Back to MaratCerby's contests

Rubicon contest - MaratCerby's results

An order book protocol for Ethereum, built on L2s.

General Information

Platform: Code4rena

Start Date: 23/05/2022

Pot Size: $50,000 USDC

Total HM: 44

Participants: 99

Period: 5 days

Judge: hickuphh3

Total Solo HM: 11

Id: 129

League: ETH

Rubicon

Findings Distribution

Researcher Performance

Rank: 36/99

Findings: 6

Award: $224.38

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryRubicon

Findings Information

🌟 Selected for report: xiaoming90

Also found by: GimelSec, IllIllI, MaratCerby, PP1004, WatchPug, berndartmueller, blockdev, ilan

Labels

bug
duplicate
2 (Med Risk)

Awards

42.6857 USDC - $42.69

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L202-L206 https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L274-L278 https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconRouter.sol#L366 https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathHouse.sol#L157-L161 https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathHouse.sol#L172-L176

Vulnerability details

Impact

Every time transferFrom or transfer function in ERC20 standard is called there is a possibility that underlying smart contract did not transfer the exact amount entered. It is required to find out contract balance increase/decrease after the transfer to allow fee-on-transfer tokens or forbid non-standard tokens. This pattern also prevents from re-entrancy attack vector.

Proof of Concept

POC (re-entrancy for fee-on-transfer tokens):

  1. Contract calls transfer from contractA 100 tokens to current contract
  2. Current contract thinks it received 100 tokens
  3. It updates internal balance sheet +100 tokens
  4. While actually contract received only 90 tokens
  5. That breaks whole math for given token
  6. Now imagine some fake token which does not send anything Attacker could run re-entrancy and boosting deposits in the storage while transferring nothing. At the end drain tokenOut (if it is DEX) or withdraw something else based on large deposit.

Tools Used

There are several possible scenarios to prevent that.

  1. Check how much contract balance is increased/decreased after every transfer (costs more gas)
  2. Make a separate contract that checks if the token has fee-on-transfer and store bool value depending on the result. If there is fee-on-transfer you can throw a require not allowing to use such token in the system while still saving lots of gas checking it only once. Or if you still want to allow fee-on-transfer tokens, amount variable must be updated to the balance difference after and before transfer.

Recommended example code:

enum FeeOnTransferStatuses{ NOT_INITIALIZED, HAS_FEE_ON_TRANSFER, DOES_NOT_HAVE_FEE_ON_TRANSFER }
mapping(IERC20 => FeeOnTransferStatuses) doesThisContractHaveFeeOnTransfer;
error FeeOnTransferTokensAreForbidden();
...
function deposit(IERC20 token, address from, uint256 amount) public {

    // reverting for fee-on-transfer tokens
    if (doesThisContractHaveFeeOnTransfer[token] == FeeOnTransferStatuses.HAS_FEE_ON_TRANSFER) {
        revert FeeOnTransferTokensAreForbidden();
    }

    // NOT_INITIALIZED is the default value == 0
    if (doesThisContractHaveFeeOnTransfer[token] == FeeOnTransferStatuses.NOT_INITIALIZED) {
        uint256 balanceBefore = token.balanceOf(address(this)); // remembering asset balance before the transfer
        token.safeTransferFrom(from, address(this), amount);
        uint256 balanceAfter = token.balanceOf(address(this));

        // making sure exactly amount was transferred
        if (balanceAfter != balanceBefore + amount) {            
            revert FeeOnTransferTokensAreForbidden();
        }

        // IMPORTANT! if you allow fee-on-transfer tokens make sure to update amount with the actual balance increase/decrease
        // or make sure balanceAfter - balanceBefore == amount using require
        // amount = balanceAfter - balanceBefore; // commented because we skip fee-on-transfer tokens above

        doesThisContractHaveFeeOnTransfer[token] = FeeOnTransferStatuses.DOES_NOT_HAVE_FEE_ON_TRANSFER; // making sure to not enter this if clause anymore for given token
    } else {
        // token does not have fee-on-transfer here
        token.safeTransferFrom(from, address(this), amount);
    }

    // no re-entrancy vector attack below here 
    // amount is set to exactly how much contract balance was increased

    registerDeposit(from, amount); 
}

#0 - bghughes

2022-06-03T20:42:59Z

Duplicate of #316

#1 - HickupHH3

2022-06-15T13:02:25Z

Duplicate of #112 because it is about FoT

#2 - HickupHH3

2022-06-16T08:06:22Z

A good auditor provides meaningful context and explanation to the issue. The consensus is that we shouldn't be rewarding wardens who do not put in the effort to help the sponsors understand issues raised, compared to other submissions that actually do.

Hence, I would've marked this as QA because the POC and example code is generic and isn't customized. However, in the spirit of fairness to the numerous duplicates regarding another issue about checking ERC20 return values, I will leave things the way they are this time around.

Findings Information

🌟 Selected for report: kenzo

Also found by: 0x1f8b, 0xsomeone, Dravee, IllIllI, MaratCerby, berndartmueller, cryptphi, xiaoming90

Labels

bug
duplicate
2 (Med Risk)

Awards

42.6857 USDC - $42.69

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L157 https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L165 https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L180 https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L214 https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L256 https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L689 https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L744

Vulnerability details

Impact

a. ERC20 standard allows approve function of some contracts to return bool or return nothing Using safeApprove of SafeERC20.sol is recommended instead.

b. Approval must be set to zero and after that increased to the amount you need. Some of the tokens such as USDT require that. Please read more information here: https://www.adrianhetman.com/unboxing-erc20-approve-issues/

Proof of Concept

Tools Used

#0 - bghughes

2022-06-03T20:43:41Z

Duplicate of #316

#1 - HickupHH3

2022-06-23T15:19:53Z

Weak duplicate of #100

Findings Information

🌟 Selected for report: WatchPug

Also found by: Chom, Dravee, Hawkeye, MaratCerby, Ruhum, csanuragjain, fatherOfBlocks, minhquanym

Labels

bug
duplicate
2 (Med Risk)
upgraded by judge

Awards

42.6857 USDC - $42.69

External Links

Link to GitHub issue

Judge has assessed an item in Issue #27 as Medium risk. The relevant finding follows:

#0 - HickupHH3

2022-06-27T14:00:49Z

isClosed always returns false, consider removing it because it makes no sense. dup of #148

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1337, 0x1f8b, 0x4non, 0xDjango, 0xKitsune, 0xNazgul, 0xf15ers, ACai, AlleyCat, Bahurum, BouSalman, CertoraInc, Chom, Dravee, ElKu, FSchmoede, Funen, GimelSec, Hawkeye, JC, JMukesh, Kaiziron, MaratCerby, Metatron, PP1004, Picodes, Ruhum, SmartSek, StErMi, TerrierLover, UVvirus, UnusualTurtle, WatchPug, Waze, _Adam, asutorufos, berndartmueller, blackscale, blockdev, broccolirob, c3phas, catchup, cryptphi, csanuragjain, defsec, delfin454000, dipp, eccentricexit, ellahi, fatherOfBlocks, gzeon, hansfriese, horsefacts, hubble, ilan, joestakey, kebabsec, minhquanym, oyc_109, parashar, pauliax, rotcivegaf, sach1r0, sashik_eth, shenwilly, simon135, sorrynotsorry, sseefried, throttle, unforgiven, xiaoming90

Awards

52.8093 USDC - $52.81

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Impact

[1] isClosed always returns false, consider removing it because it makes no sense.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L452-L473

Proof of Concept

Tools Used

Impact

[2] Using if (val) is easier to read rather than if (val == true). Using if (!val) is easier to read rather than if (val == false). Consider updating all occurrences.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L372
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#Lundefined
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L228

Proof of Concept

Tools Used

Impact

[3] By default, function types and state variables/constants are internal, so the internal keyword can be omitted.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L194
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L197
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L35
  4. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L43

Proof of Concept

Tools Used

Impact

[4] Using x != 0 uses 6 less gas than x > 0. Consider changing all "greater than zero" comparisons to "not equal to zero".

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L233
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L837
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L876
  4. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L918
  5. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L942
  6. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L1099
  7. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L1100
  8. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L1217
  9. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/BathBuddy.sol#L102
  10. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/proxy/Address.sol#L36
  11. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/proxy/Address.sol#L240
  12. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/proxy/UpgradeableProxy.sol#L30
  13. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L232
  14. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L252
  15. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L515
  16. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L523
  17. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L597
  18. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L611
  19. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L634

Proof of Concept

Tools Used

Impact

[5] Magic number, consider using named constant instead.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L401
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L403
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#Lundefined
  4. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L857
  5. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L859
  6. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L898
  7. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L900
  8. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L927
  9. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L929
  10. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L951
  11. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L953
  12. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L175
  13. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/TokenWithFaucet.sol#L35
  14. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/TokenWithFaucet.sol#L44
  15. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/TokenWithFaucet.sol#L51
  16. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#Lundefined
  17. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#Lundefined
  18. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#Lundefined
  19. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L556
  20. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L421
  21. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L451
  22. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L725

Proof of Concept

Tools Used

Impact

[6] Replacing "_msgSender()" to "msg.sender" will save gas.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L131
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L161
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L186
  4. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L187
  5. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L213
  6. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L215
  7. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L240
  8. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L242

Proof of Concept

Tools Used

Impact

[7] Consider using "_" separate digit capacity i.e "100000" could be replaced to "100_000". This increases code readability.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L296
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/SafeMathE.sol#L23
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/SafeMathE.sol#L24

Proof of Concept

Tools Used

Impact

[8] Consider using IERC20 type instead of address. Or IERC20[] type instead of address[].

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/BathBuddy.sol#L81
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/BathBuddy.sol#L99
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/BathBuddy.sol#L133
  4. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/VestingWallet.sol#L83
  5. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/VestingWallet.sol#L104
  6. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/VestingWallet.sol#L127
  7. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L60
  8. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L66
  9. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L67
  10. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L68
  11. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L70
  12. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L76
  13. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L79
  14. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L101
  15. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L153
  16. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L179
  17. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L217
  18. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L286
  19. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L294
  20. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L294
  21. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L302
  22. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L310
  23. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L319
  24. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L327
  25. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L218
  26. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L221
  27. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L325
  28. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L338
  29. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L339
  30. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L413
  31. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L442
  32. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L465
  33. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L500
  34. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L503
  35. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L537
  36. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L538
  37. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L77

Proof of Concept

Tools Used

Impact

[9] Uint8-256 / Int8-256 is assigned to zero by default, additional reassignment to zero is unnecessary.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L990
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L82
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L83
  4. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L168

Proof of Concept

Tools Used

Impact

[10] The value like "10256 - 1" (or "10128 - 1") could be replaced to "type(uint256).max" (or "type(uint128).max") accordingly.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L157
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L214
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L256
  4. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L421
  5. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L451

Proof of Concept

Tools Used

Impact

[11] Events are usually named in present tense such as TokenTransfer. Consider renaming this event to OfferDelete.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L180

Proof of Concept

Tools Used

Impact

[12] Better way to initialize structs is

    uint256 x1;
    uint256 x2;
}
Something memory smth = Something({x1: 123, x2: 321});```

Affected code:
1. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L406-L412


## Proof of Concept  
  
## Tools Used  
  
## Recommended Mitigation Steps

---


## Impact 
[13] IF nesting could be reduced here by having early return/continue.

Affected code:
1. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L849-L863
2. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L888-L904
3. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L1009-L1033
4. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathToken.sol#L494-L501
5. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathToken.sol#L634-L652
6. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathPair.sol#L230-L267
7. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathHouse.sol#L371-L378


## Proof of Concept  
  
## Tools Used  
  
## Recommended Mitigation Steps

---

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xf15ers, 0xkatana, Chom, DavidGialdi, Dravee, ElKu, FSchmoede, Fitraldys, Funen, GimelSec, JC, Kaiziron, MaratCerby, Metatron, MiloTruck, Picodes, Randyyy, RoiEvenHaim, SmartSek, Tomio, UnusualTurtle, WatchPug, Waze, _Adam, antonttc, asutorufos, berndartmueller, blackscale, blockdev, c3phas, catchup, csanuragjain, defsec, delfin454000, ellahi, fatherOfBlocks, gzeon, hansfriese, ilan, joestakey, minhquanym, oyc_109, pauliax, pedroais, reassor, rfa, rotcivegaf, sach1r0, samruna, sashik_eth, simon135, z3s

Awards

43.4023 USDC - $43.40

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

Impact

[1] Token decimals is a constant parameter that never changes. Consider caching it.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/TokenWithFaucet.sol#L44
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/TokenWithFaucet.sol#L51
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L211

Proof of Concept

Tools Used

Impact

[2] Consider using optimized for-loop and apply the following optimizations:

  1. cache <array>.length into local variable to avoid looking up every for-loop iteration.
  2. using ++i consumes 5 less gas than i++ (same applies to --i)
  3. don't initialize uint256 i = 0; instead use the default value uint256 i;
  4. make sure to specify uint256 type instead of uint type for readability

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L85
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L169
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L311
  4. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L427
  5. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L480
  6. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L582
  7. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L635

Proof of Concept

Tools Used

Impact

[3] Splitting && conditions into several require statements saves gas.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L716
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L1178
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L122
  4. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L333
  5. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L347
  6. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L420
  7. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L472
  8. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L507
  9. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L741

Proof of Concept

Tools Used

Impact

[4] Using ++x uses 5 less gas than x++ (same applies to --x). Consider changing all "x++" operators to "++x" (same applies to --x).

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L436
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L206

Proof of Concept

Tools Used

Impact

[5] The power of 10 numbers such as "10**18" could be rendered as "1e18".

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L73
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L74
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L857
  4. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L859
  5. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L898
  6. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L900
  7. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L927
  8. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L929
  9. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L951
  10. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L953

Proof of Concept

Tools Used

Impact

[6] You can upgrade to 0.8.4 solidity version it supports new custom errors. Custom errors are reducing 38 gas if condition is met and 22 gas otherwise. Also reduces contract size and deployment costs.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L28
  2. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L46
  3. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L50
  4. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L54
  5. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L282
  6. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L283
  7. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L297
  8. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L304
  9. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L308
  10. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L552
  11. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L571
  12. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L572
  13. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L618
  14. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L645
  15. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L661
  16. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L684
  17. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L701
  18. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L714
  19. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L835
  20. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L874
  21. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L185
  22. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/BathBuddy.sol#L43
  23. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/BathBuddy.sol#L94
  24. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L269
  25. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L270
  26. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L292
  27. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L313
  28. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L343
  29. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/ERC20.sol#L344
  30. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/SafeMathE.sol#L9
  31. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/SafeMathE.sol#L13
  32. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/SafeMathE.sol#L17
  33. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/VestingWallet.sol#L38
  34. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/WETH9.sol#L74
  35. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/WETH9.sol#L77
  36. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/proxy/Address.sol#L56
  37. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/proxy/Address.sol#L63
  38. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/proxy/Address.sol#L145
  39. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/proxy/Address.sol#L149
  40. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/proxy/Address.sol#L188
  41. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/proxy/Address.sol#L224
  42. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/proxy/TransparentUpgradeableProxy.sol#L113
  43. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/proxy/TransparentUpgradeableProxy.sol#L174
  44. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/proxy/UpgradeableProxy.sol#L79
  45. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L143
  46. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L147
  47. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L156
  48. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L171
  49. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L237
  50. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L241
  51. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L395
  52. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L397
  53. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L403
  54. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L409
  55. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L120
  56. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L148
  57. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L174
  58. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L182
  59. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L318
  60. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L332
  61. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L346
  62. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L419
  63. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L471
  64. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L506
  65. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathPair.sol#L570
  66. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L227
  67. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L235
  68. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L470
  69. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L510
  70. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L516
  71. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L547
  72. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L722
  73. https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L740

Proof of Concept

Tools Used

Impact

[7] uint32 is enough to store timestamp.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L205

Proof of Concept

Tools Used

Impact

[8] It is better to use uint256 for locked variable and set it 1 for unlocked state and to 2 for locked stake or use enums for that. That way you will reduce runtime gas usage for locking/unlocking.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L225-L230

Proof of Concept

Tools Used

Impact

[9] Using storage keyword here can save up-to 700 gas here.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L250
  2. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L279
  3. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/RubiconMarket.sol#L358

Proof of Concept

Tools Used

Impact

[10] Using struct array will allow you to avoid length checks.

Affected code:

  1. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathPair.sol#L412-L424
  2. https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathPair.sol#L463-L477

Proof of Concept

Tools Used

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter