Platform: Code4rena
Start Date: 26/05/2022
Pot Size: $75,000 USDT
Total HM: 31
Participants: 71
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 18
Id: 126
League: ETH
Rank: 20/71
Findings: 2
Award: $990.30
Selected for report: 1
Solo Findings: 0
Selected for report: GalloDaSballo
Also found by: IllIllI
937.187 USDT - $937.19
veTokenMinter allows any operator to mint new tokens, that's fine in the context of it being used for:
- VeAssetDepositor: deposit for the user and mint
- Booster: mint reward tokens
However, because of the open-ended system that allows any address to be set as operator, the system allows the admin to set themselves as the operator and to mint an excess amount of tokens, diluting other users.
Because this seems to be used exclusively by the VeAssetDepositor and the Booster, hardcoding these two addresses would provide stronger security guarantees.
addOperator(malicious, {"from": gov})
mint(malicious, AMOUNT, {"from": malicious})
Set the minters as immutable to provide stronger security guarantees
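The open operator pattern described in this finding next to the hardened form the remediation suggests, as an added example that is not the audited project's code. The contract names, the constructor parameters and the minimal balance bookkeeping are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical contracts for illustration only.

// Pattern from the finding: the owner can register any address as operator,
// and every operator can mint without limit.
contract OpenOperatorMinter {
    address public immutable owner;
    mapping(address => bool) public operators;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor() { owner = msg.sender; }

    function addOperator(address op) external {
        require(msg.sender == owner, "!owner");
        operators[op] = true; // nothing stops the owner passing its own address
    }

    function mint(address to, uint256 amount) external {
        require(operators[msg.sender], "!operator");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Hardened form: the two minters are fixed at deployment and cannot be changed.
contract FixedMinter {
    address public immutable depositor; // assumed: the VeAssetDepositor address
    address public immutable booster;   // assumed: the Booster address
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    error NotMinter(address caller);

    constructor(address depositor_, address booster_) {
        require(depositor_ != address(0) && booster_ != address(0), "zero addr");
        depositor = depositor_;
        booster = booster_;
    }

    function mint(address to, uint256 amount) external {
        // Immutables are read from bytecode, so this check needs no storage read.
        if (msg.sender != depositor && msg.sender != booster) revert NotMinter(msg.sender);
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
```

Immutable minters must be known when the token is deployed, so the deployment order (or precomputed addresses) has to account for that.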
#0 - jetbrain10
2022-06-15T16:41:20Z
Admin will be controlled by the DAO to prevent this from happening.
#1 - GalloDaSballo
2022-07-25T00:31:25Z
Because I am judging the contest, I am forfeiting any winnings.
I do believe that the system would be best if the minters were hardcoded (it would also save gas).
Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, Cityscape, Dravee, ElKu, FSchmoede, Funen, GalloDaSballo, Hawkeye, Kaiziron, MiloTruck, Randyyy, RoiEvenHaim, Ruhum, SecureZeroX, SmartSek, TerrierLover, TomJ, Tomio, WatchPug, Waze, _Adam, asutorufos, c3phas, catchup, cogitoergosumsw, delfin454000, ellahi, fatherOfBlocks, gzeon, hansfriese, horsefacts, jonatascm, minhquanym, oyc_109, pauliax, reassor, robee, sach1r0, saian, sashik_eth, simon135, z3s
53.1114 USDT - $53.11
rewardFactory is never changed, making it immutable will save 2.1k gas for each time it is read for the first time.
This type of gas saving is the biggest you can have.
In this constructor call you're setting isShutdown = false; by default bool values will be false, so this assignment will cost extra gas.
This used to save 800 gas but I believe it saves 100 gas now
Cache var to avoid length check, this will save 3 gas per iteration
For loop iterations, you can save 3 gas with pre-increment and almost 20 gas per iteration with unchecked { ++i }
See an example of how to code it here: https://github.com/GalloDaSballo/badger-onchain-rewards/blob/ececa503bcc388786bf68d4e12601c834917ed67/contracts/RewardsManager.sol#L391
#0 - GalloDaSballo
2022-07-14T02:04:34Z
Saves 2.1k; the rest is poorly developed.