Platform: Code4rena
Start Date: 28/06/2022
Pot Size: $25,000 USDC
Total HM: 14
Participants: 50
Period: 4 days
Judge: GalloDaSballo
Total Solo HM: 7
Id: 141
League: ETH
Rank: 40/50
Findings: 1
Award: $35.71
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0x1f8b
Also found by: 0x29A, 0xArshia, 0xKitsune, Bnke0x0, Chom, Fitraldys, Funen, JC, Lambda, Meera, Noah3o6, Picodes, RedOneN, Rohan16, Sm4rty, TerrierLover, TomJ, Tomio, Waze, ajtra, c3phas, cRat1st0s, defsec, durianSausage, fatherOfBlocks, grGred, hake, ladboy233, m_Rassska, mrpathfindr, oyc_109, rfa, ynnad
35.707 USDC - $35.71
Title: Reduce the size of error messages (Long revert Strings)
Impact: Shortening revert strings to fit in 32 bytes will decrease deployment time gas and will decrease runtime gas when the revert condition is met. Revert strings that are longer than 32 bytes require at least one additional mstore, along with additional overhead for computing memory offset, etc.
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Accountant/AccountantDelegate.sol#L87 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Accountant/AccountantDelegator.sol#L42-L43 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Treasury/TreasuryDelegator.sol#L31-L32
Recommended Mitigation Steps: Consider shortening the revert strings to fit in 32 bytes
Title: Custom errors from Solidity 0.8.4 are cheaper than revert strings
Impact: Custom errors from Solidity 0.8.4 are cheaper than revert strings (cheaper deployment cost and runtime cost when the revert condition is met) while providing the same amount of information
Custom errors are defined using the error statement reference: https://blog.soliditylang.org/2021/04/21/custom-errors/
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Accountant/AccountantDelegate.sol https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Accountant/AccountantDelegator.sol https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Treasury/TreasuryDelegator.sol https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorAlpha.sol
Recommended Mitigation Steps: Replace require statements with custom errors.
Title: Expression for constant values such as a call to keccak256(), should use immutable rather than constant
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Treasury/TreasuryDelegate.sol#L12-L13 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/Comp.sol#L39-L42 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorAlpha.sol#L110-L113
Recommended Mitigation Steps:
Change from constant to immutable
reference: https://github.com/ethereum/solidity/issues/9232
Title: >= is cheaper than >
Impact:
Strict inequalities (>) are more expensive than non-strict ones (>=). This is due to some supplementary checks (ISZERO, 3 gas)
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/Comp.sol#L179 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/Comp.sol#L248 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/Comp.sol#L255
Recommended Mitigation Steps:
Consider using >= instead of > to avoid some opcodes
Title: Consider make constant as private to save gas
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/Comp.sol#L6-L15
Recommended Mitigation Steps:
I suggest changing the visibility from public to internal or private
Title: Gas optimization to dividing by 2
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/Comp.sol#L210
Recommended Mitigation Steps:
Replace / 2 with >> 1
Title: Gas optimization for increment or decrement
Proof of Concept:
Title: Cheaper to use ++ instead + 1
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/Comp.sol#L208 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/Comp.sol#L217 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/Comp.sol#L269
Recommended Mitigation Steps:
instead of using +1 / -1 replace it with ++ / --
uint32 upper = --nCheckpoints; numCheckpoints[delegatee] = ++nCheckpoints;
Title: Default value initialization
Impact: If a variable is not set/initialized, it is assumed to have the default value (0, false, 0x0 etc depending on the data type). Explicitly initializing it with its default value is an anti-pattern and wastes gas.
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/Comp.sol#L207 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorAlpha.sol#L181 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorAlpha.sol#L197 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorAlpha.sol#L211
Recommended Mitigation Steps: Remove explicit initialization for default values.
Title: Using multiple require instead of && can save gas
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorAlpha.sol#L228
Recommended Mitigation Steps: Change to:
require(targets.length == values.length, "GovernorAlpha::propose: proposal function information arity mismatch"); require(targets.length == signatures.length, "GovernorAlpha::propose: proposal function information arity mismatch"); require(targets.length == calldatas.length, "GovernorAlpha::propose: proposal function information arity mismatch");
Title: Using unchecked and prefix increment is more effective for gas saving:
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorAlpha.sol#L181 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorAlpha.sol#L197
Recommended Mitigation Steps: Change to:
for (uint i = 0; i < proposal.targets.length;) { // ... unchecked { ++i; } }
Title: Using != is more gas efficient
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorAlpha.sol#L228
Recommended Mitigation Steps:
Change > 0 to != 0
require(proposalCount >= proposalId && proposalId != 0, "GovernorAlpha::state: invalid proposal id");
Title: Comparison operators
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/GovernorAlpha.sol#L228-L242
Recommended Mitigation Steps:
Replace <= with <, and >= with > for gas optimization
Title: Using == false cost more gas
Proof of Concept: https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/Governance/GovernorAlpha.sol#L266
Recommended Mitigation Steps: Change to:
require(!receipt.hasVoted, "GovernorAlpha::_castVote: voter already voted");
Title: Set as immutable can save gas
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Note.sol#L7
Recommended Mitigation Steps:
can be set as immutable, which already set once in the constructor
Title: Using msg.sender directly is more effective
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Governance/Comp.sol#L129-L137
Recommended Mitigation Steps:
In function transferFrom() using msg.sender directly instead of caching it to spender. delete L#129 and replace all spender with msg.sender
Title: Using SafeMath for solidity >0.8
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/NoteInterest.sol#L15
Recommended Mitigation Steps:
it's better to remove using SafeMath for uint256 for solidity >0.8
reference: https://github.com/OpenZeppelin/openzeppelin-contracts/issues/2465
Title: Gas improvement on returning c value
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Reservoir.sol#L72
Recommended Mitigation Steps:
by set c in returns L#71 and delete L#72 can save gas
function add(uint a, uint b, string memory errorMessage) internal pure returns (uint c) { //@audit-info: set here
Title: Using += or -= can save gas
Proof of Concept: https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/CToken.sol#L443-L444 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/CToken.sol#L534-L535 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/CToken.sol#L835-L837
Recommended Mitigation Steps: Change to:
totalSupply += mintTokens; accountTokens[minter] += mintTokens;
#0 - GalloDaSballo
2022-08-14T22:33:55Z
Not true -> https://twitter.com/GalloDaSballo/status/1543729080926871557
Will save 2.1k
Rest will save less than 300 gas