/src/contracts/FraxlendPairDeployer.sol#L365 "FraxlendPairDeployer: _maxLTV is too large" /main/src/contracts/FraxlendPairDeployer.sol#L368 "FraxlendPairDeployer: Only whitelisted addresses
Custom errors can be used from Solidity 0.8.4 are cheaper than revert strings. Its cheaper deployment cost and runtime cost when the revert condition is met.
Files :