Platform: Code4rena
Start Date: 09/11/2021
Pot Size: $75,000 USDC
Total HM: 57
Participants: 27
Period: 7 days
Judge: alcueca
Total Solo HM: 49
Id: 52
League: ETH
Rank: 18/27
Findings: 2
Award: $376.69
🌟 Selected for report: 3
🚀 Solo Findings: 0
🌟 Selected for report: ye0lde
Also found by: Meta0xNull, defsec, pants, pauliax
21.2455 USDC - $21.25
Meta0xNull
Open TODOs can hint at programming or architectural errors that still need to be fixed.
https://github.com/code-423n4/2021-11-vader/blob/main/contracts/dex/pool/BasePool.sol#L163
https://github.com/code-423n4/2021-11-vader/blob/main/contracts/dex/math/VaderMath.sol#L80
https://github.com/code-423n4/2021-11-vader/blob/main/contracts/dex/pool/VaderPool.sol#L85
https://github.com/code-423n4/2021-11-vader/blob/main/contracts/dex/pool/VaderPool.sol#L93
Manual Review
Fix the TODOs and remove them.
#0 - SamSteinGG
2021-11-25T12:22:31Z
Duplicate #102
🌟 Selected for report: Meta0xNull
161.9075 USDC - $161.91
Meta0xNull
setRewardsDuration() does not validate the input _rewardsDuration, so the owner is able to input 0.
Then some calculations in notifyRewardAmount() will fail since rewardsDuration = 0 now:
rewardRate = reward.div(rewardsDuration);
rewardRate = reward.add(leftover).div(rewardsDuration);
https://github.com/code-423n4/2021-11-vader/blob/main/contracts/staking-rewards/StakingRewards.sol#L166-L173
https://github.com/code-423n4/2021-11-vader/blob/main/contracts/staking-rewards/StakingRewards.sol#L130-L142
Manual Review
In setRewardsDuration(), add: require(_rewardsDuration > 0, "Reward Duration Can't Be Zero");
#0 - 0xstormtrooper
2021-11-16T02:09:58Z
There might be a case where rewardsDuration should be 0.
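The failure described in this finding, as an added example that is not code from the Vader repository or from the warden: a reduced model of the two functions, with the unchecked setter beside the checked one. The contract and function names, the Solidity 0.8 pragma and the omission of token transfers, access control and the updateReward modifier are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added illustration, not the Vader StakingRewards contract. Only the state
// that the two functions named in the finding touch is modelled (assumption:
// transfers, ownership and reward accounting are not needed to show the bug).
contract RewardsDurationModel {
    uint256 public periodFinish;
    uint256 public rewardRate;
    uint256 public rewardsDuration = 7 days;

    // Setter as the finding describes it: any value is accepted, including 0.
    function setRewardsDurationUnchecked(uint256 _rewardsDuration) external {
        rewardsDuration = _rewardsDuration;
    }

    // Setter with the check the finding recommends.
    function setRewardsDurationChecked(uint256 _rewardsDuration) external {
        require(_rewardsDuration > 0, "Reward Duration Can't Be Zero");
        rewardsDuration = _rewardsDuration;
    }

    // Both branches divide by rewardsDuration. With rewardsDuration == 0 the
    // call reverts (Panic 0x12 in Solidity >= 0.8; SafeMath.div reverts too),
    // so no reward period can be started until the duration is changed again.
    function notifyRewardAmount(uint256 reward) external {
        if (block.timestamp >= periodFinish) {
            rewardRate = reward / rewardsDuration;
        } else {
            uint256 remaining = periodFinish - block.timestamp;
            uint256 leftover = remaining * rewardRate;
            rewardRate = (reward + leftover) / rewardsDuration;
        }
        periodFinish = block.timestamp + rewardsDuration;
    }
}

// Hypothetical harness: returns true because notifyRewardAmount reverts.
contract RewardsDurationCheck {
    function zeroDurationBlocksNotify() external returns (bool reverted) {
        RewardsDurationModel m = new RewardsDurationModel();
        m.setRewardsDurationUnchecked(0);
        try m.notifyRewardAmount(1e18) {
            reverted = false;
        } catch {
            reverted = true;
        }
    }
}
```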
🌟 Selected for report: Reigada
Also found by: Meta0xNull, pants, pauliax
12.5116 USDC - $12.51
Meta0xNull
The local variable used as the for loop index need not be initialized to 0 because the default value is 0. Avoiding this anti-pattern can save a few opcodes and therefore a tiny bit of gas.
https://github.com/code-423n4/2021-11-vader/blob/main/contracts/governance/GovernorAlpha.sol#L437
https://github.com/code-423n4/2021-11-vader/blob/main/contracts/tokens/vesting/LinearVesting.sol#L72
Manual Review
Remove the explicit 0 initialization of the for loop index variable.
Before: for (uint256 i = 0;
After: for (uint256 i;
#0 - SamSteinGG
2021-11-20T06:49:07Z
Duplicate of #82
🌟 Selected for report: Meta0xNull
68.651 USDC - $68.65
Meta0xNull
If data can fit into 32 bytes, then you should use the bytes32 datatype rather than string, as it is much cheaper in Solidity. Basically, any fixed-size variable in Solidity is cheaper than a variable-size one. That will save gas on the contract.
https://github.com/code-423n4/2021-11-vader/blob/main/contracts/governance/GovernorAlpha.sol#L30
Manual Review
bytes32 public constant name = "Vader Governor Alpha";
🌟 Selected for report: Meta0xNull
68.651 USDC - $68.65
Meta0xNull
Repeated SLOAD of _pairs during the loop
_pairs saved as pairData in storage in the loop
Multiple SLOADs of pairData within the same loop
Storage SLOADs are more expensive than reading local variables. The gas price adds up during the loop and is very, very expensive.
https://github.com/code-423n4/2021-11-vader/blob/main/contracts/twap/TwapOracle.sol#L322-L368
Manual Review
Before the loop starts, SLOAD _pairs and cache it once in a local variable _pairs_temp. Then use the local variable _pairs_temp in the loop.
PairData _pairs_temp = _pairs;
#0 - SamSteinGG
2021-11-20T06:50:07Z
Duplicate of #94
#1 - alcueca
2021-12-10T14:44:11Z
Not a duplicate of #94
#2 - SamSteinGG
2021-12-22T07:40:13Z
The TWAP oracle module has been completely removed and redesigned from scratch as LBTwap that is subject of the new audit.
🌟 Selected for report: Reigada
Also found by: Meta0xNull, cmichel
43.715 USDC - $43.72
Meta0xNull
A wrong user input or wallets defaulting to the zero addresses for a missing input can lead to the contract needing to redeploy and wasted gas.
Manual Review
Require that the addresses are not zero.
require(_owner != address(0) && _rewardsDistribution != address(0) && _rewardsToken != address(0) && _stakingToken != address(0), "Address Can't Be Zero");
#0 - 0xstormtrooper
2021-11-16T01:10:38Z