Platform: Code4rena
Start Date: 24/03/2022
Pot Size: $75,000 USDC
Total HM: 15
Participants: 59
Period: 7 days
Judge: gzeon
Id: 103
League: ETH
Rank: 40/59
Findings: 2
Award: $196.49
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: hake
Also found by: 0v3rf10w, 0xDjango, 0xkatana, BouSalman, CertoraInc, Dravee, Hawkeye, IllIllI, JMukesh, Jujic, Kenshin, PPrieditis, Picodes, PranavG, Ruhum, SolidityScan, VAD37, WatchPug, aga7hokakological, catchup, csanuragjain, cthulhu_cult, defsec, dimitri, hickuphh3, hubble, hyh, kenta, kirk-baird, obront, peritoflores, rayn, robee, saian, samruna, shenwilly, shw, sorrynotsorry, tchkvsky, teryanarmen, ych18
132.5612 USDC - $132.56
Contracts should be deployed using the same compiler version/flags with which they have been tested. Locking the pragma (for e.g. by not using ^ in pragma solidity 0.5.10) ensures that contracts do not accidentally get deployed using an older compiler version with unfixed bugs. More information can be seen in SWC Registry: https://swcregistry.io/docs/SWC-103
Use locked pragma for contracts.
It should be clearly visible in code which part is customization and which part comes from public standard. Documentation states that LI.FI Contract is built using the EIP-2535 (Multi-facet Proxy) standard however in code that is not clearly visible. LiFiDiamond.sol logic is a copy from Diamond.sol. It would be better to use import and inheritance because if there is discovered a bug in EIP-2535 Diamond.sol then it is harder to detect the same bug in LiFiDiamond.sol.
Use import and inheritance from Diamond.sol https://github.com/mudgen/diamond-3-hardhat/blob/main/contracts/Diamond.sol https://github.com/code-423n4/2022-03-lifinance/blob/main/src/LiFiDiamond.sol#L7
Contracts inheriting from multiple contracts with identical functions should specify the correct inheritance order i.e. more general to more specific to avoid inheriting the incorrect function implementation. https://swcregistry.io/docs/SWC-125
Remove unnecessary imports. In the following files there are contract imports that aren't used: https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/AnyswapFacet.sol#L6 https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/AnyswapFacet.sol#L9
type(T).max should be used for max value and not a number.
Change: https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Libraries/LibSwap.sol#L8
From: uint256 private constant MAX_INT = 2**256 - 1; To: uint256 private constant MAX_INT = type(uint256).max;
Contract should not inherit if functionality of inheritance is not used. Swapper.sol inherits ILiFi however nothing is used from ILiFi.
Remove: https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/Swapper.sol#L4 and ILiFi inheritance at https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/Swapper.sol#L8
Parameters of certain events are expected to be indexed (e.g. ERC20 Transfer/Approval events) so that they’re included in the block’s bloom filter for faster access. Failure to do so might confuse off-chain tooling looking for such indexed events.
Event AssetSwapped does not use any index: https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Libraries/LibSwap.sol#L19-L27
Index transactionId for event AssetSwapped because transactionId is indexed also in ILiFi.sol https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Interfaces/ILiFi.sol
#0 - H3xept
2022-04-08T14:31:36Z
Duplicate of #197
#1 - H3xept
2022-04-11T10:37:04Z
Duplicate of #197
#2 - H3xept
2022-04-11T12:10:52Z
Swapper.sol uses ILifi to have access to the function argument types, namely LifiData.
🌟 Selected for report: Dravee
Also found by: 0v3rf10w, 0xDjango, 0xNazgul, 0xkatana, ACai, CertoraInc, FSchmoede, Funen, Hawkeye, IllIllI, Jujic, Kenshin, PPrieditis, Picodes, SolidityScan, TerrierLover, Tomio, WatchPug, catchup, csanuragjain, defsec, dimitri, hake, hickuphh3, kenta, minhquanym, obront, peritoflores, rayn, rfa, robee, saian, samruna, tchkvsky, teryanarmen, ych18
63.9343 USDC - $63.93
Reading array length at each iteration of the loop takes 6 gas (3 for mload and 3 to place memory_offset) in the stack. Caching the array length in the stack saves around 3 gas per iteration.
Cache array length: https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/Swapper.sol#L14
Prefix increaments are cheaper than postfix increaments
Use ++i in place of i++: https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/Swapper.sol#L14
Redundant code and comments can be confusing and should be removed (or changed appropriately) after careful evaluation. This will not only reduce gas costs but improve readability and maintainability of the code.
Change: https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/Swapper.sol#L16
From: ls.dexWhitelist[_swapData[i].approveTo] == true && ls.dexWhitelist[_swapData[i].callTo] == true To: ls.dexWhitelist[_swapData[i].approveTo] && ls.dexWhitelist[_swapData[i].callTo]
Public functions that are never called by the contract should be declared external to save gas.
Change below functions to external: AnyswapFacet.startBridgeTokensViaAnyswap() https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/AnyswapFacet.sol#L35
AnyswapFacet.swapAndStartBridgeTokensViaAnyswap() https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/AnyswapFacet.sol#L74
#0 - H3xept
2022-04-08T14:40:16Z
Duplicate of #44
#1 - H3xept
2022-04-08T15:08:11Z
Duplicate of #197
#2 - H3xept
2022-04-11T12:04:44Z
We internally decided to avoid previx increments for now.