Fraxlend (Frax Finance) contest - Noah3o6's results

Fraxlend: A permissionless lending platform and the final piece of the Frax Finance Defi Trinity.

General Information

Platform: Code4rena

Start Date: 12/08/2022

Pot Size: $50,000 USDC

Total HM: 15

Participants: 120

Period: 5 days

Judge: Justin Goro

Total Solo HM: 6

Id: 153

League: ETH

Frax Finance

Findings Distribution

Researcher Performance

Rank: 56/120

Findings: 2

Award: $67.04

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Frax Finance

Findings Information

🌟 Selected for report: 0x1f8b

Also found by: 0x52, 0xA5DF, 0xDjango, 0xNazgul, 0xNineDec, 0xSmartContract, 0xmatt, 0xsolstars, Aymen0909, Bnke0x0, CertoraInc, Chom, CodingNameKiki, Deivitto, Dravee, ElKu, EthLedger, Funen, IllIllI, JC, Junnon, Lambda, LeoS, MiloTruck, Noah3o6, PaludoX0, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, SaharAP, Sm4rty, SooYa, The_GUILD, TomJ, Waze, Yiko, _Adam, __141345__, a12jmx, ak1, asutorufos, auditor0517, ayeslick, ballx, beelzebufo, berndartmueller, bin2chen, brgltd, c3phas, cRat1st0s, cccz, cryptonue, cryptphi, d3e4, delfin454000, dipp, djxploit, durianSausage, dy, erictee, fatherOfBlocks, gogo, gzeon, hyh, ignacio, kyteg, ladboy233, medikko, mics, minhquanym, oyc_109, pfapostol, rbserver, reassor, ret2basic, robee, sach1r0, simon135, sryysryy, tabish, yac, yash90, zzzitron

Awards

45.8341 USDC - $45.83

Labels

bug

QA (Quality Assurance)

External Links

Link to GitHub issue

-> EVENT IS MISSING INDEXED FIELDS Each event should use three indexed fields if there are three or more fields.

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#:~:text=event%20UpdateRate(uint256%20_ratePerSec%2C%20uint256%20_deltaTime%2C%20uint256%20_utilizationRate%2C%20uint256%20_newRatePerSec)%3B https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#:~:text=event%20RepayAsset(address%20indexed%20_sender%2C%20address%20indexed%20_borrower%2C%20uint256%20_amountToRepay%2C%20uint256%20_shares)%3B https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#:~:text=event%20Liquidate(,uint256%20_amountToAdjust https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#:~:text=event%20LeveragedPosition(,uint256%20_amountCollateralOut

-> _SAFEMINT() SHOULD BE USED RATHER THAN _MINT() WHEREVER POSSIBLE

_mint() is discouraged in favor of _safeMint() which ensures that the recipient is either an EOA or implements IERC721Receiver

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#:~:text=_mint(address(this)%2C%20_feesShare)%3B https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#:~:text=_mint(_receiver%2C%20_shares)%3B

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0xA5DF, 0xDjango, 0xNazgul, 0xSmartContract, 0xackermann, 0xbepresent, 0xc0ffEE, 0xkatana, 2997ms, Amithuddar, Aymen0909, Bnke0x0, Chinmay, Chom, CodingNameKiki, Deivitto, Diraco, Dravee, ElKu, EthLedger, Fitraldys, Funen, IgnacioB, JC, Junnon, Lambda, LeoS, Metatron, MiloTruck, Noah3o6, NoamYakov, PaludoX0, Randyyy, ReyAdmirado, Rohan16, Rolezn, Ruhum, SaharAP, Sm4rty, SooYa, TomJ, Tomio, Waze, Yiko, _Adam, __141345__, a12jmx, ajtra, ak1, asutorufos, ballx, brgltd, c3phas, cRat1st0s, carlitox477, chrisdior4, d3e4, delfin454000, dharma09, djxploit, durianSausage, erictee, fatherOfBlocks, find_a_bug, flyx, francoHacker, gerdusx, gogo, gzeon, hakerbaya, ignacio, jag, kyteg, ladboy233, ltyu, m_Rassska, medikko, mics, mrpathfindr, newfork01, nxrblsrpr, oyc_109, pfapostol, rbserver, reassor, ret2basic, robee, sach1r0, saian, simon135, sryysryy, zeesaw

Awards

21.2057 USDC - $21.21

Labels

bug

G (Gas Optimization)

External Links

Link to GitHub issue

-> X = X + Y IS CHEAPER THAN X += Y (same for X = X - Y IS CHEAPER THAN X -= Y)

->STATE VARIABLES ONLY SET IN THE CONSTRUCTOR SHOULD BE DECLARED IMMUTABLE

Avoids a Gsset (20000 gas) in the constructor, and replaces each Gwarmacces (100 gas) with a PUSH32 (3 gas)

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#:~:text=IERC20%20internal%20immutable%20assetContract%3B https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#:~:text=IERC20%20public%20immutable%20collateralContract%3B

-> REQUIRE()/REVERT() STRINGS LONGER THAN 32 BYTES COST EXTRA GAS

USE CUSTOM ERRORS RATHER THAN REVERT()/REQUIRE() STRINGS TO SAVE GAS

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairDeployer.sol#:~:text=%22FraxlendPairDeployer%3A%20create2%20failed%22)%3B https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairDeployer.sol#:~:text=%22FraxlendPairDeployer%3A%20Pair%20name%20must%20be%20unique%22)%3B https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairDeployer.sol#:~:text=%22FraxlendPairDeployer%3A%20_maxLTV%20is%20too%20large%22)%3B https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairDeployer.sol#:~:text=%22FraxlendPairDeployer%3A%20Only%20whitelisted%20addresses%22 https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/LinearInterestRate.sol#:~:text=%22LinearInterestRate%3A%20_minInterest%20%3C%20MAX_INT%20%26%26%20_minInterest%20%3C%3D%20_vertexInterest%20%26%26%20_minInterest%20%3E%3D%20MIN_INT%22 https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/LinearInterestRate.sol#:~:text=%22LinearInterestRate%3A%20_maxInterest%20%3C%3D%20MAX_INT%20%26%26%20_vertexInterest%20%3C%3D%20_maxInterest%20%26%26%20_maxInterest%20%3E%20MIN_INT%22 https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/LinearInterestRate.sol#:~:text=%22LinearInterestRate%3A%20_vertexUtilization%20%3C%20MAX_VERTEX_UTIL%20%26%26%20_vertexUtilization%20%3E%200%22

->USING > 0 COSTS MORE GAS THAN != 0 WHEN USED ON A UINT IN A REQUIRE() STATEMENT

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/LinearInterestRate.sol#:~:text=_maxInterest%20%26%26%20_maxInterest%20%3E%20MIN_INT%22-,)%3B,)%3B,-%7D

->SPLITTING REQUIRE() STATEMENTS THAT USE && SAVES GAS

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/LinearInterestRate.sol#:~:text=)%3B-,require(,)%3B,-require( https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/LinearInterestRate.sol#:~:text=)%3B-,require(,)%3B,-require( https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/LinearInterestRate.sol#:~:text=_maxInterest%20%26%26%20_maxInterest%20%3E%20MIN_INT%22-,)%3B,)%3B,-%7D

-> ++i costs less gas compared to i++ or i += 1 (Also --i costs less gas compared to i--- or i -= 1)

-> USAGE OF UINTS/INTS SMALLER THAN 32 BYTES (256 BITS) INCURS OVERHEAD When using elements that are smaller than 32 bytes, your contract’s gas usage may be higher. This is because the EVM operates on 32 bytes at a time. Therefore, if the element is smaller than that, the EVM must use more operations in order to reduce the size of the element from 32 bytes to the desired size.

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPair.sol#:~:text=uint16%20_DEFAULT_PROTOCOL_FEE%2C https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairConstants.sol#:~:text=uint16%20internal%20constant%20DEFAULT_PROTOCOL_FEE%20%3D%200%3B

->IT COSTS MORE GAS TO INITIALIZE NON-CONSTANT/NON-IMMUTABLE VARIABLES TO ZERO THAN TO LET THE DEFAULT OF ZERO BE APPLIED

If a variable is not set/initialized, it is assumed to have the default value (0, false, 0x0 etc depending on the data type). Explicitly initializing it with its default value is an anti-pattern and wastes gas.

->USING BOOLS FOR STORAGE INCURS OVERHEAD

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#:~:text=mapping(address%20%3D%3E%20bool)%20public%20approvedBorrowers%3B https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#:~:text=mapping(address%20%3D%3E%20bool)%20public%20approvedLenders%3B https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairDeployer.sol#:~:text=mapping(address%20%3D%3E%20bool)%20public%20deployedPairCustomStatusByAddress%3B https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendWhitelist.sol#:~:text=mapping(address%20%3D%3E%20bool)%20public%20oracleContractWhitelist%3B https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendWhitelist.sol#:~:text=mapping(address%20%3D%3E%20bool)%20public%20rateContractWhitelist%3B https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendWhitelist.sol#:~:text=mapping(address%20%3D%3E%20bool)%20public%20fraxlendDeployerWhitelist%3B

Fraxlend (Frax Finance) contest - Noah3o6's results

Fraxlend: A permissionless lending platform and the final piece of the Frax Finance Defi Trinity.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-60] QA Report - $45.83

Findings Information

Awards

Labels

External Links

[G-68] Gas Report - $21.21

Findings Information

Awards

Labels

External Links