Platform: Code4rena
Start Date: 11/05/2022
Pot Size: $150,000 USDC
Total HM: 23
Participants: 93
Period: 14 days
Judge: LSDan
Total Solo HM: 18
Id: 123
League: ETH
Rank: 30/93
Findings: 1
Award: $247.36
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, BowTiedWardens, CertoraInc, DavidGialdi, FSchmoede, Fitraldys, Funen, GimelSec, Hawkeye, JC, Kaiziron, Kthere, MaratCerby, MiloTruck, NoamYakov, QuantumBrief, Randyyy, Ruhum, SmartSek, SooYa, Tadashi, TerrierLover, Tomio, UnusualTurtle, WatchPug, Waze, _Adam, antonttc, asutorufos, bobirichman, c3phas, catchup, csanuragjain, cthulhu_cult, defsec, delfin454000, ellahi, fatherOfBlocks, hansfriese, hyh, jayjonah8, joestakey, kenta, marcopaladin, mics, minhquanym, orion, oyc_109, reassor, rfa, robee, sach1r0, samruna, sashik_eth, sikorico, simon135, unforgiven, z3s, zmj
247.3621 USDC - $247.36
Title: Using != is more gas efficient
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/Aura.sol#L68 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L139 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L210
Recommended Mitigation Steps:
require(_amount != 0, "Must mint something");
========================================================================
Title: Unnecessary variable initialization; the default value of uint is 0
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L35 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L38-L39
Recommended Mitigation Steps: remove 0 value
========================================================================
Title: Using delete statement to empty rewards[msg.sender] can save gas
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L179 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraClaimZap.sol#L191-L192
Recommended Mitigation Steps:
delete rewards[msg.sender];
========================================================================
Title: Using unchecked and prefix increment
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraClaimZap.sol#L143-L153 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L773
Recommended Mitigation Steps:
for (uint256 i = 0; i < rewardContracts.length;) {
    IBasicRewards(rewardContracts[i]).getReward(msg.sender, true);
    unchecked {
        ++i; //@audit-info: Place here with unchecked
    }
}
========================================================================
Title: Unnecessary variable set of bool
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L114 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraVestedEscrow.sol#L33
Recommended Mitigation Steps:
The default value of bool is false. Remove it for gas opt.
========================================================================
Title: Use reward that has already been cached
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L177-L179
Recommended Mitigation Steps:
if (reward > 0) { reward = 0;
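The two findings above (the delete statement and the cached reward) meet in one claim function. The sketch below is an added example, not code from the Aura repository or from this submission; the contract name, the IERC20Minimal interface and the _credit helper are hypothetical. It reads rewards[msg.sender] once into a local, clears the storage slot itself with delete, and pays from the local copy, so the balance is already zero when the external token call runs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;

// Minimal ERC20 surface needed by the example (hypothetical interface name).
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical pool used only to illustrate the pattern; not Aura's contract.
contract RewardPoolSketch {
    IERC20Minimal public immutable rewardToken;
    mapping(address => uint256) public rewards;

    event RewardPaid(address indexed user, uint256 reward);

    constructor(IERC20Minimal _rewardToken) {
        rewardToken = _rewardToken;
    }

    // Stand-in for the pool's accrual logic (assumption of this sketch).
    function _credit(address user, uint256 amount) internal {
        rewards[user] += amount;
    }

    function getReward() external returns (uint256 reward) {
        // Single SLOAD: cache the storage value in a stack variable.
        reward = rewards[msg.sender];
        if (reward != 0) {
            // Clear the storage slot. Zeroing only the local copy would
            // leave rewards[msg.sender] claimable again.
            delete rewards[msg.sender];
            // Pay from the cached value; state is updated before the call.
            require(rewardToken.transfer(msg.sender, reward), "transfer failed");
            emit RewardPaid(msg.sender, reward);
        }
    }
}
```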
========================================================================
Title: Using > is cheaper than >=
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L216-L217 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L829
Recommended Mitigation Steps:
Just use >; it can save gas
require(_delay > 1, "min delay"); //minimum 2 epochs of grace
========================================================================
Title: Gas opt for subtraction
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L484
Recommended Mitigation Steps:
uint256 i = --len;
========================================================================
Title: Using calldata to store struct data type can save gas
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L583 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L627 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L769
Recommended Mitigation Steps:
function checkpoints(address account, uint32 pos) external view virtual returns (DelegateeCheckpoint calldata) {
========================================================================
Title: Using storage to declare struct variable inside function
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L521 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L600 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L794
Recommended Mitigation Steps:
DelegateeCheckpoint storage ckpt = _checkpointsLookup(_checkpointedVotes[account], epoch);
========================================================================
Title: Using SafeMath for solidity >0.8
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L24 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraStakingProxy.sol#L35
Recommended Mitigation Steps:
It's better to remove using SafeMath for uint256 for Solidity >0.8.
Reference: https://github.com/OpenZeppelin/openzeppelin-contracts/issues/2465
========================================================================
Title: Cheaper to use ++ instead of + 1
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L636
Recommended Mitigation Steps:
low = ++mid;
========================================================================
Title: set as immutable
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraMerkleDrop.sol#L26
Recommended Mitigation Steps: add immutable
========================================================================
Title: Using multiple require instead of && can save gas
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraStakingProxy.sol#L159 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraStakingProxy.sol#L203 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/BalLiquidityProvider.sol#L48 https://github.com/code-423n4/2022-05-aura/blob/main/contracts/BalLiquidityProvider.sol#L57
Recommended Mitigation Steps:
require(_token != crv, "not allowed");
require(_token != cvx, "not allowed");
require(_token != cvxCrv, "not allowed");
========================================================================
Title: Using unchecked can save gas
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraVestedEscrow.sol#L162
Recommended Mitigation Steps:
uint256 elapsed; // declared outside the block so it stays in scope
unchecked {
    elapsed = _time - startTime; // requires _time >= startTime
}
========================================================================
Title: better increment
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraVestedEscrow.sol#L100
Recommended Mitigation Steps:
Change i++ to ++i
========================================================================
Title: Gas improvement on calling SafeERC20.function
Proof of Concept: https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L15
Recommended Mitigation Steps:
Remove L#15 and call SafeERC20 directly.
Example L#93:
SafeERC20.safeTransferFrom(_token, msg.sender, address(this), _amount);
========================================================================