Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 198
Period: 3 days
Judge: 0xean
Total Solo HM: 2
Id: 164
League: ETH
Rank: 142/198
Findings: 1
Award: $18.87
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: AkshaySrivastav
Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x5rings, 0x85102, 0xA5DF, 0xDecorativePineapple, 0xNazgul, 0xSky, 0xSmartContract, 0xbepresent, 0xf15ers, 0xmatt, 2997ms, Aeros, Aymen0909, B2, Bahurum, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, Diraco, Dravee, ElKu, Funen, IllIllI, JC, JLevick, JohnSmith, JohnnyTime, KIntern_NA, Lambda, Margaret, MasterCookie, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, SooYa, StevenL, TomJ, Tomo, V_B, Waze, Yiko, __141345__, a12jmx, ajtra, ak1, async, ayeslick, aysha, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, cccz, ch13fd357r0y3r, chatch, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dic0de, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, gogo, got_targ, hansfriese, ignacio, ikbkln, indijanc, innertia, joestakey, karanctf, ladboy233, leosathya, lukris02, martin, medikko, millersplanet, nalus, natzuu, neko_nyaa, neumo, obront, oyc_109, pcarranzav, peanuts, pedr02b2, pedroais, peiw, peritoflores, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, rokinot, romand, rotcivegaf, rvierdiiev, sach1r0, seyni, sikorico, slowmoses, sorrynotsorry, supernova, tibthecat, tnevler, ubermensch, yongskiws, zzykxx, zzzitron
18.8655 USDC - $18.87
Ownable.sol
The contracts mentioned above import the OpenZeppelin (OZ) Ownable.sol contract without using it.
AccessProtected.sol implements its own access control functionality; it neither inherits from Ownable.sol nor uses any of its functions.
VTVLVesting.sol inherits AccessProtected.sol and uses its access control logic. There is no need to import Ownable.sol, since it doesn't use any of its functions or modifiers.
To improve readability and avoid confusion, consider removing unused imports.
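A check for the unused-import finding above, as an added example that is not part of the original report or the project's code: a small Python scan that lists imports whose names never appear in the rest of a Solidity file. The sample contract is constructed, and the scan assumes a path import's file name matches the contract it declares.

```python
import re

# Matches `import "path/File.sol";` and `import {A, B as C} from "path/File.sol";`
IMPORT_RE = re.compile(r'import\s+(?:\{([^}]*)\}\s+from\s+)?["\']([^"\']+)["\']\s*;')
COMMENT_RE = re.compile(r'//[^\n]*|/\*.*?\*/', re.S)

def unused_imports(source):
    """Return imported names that are never referenced outside the import lines."""
    code = COMMENT_RE.sub('', source)   # a mention inside a comment is not a use
    body = IMPORT_RE.sub('', code)      # the file with its import statements removed
    unused = []
    for m in IMPORT_RE.finditer(code):
        named, path = m.group(1), m.group(2)
        if named:
            # Named import: the local name is the alias when `as` is present.
            names = [p.split()[-1] for p in named.split(',') if p.strip()]
        else:
            # Path import (assumption): file name equals the contract name.
            names = [re.sub(r'\.sol$', '', path.rsplit('/', 1)[-1])]
        for name in names:
            if not re.search(r'\b' + re.escape(name) + r'\b', body):
                unused.append(name)
    return unused

# Constructed sample, not the audited source.
SAMPLE = '''
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/utils/Context.sol";
import {IERC20, SafeERC20 as Safe} from "./Tokens.sol";

// Own admin mapping instead of Ownable's onlyOwner
abstract contract AccessProtected is Context {
    mapping(address => bool) private _admins;
    modifier onlyAdmin() {
        require(_admins[_msgSender()], "NOT_ADMIN");
        _;
    }
    function sweep(IERC20 token) external onlyAdmin {}
}
'''

if __name__ == "__main__":
    print(unused_imports(SAMPLE))
```

A name match is only a heuristic: a path import can bring in other symbols declared in the same file, so confirm each hit before deleting the import.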
VTVLVesting.sol (withdraw function)
The withdraw function reverts in case allowance > usrClaim.amountWithdrawn; in case allowance = usrClaim.amountWithdrawn, it continues its execution, calculating the amountRemaining and then transferring the tokens to the recipient.
A user might mistakenly call this function twice in a short period of time, which will lead to allowance = usrClaim.amountWithdrawn and amountRemaining = 0.
The require won't be triggered, and the function will continue its execution, adding and removing the number 0 from storage variables and calling the safeTransfer function with 0 as a parameter.
These extra opcodes consume more gas from the user, which could be avoided.
Don't continue the withdraw function execution in case allowance = usrClaim.amountWithdrawn, to save gas for users.
Change the following line of code:
require(allowance > usrClaim.amountWithdrawn, "NOTHING_TO_WITHDRAW");
To:
require(allowance >= usrClaim.amountWithdrawn, "NOTHING_TO_WITHDRAW");