AbraNFT contest - Tomio's results

A peer-to-peer lending platform, using NFTs as collateral.

General Information

Platform: Code4rena

Start Date: 27/04/2022

Pot Size: $50,000 MIM

Total HM: 6

Participants: 59

Period: 5 days

Judge: 0xean

Id: 113

League: ETH

Abracadabra Money

Findings Distribution

Researcher Performance

Rank: 50/59

Findings: 1

Award: $57.52

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

57.5177 MIM - $57.52

Labels

bug
G (Gas Optimization)

External Links

Title: Using storage to declare struct variable inside function

Proof of Concept: https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L182 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L187 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L220

Recommended Mitigation Steps: instead of caching TokenLoan in memory, read it directly from storage:

TokenLoan storage loan = tokenLoan[tokenId];

========================================================================

Title: Using calldata on struct parameter

Proof of Concept: https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L181 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L208 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L274 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L323

Recommended Mitigation Steps: declaring the struct parameter as calldata instead of memory saves gas:

function updateLoanParams(uint256 tokenId, TokenLoanParams calldata params) public {

========================================================================

Title: Using multiple require statements instead of && can save gas

Proof of Concept: https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L188-L191 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L283-L288 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L622

Recommended Mitigation Steps: Change to:

require(params.duration >= cur.duration, "NFTPair: worse params");
require(params.valuation <= cur.valuation, "NFTPair: worse params");
require(params.annualInterestBPS <= cur.annualInterestBPS, "NFTPair: worse params");

========================================================================

Title: Using > is cheaper than >=

Proof of Concept: https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L189 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L285-L286 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L297 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L405

Recommended Mitigation Steps: Change >= to >

========================================================================

Title: Using unchecked for the calculation can save gas

Proof of Concept: https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L536

Recommended Mitigation Steps: the comment on L#535 already states there is no underflow, so the addition can be wrapped in unchecked:

unchecked{ feesEarnedShare += feeShare; }

========================================================================

Title: Unnecessary zero initialisation; the default value of uint is 0

Proof of Concept: https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L96 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L641 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/BentoBoxFlat.sol#L1009 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/BentoBoxFlat.sol#L1018

Recommended Mitigation Steps: removing the explicit = 0 initialisation saves gas

========================================================================

Title: Using delete statement to empty feesEarnedShare can save gas

Proof of Concept: https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L719 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/BentoBoxFlat.sol#L1075-L1076

Recommended Mitigation Steps:

delete feesEarnedShare;

========================================================================

Title: Caching .length before the loop can save gas

Proof of Concept: https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L641

Recommended Mitigation Steps: Change to:

uint256 Length = actions.length;
for (uint256 i = 0; i < Length; i++) {

========================================================================

Title: Using unchecked and prefix increment

Proof of Concept: https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/BentoBoxFlat.sol#L627

Recommended Mitigation Steps:

for (uint256 i = 0; i < calls.length;) {
    (bool success, bytes memory result) = address(this).delegatecall(calls[i]);
    require(success || !revertOnFail, _getRevertMsg(result));
    successes[i] = success;
    results[i] = result;
    unchecked {
        ++i; //@audit-info: Place here with unchecked
    }
}

========================================================================

Title: Using != is more gas efficient

Proof of Concept: https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L717 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/BentoBoxFlat.sol#L1062 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/BentoBoxFlat.sol#L1106

Recommended Mitigation Steps:

if (_share != 0) {

========================================================================

Title: Prefix increments are cheaper than postfix increments

Proof of Concept: https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/BentoBoxFlat.sol#L954

Recommended Mitigation Steps: Change to ++i
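The following contract is an added example, not AbraNFT's code or part of Tomio's submission: it applies the patterns from the eleven findings above in one place, and shows the caveat on finding 4 (only a constant bound can be turned from >= into > without changing which values are accepted). The struct, mapping and function names (Loan, loans, addFee, withdrawFees, batch) are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Illustrative contract, not AbraNFT's code: each function applies one or more of the
// gas patterns above. Names (Loan, loans, addFee, batch, ...) are constructed.
contract GasPatterns {
    struct Loan { uint64 duration; uint128 valuation; uint16 annualInterestBPS; }
    mapping(uint256 => Loan) public loans;
    uint256 public feesEarnedShare;
    uint256 constant MIN_DURATION = 1 days;
    // Findings 1-3: storage pointer instead of a memory copy, calldata struct
    // parameter, one require per condition instead of `&&`.
    function updateLoanParams(uint256 tokenId, Loan calldata params) external {
        Loan storage cur = loans[tokenId];
        require(params.duration >= cur.duration, "worse params");
        require(params.valuation <= cur.valuation, "worse params");
        require(params.annualInterestBPS <= cur.annualInterestBPS, "worse params");
        loans[tokenId] = params;
    }
    // Finding 4: `>` is cheaper than `>=`, but only a constant bound can be shifted
    // without changing behaviour: `x >= N` becomes `x > N - 1`. The variable-to-variable
    // comparisons in updateLoanParams have no equivalent rewrite.
    function meetsMinimum(uint64 duration) external pure returns (bool) {
        return duration > MIN_DURATION - 1;
    }
    // Finding 5: `unchecked` is correct only where an invariant rules out overflow;
    // here the caller is assumed to bound feeShare (constructed assumption).
    function addFee(uint256 feeShare) external {
        unchecked { feesEarnedShare += feeShare; }
    }
    // Findings 7 and 10: `!= 0` instead of `> 0`, `delete` instead of `= 0`.
    function withdrawFees() external returns (uint256 share) {
        share = feesEarnedShare;
        if (share != 0) delete feesEarnedShare;
    }
    // Findings 6, 8, 9, 11: no explicit `= 0`, cached length, unchecked prefix
    // increment (i < length guarantees ++i cannot overflow).
    function batch(bytes[] calldata calls, bool revertOnFail) external returns (bool[] memory ok) {
        uint256 length = calls.length;
        ok = new bool[](length);
        for (uint256 i; i < length;) {
            (bool success, ) = address(this).delegatecall(calls[i]);
            require(success || !revertOnFail, "call failed");
            ok[i] = success;
            unchecked { ++i; }
        }
    }
}
```

Compile each function with and without the pattern applied and compare the gas report to confirm the saving on the compiler version in use, since optimizer settings change the numbers.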

========================================================================

#0 - cryptolyndon

2022-05-13T23:22:00Z

Fair call on number 2
