Back to SAAJ's contests

Wenwin contest - SAAJ's results

The next generation of chance-based gaming.

General Information

Platform: Code4rena

Start Date: 06/03/2023

Pot Size: $36,500 USDC

Total HM: 8

Participants: 93

Period: 3 days

Judge: cccz

Total Solo HM: 3

Id: 218

League: ETH

Wenwin

Findings Distribution

Researcher Performance

Rank: 49/93

Findings: 2

Award: $34.42

QA:
grade-b
Gas:
grade-b

🌟 Selected for report: 0

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryWenwin

Findings Information

🌟 Selected for report: adriro

Also found by: 0x1f8b, 0xAgro, 0xSmartContract, 0xfuje, 0xkazim, 0xnev, Aymen0909, Bason, Cyfrin, DadeKuma, LethL, Madalad, MohammedRizwan, Rolezn, SAAJ, SunSec, Udsen, Yukti_Chinta, ast3ros, bin2chen, brgltd, bshramin, btk, bugradar, catellatech, cryptostellar5, descharre, dontonka, erictee, fatherOfBlocks, georgits, glcanvas, hl_, horsefacts, igingu, juancito, lukris02, martin, nadin, nomoi, peanuts, pipoca, sakshamguruji, seeu, slvDev, tnevler, zaskoh

Awards

21.7018 USDC - $21.70

Labels

bug
grade-b
QA (Quality Assurance)
sponsor confirmed
Q-22

External Links

Link to GitHub issue

Low Risk and Non-Critical Issues

Some of the opportunities identified for improving low severity issues throughout the codebase of Wenwin protocol are categorised into 03 main areas; with further multiple instances in each of the category.

[L-01] Floating of Pragma (03 Instances)

Locking pragma version ensures contracts are not being deployed on an outdated compiler version.

Link to the code:

  1. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/VRFv2RNSource.sol#L3
  2. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/StakedTokenLock.sol#L3
  3. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/interfaces/IVRFv2RNSource.sol#L3

[L 02] Avoid using latest version of Solidity due to unknown bugs (21 Instances)

Precaution should be taken in using solidity latest released version that can impact the project based on reason of unknown bugs.

Link to the code:

  1. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryToken.sol#L3
  2. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L3
  3. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L3
  4. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L3
  5. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Ticket.sol#L3
  6. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/RNSourceBase.sol#L3
  7. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/RNSourceController.sol#L3
  8. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L3
  9. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/PercentageMath.sol#L3
  10. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/TicketUtils.sol#L3
  11. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryMath.sol#L3
  12. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/interfaces/ILotteryToken.sol#L3
  13. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/interfaces/ITicket.sol#L3
  14. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/interfaces/IStakedTokenLock.sol#L3
  15. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/interfaces/IReferralSystemDynamic.sol#L3
  16. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/interfaces/IRNSource.sol#L3
  17. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/interfaces/IStaking.sol#L3
  18. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/interfaces/IReferralSystem.sol#L3
  19. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/interfaces/IRNSourceController.sol#L3
  20. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/interfaces/ILottery.sol#L3
  21. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/interfaces/ILotterySetup.sol#L3

[L-03] Minting tokens to the zero address should be avoided (04 Instances)

Address(0) check is missing in function, consider applying check to ensure tokens or tickets aren’t minted to the zero address.

Link to the code:

  1. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryToken.sol#L22
  2. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L74
  3. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Ticket.sol#L26
  4. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L81

[N-01] Constructor lacks address(0) check (03 Instances)

Zero-address check should be used in the constructors, to avoid the risk of setting a storage variable as address(0) at deploying time.

Link to the code:

  1. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/VRFv2RNSource.sol#L13
  2. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/StakedTokenLock.sol#L16
  3. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/RNSourceBase.sol#L11

#0 - thereksfour

2023-03-12T09:54:36Z

1 L 3 INFO

#1 - c4-judge

2023-03-12T09:54:40Z

thereksfour marked the issue as grade-b

#2 - c4-sponsor

2023-03-14T10:53:21Z

0xluckydev marked the issue as sponsor confirmed

Findings Information

🌟 Selected for report: Rolezn

Also found by: 0x1f8b, 0x6980, 0xSmartContract, 0xhacksmithh, 0xnev, Haipls, Inspectah, JCN, LethL, Madalad, MiniGlome, Pheonix, Rageur, RaymondFam, ReyAdmirado, SAAJ, Sathish9098, adriro, air, arialblack14, atharvasama, c3phas, ch0bu, ddimitrov22, descharre, hunter_w3b, igingu, matrix_0wl, rokso, saneryee, schrodinger, slvDev, volodya, yongskiws

Awards

12.7206 USDC - $12.72

Labels

bug
G (Gas Optimization)
grade-b
sponsor acknowledged
G-15

External Links

Link to GitHub issue

Gas Optimization Report

This report focuses on Wenwin contest, in context of various improvements that can be made in terms of gas cost.

Some of the opportunities identified for improving gas efficiency throughout the codebase of Wenwin Protocol are categorised into 07 main areas; with further multiple instances in each of the category.

Summary

[G-01] 0perator assignment is more gas efficient than compound assignment (16 Instances) [G-02] Require is more gas efficient than assert (02 Instances) [G-03] Immutable has more gas efficiency than constant (04 Instances) [G-04] Multiple mappings can be combined into a single one (12 Instances) [G-05] Wastage of deployed gas when return is not present for returns function (11 Instances) [G 06] Declare Public library as internal library (05 Instances) [G-07] Public visibility consumes more gas as compared to external in functions (02 Instances)  

[G-01] 0perator assignment is more gas efficient than compound assignment (16 Instances)

Compound assignment operators (+= / -=) are more expensive in terms of gas consumption and needs to be avoided.

Operator assignments (a = a + b / a - b) are preferable in terms of gas optimization.

Link to the Code:

  1. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/StakedTokenLock.sol#L30
  2. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/StakedTokenLock.sol#L43
  3. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L129
  4. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L173
  5. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L275
  6. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L64
  7. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L67
  8. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L69
  9. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L71
  10. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L78
  11. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L147
  12. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/TicketUtils.sol#L29
  13. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/TicketUtils.sol#L96
  14. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryMath.sol#L55
  15. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryMath.sol#L64
  16. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryMath.sol#L84

[G-02] Require is more gas efficient than assert (02 Instances)

Assert() and require() functions are similar in nature, regarding context of handling error and undone any changes made.

However, assert() consumes all the gas during the process of reverting change while require()refunds any gas remaining that was paid.

Link to the Code:

  1. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L147
  2. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/TicketUtils.sol#L99

[G-03] Immutable has more gas efficiency than constant (04 Instances)

Using immutable instead of constant, save more gas due to avoiding storage access for state variables.

Variable values are set through constructor when using immutable, which also eliminates the need of assigning initial values to state variable making them more efficient in terms of gas cost

Link to the Code:

  1. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryToken.sol#L12
  2. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L36
  3. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/RNSourceController.sol#L19
  4. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/RNSourceController.sol#L20

[G-04] Multiple mappings can be combine into a single one (12 Instances)

When multiple mappings are used in same function, it’s better to combined them into a single mapping using a struct.

Combined mapping reduces storage slot per mapping and also are cheaper in terms of associated stack operations calculation carried out.

Link to the Code:

  1. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L19
  2. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L20
  3. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L26
  4. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L27
  5. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L36
  6. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L37
  7. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L39
  8. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L17
  9. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L19
  10. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L21
  11. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L23
  12. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L25

[G-05] Wastage of deployed gas when return is not present for returns function (11 Instances)

Wastage of gas during deployment; when return is absent for named variable when function returns.

Link to the Code:

  1. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/VRFv2RNSource.sol#L28
  2. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L152
  3. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L156
  4. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L164
  5. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L144
  6. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/TicketUtils.sol#L74
  7. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryMath.sol#L35
  8. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryMath.sol#L62
  9. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryMath.sol#L73
  10. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryMath.sol#L96
  11. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryMath.sol#L119

[G 06] Declare Public library as internal library (05 Instances)

External call to a public library function is very expensive for reference checks this article. When library has only internal functions it can be used as internal library.

Link to the code:

  1. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotteryToken.sol#L7
  2. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L8
  3. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L7
  4. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L11
  5. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/ReferralSystem.sol#L7

[G-07] Public visibility consumes more gas as compared to external in functions (02 Instances)

Functions with public visibility, if not called within the contract needed to be changed external.

Link to the Code:

  1. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L120
  2. https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L234

#0 - c4-judge

2023-03-12T14:20:03Z

thereksfour marked the issue as grade-b

#1 - c4-sponsor

2023-03-14T13:10:53Z

TutaRicky marked the issue as sponsor acknowledged

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter