Fraxlend (Frax Finance) contest - LeoS's results

Fraxlend: A permissionless lending platform and the final piece of the Frax Finance Defi Trinity.

General Information

Platform: Code4rena

Start Date: 12/08/2022

Pot Size: $50,000 USDC

Total HM: 15

Participants: 120

Period: 5 days

Judge: Justin Goro

Total Solo HM: 6

Id: 153

League: ETH

Frax Finance

Findings Distribution

Researcher Performance

Rank: 53/120

Findings: 2

Award: $67.08

🌟 Selected for report: 0

🚀 Solo Findings: 0

Low Risk

[L-01] Floating pragma.

It's good practice to avoid floating pragmas. Code should be compiled with the version it has been tested with the most. Pinning the version also avoids the use of nightly builds, which can have unexpected and unknown behaviors.

9 instances

Consider replacing ^0.8.15 with 0.8.15.

[L-02] Missing check for address(0) when assigning a value to an address state variable.

Checking for the zero address is best practice; it prevents having to redeploy the contract after a typo or an error in the deployment parameters.

1 instance:

Consider checking whether any of them is == address(0).

[L-03] The use of _mint() is discouraged

The use of _safeMint() instead of _mint() can prevent tokens from being lost and is, from a documentation point of view, a better practice.

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/d4d8d2ed9798cc3383912a23b5e8d5cb602f7d4b/contracts/token/ERC721/ERC721.sol#L271

2 instances:

Consider replacing _mint() with _safeMint().

Non Critical

[N-01] Typo.

Consider these changes:

Gas Optimizations

[G-01] Index increment can be left unchecked in for loops

For Solidity ^0.8.0 there is an overflow check on each increment operation. This check is not needed for the index of these for or while loops, since it cannot overflow.

9 instances:

Consider removing i++ or ++i from the loop header and replacing it with unchecked { ++i; } at the end of the loop body. Transforming i++ into ++i is also cheaper.

[G-02] Expressions like x = x + y are cheaper than x += y for state variables.

22 instances:

Consider replacing += and -= with the explicit x = x + y and x = x - y forms.

[G-03] Unnecessary initialization of variables.

int, uint, bool and address are initialized by default to 0, 0, false and address(0). It is not necessary to initialize them to these values again.

uint256 i = 0; -> uint256 i;

11 instances:

Consider shortening these initializations.

Saves 3 gas each.

[G-04] .length should not be called in every loop.

Caching the length costs gas once (writing the local variable), but every subsequent read of the local is cheaper than calling .length again. So if the length is read many times, it is good practice to cache it.

7 instances:

Consider caching the length before the loop.

Costs 100 gas to store the length, but saves 3 gas on each loop iteration by not calling it.

[G-05] Multiple access of an array should use a local variable cache.

Accessing a value in an array costs a lot of gas; if the same index is read multiple times, it's good practice to cache it in a local variable.

2 instances: https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPair.sol#L291-L293 https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPair.sol#L310-L312

Consider caching these values.

Saves 42 gas per call.
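To show how G-01, G-03, G-04 and G-05 combine in one loop, here is an added illustration that is not Fraxlend code and not part of the original report; the contract, the balances array and both function names are assumed for the example. The naive version and the optimized version compute the same sum.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.15; // pinned version, as recommended in L-01

// Constructed example contract (not from the Fraxlend codebase).
contract LoopGasExample {
    uint256[] public balances; // assumed storage array for the example

    // Naive loop: explicit zero initializer, .length read on every
    // iteration, checked i++, and balances[i] loaded from storage twice.
    function sumNaive() external view returns (uint256 total) {
        for (uint256 i = 0; i < balances.length; i++) {
            if (balances[i] > 0) {
                total += balances[i];
            }
        }
    }

    // Optimized loop:
    //  - G-03: no explicit "= 0" initializer for i
    //  - G-04: array length read once into a local before the loop
    //  - G-05: the element at index i is read once into a local
    //  - G-01: the increment runs in an unchecked block, which is safe
    //          because i < len bounds it and len fits in a uint256
    // "total" is a stack variable, so G-02 (state variables only) does
    // not apply to "total += bal".
    function sumOptimized() external view returns (uint256 total) {
        uint256[] storage arr = balances;
        uint256 len = arr.length;
        for (uint256 i; i < len; ) {
            uint256 bal = arr[i];
            if (bal > 0) {
                total += bal;
            }
            unchecked {
                ++i;
            }
        }
    }
}
```

Both functions return the same value for any state of balances, so the optimized version can be verified by comparing its result against the naive one in a test before replacing the original.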

[G-06] External functions restricted to the owner can be marked payable.

If a function is guaranteed to revert when called by a normal user, it can be marked payable to skip the check on whether a payment was provided.

7 instances:

Consider adding the payable keyword.

Saves 21 gas each.

[G-07] Short revert strings save gas.

Revert strings longer than 32 bytes require at least one additional mstore and so consume more gas than shorter ones.

8 instances:

Consider shortening the revert strings to fit within 32 bytes, or using custom errors.

Saves deployment cost, and runtime cost when the revert condition is met.

[G-08] Usage of uint/int smaller than 32 bytes causes overhead.

To optimize gas, it's good practice to use only 32-byte uint/int. The EVM operates on 32-byte words; if an element is smaller than that, the EVM needs to convert it to 32 bytes, which costs gas. This conversion cost usually outweighs the gain of a properly sized element.

45 instances:

Consider changing those data types.
