Platform: Code4rena
Start Date: 26/05/2022
Pot Size: $75,000 USDT
Total HM: 31
Participants: 71
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 18
Id: 126
League: ETH
Rank: 59/71
Findings: 1
Award: $96.04
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, Cityscape, Dravee, ElKu, FSchmoede, Funen, GalloDaSballo, Hawkeye, Kaiziron, MiloTruck, Randyyy, RoiEvenHaim, Ruhum, SecureZeroX, SmartSek, TerrierLover, TomJ, Tomio, WatchPug, Waze, _Adam, asutorufos, c3phas, catchup, cogitoergosumsw, delfin454000, ellahi, fatherOfBlocks, gzeon, hansfriese, horsefacts, jonatascm, minhquanym, oyc_109, pauliax, reassor, robee, sach1r0, saian, sashik_eth, simon135, z3s
96.0363 USDT - $96.04
Title: Using calldata on struct parameter
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/helper/FixedPoint.sol#L38 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/helper/FixedPoint.sol#L43 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/helper/FixedPoint.sol#L57
Recommended Mitigation Steps:
Using calldata to store struct data type can save gas
function decode(uq112x112 calldata self) internal pure returns (uint112) {
========================================================================
Title: Using SafeMath for solidity >0.8
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/token/VE3Token.sol#L13 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/token/VeToken.sol#L8
Recommended Mitigation Steps:
It's better to remove using SafeMath for uint256 for solidity >0.8
reference: https://github.com/OpenZeppelin/openzeppelin-contracts/issues/2465
========================================================================
Title: Unused lib
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/token/VE3Token.sol#L11
Recommended Mitigation Steps: removing the unused lib can save gas
========================================================================
Title: Set as immutable can save gas
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L55-L56 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L62-L65 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/ExtraRewardStashV1.sol#L23-L27 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VoterProxy.sol#L27
Recommended Mitigation Steps: these can be set as immutable, as they are already set once in the constructor
========================================================================
Title: unnecessary variable set. the default value of uint is 0
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L66-L67 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L70-L72
Recommended Mitigation Steps: remove 0 value
========================================================================
Title: Using != is more gas efficient
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L173 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L196
Recommended Mitigation Steps:
Change to !=
require(_amount != 0, "RewardPool : Cannot stake 0");
========================================================================
Title: Using unchecked and prefix increment
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L176-L178 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L199-L201
Recommended Mitigation Steps: Change to:
for (uint256 i = 0; i < extraRewards.length;) {
    IRewards(extraRewards[i]).stake(msg.sender, _amount);
    unchecked {
        ++i; //@audit-info: Place here with unchecked
    }
}
========================================================================
Title: Using delete statement can save gas
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L274 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VirtualBalanceRewardPool.sol#L151
Recommended Mitigation Steps:
delete rewards[_account];
========================================================================
Title: Using multiple require instead of && can save gas
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/Booster.sol#L261-L262
Recommended Mitigation Steps:
require(_gauge != address(0), "!param");
require(_lptoken != address(0), "!param");
========================================================================
Title: Using == true costs more gas
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/RewardFactory.sol#L40 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/RewardFactory.sol#L57 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/RewardFactory.sol#L103 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VoterProxy.sol#L69-L72
Recommended Mitigation Steps:
Using == true to validate bool variable is unnecessary:
require(rewardAccess[msg.sender], "!auth");
========================================================================
Title: Cheaper to use ++ instead of + 1
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/RewardFactory.sol#L46 https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/RewardFactory.sol#L63
Recommended Mitigation Steps:
uint256 pid = ++_pid;
========================================================================
Title: unnecessary variable set. the default value of bool is false
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DLocker.sol#L106
Recommended Mitigation Steps:
remove false set for gas saving
========================================================================
Title: Using > instead of >= can save gas
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DLocker.sol#L187
Recommended Mitigation Steps:
using only > operator can save gas
require(_delay > 1, "min delay"); //minimum 2 epochs of grace //@audit-info: Change from 2 to 1
========================================================================
Title: Using unchecked to calculate can save gas
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DLocker.sol#L428
Recommended Mitigation Steps:
uint256 mid; // declared outside the block so mid stays in scope after it
unchecked { mid = (min + max + 1) / 2; }
========================================================================
Title: Use supply that has already been cached
Proof of Concept: https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VeTokenMinter.sol#L73
Recommended Mitigation Steps:
supply += _amount;
========================================================================
Title: Caching .length for loop can save gas
Proof of Concept: https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/VotingEscrow.sol#L1146
Recommended Mitigation Steps: Change to:
uint256 Length = _tokenVote.length;
for (uint256 i = 0; i < Length; i++) {
========================================================================
#0 - GalloDaSballo
2022-07-18T23:34:09Z
11 * 2100 Rest will save less than 1k gas
24100
#1 - GalloDaSballo
2022-07-28T20:30:25Z
TODO: Remove Stash points as out of scope
#2 - GalloDaSballo
2022-07-28T22:30:09Z
Updated, removing ExtraStash contract points: 5 * 2100
Total Gas Saved in scope: 13600