Platform: Code4rena
Start Date: 29/06/2022
Pot Size: $50,000 USDC
Total HM: 20
Participants: 133
Period: 5 days
Judge: hickuphh3
Total Solo HM: 1
Id: 142
League: ETH
Rank: 107/133
Findings: 1
Award: $21.24
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: GalloDaSballo
Also found by: 0v3rf10w, 0x1f8b, 0xA5DF, 0xDjango, 0xHarry, 0xKitsune, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xkatana, 0xsanson, ACai, Aymen0909, Bnke0x0, BowTiedWardens, Chom, ElKu, Fitraldys, Funen, Haruxe, Hawkeye, IllIllI, JC, JohnSmith, Kaiziron, Kenshin, Lambda, Limbooo, MadWookie, Metatron, MiloTruck, Picodes, PwnedNoMore, Randyyy, RedOneN, ReyAdmirado, Ruhum, Sm4rty, StErMi, StyxRave, TerrierLover, TomJ, Tomio, UnusualTurtle, Waze, Yiko, _Adam, __141345__, ajtra, ak1, apostle0x01, asutorufos, c3phas, cRat1st0s, catchup, codetilda, cryptphi, datapunk, defsec, delfin454000, durianSausage, exd0tpy, fatherOfBlocks, gogo, grrwahrr, hake, hansfriese, horsefacts, ignacio, jayfromthe13th, joestakey, ladboy233, m_Rassska, mektigboy, minhquanym, mrpathfindr, natzuu, oyc_109, rajatbeladiya, reassor, rfa, robee, rokinot, sach1r0, saian, sashik_eth, simon135, slywaters, swit, z3s, zeesaw, zer0dot
21.2394 USDC - $21.24
Title: Expression for constant values such as a call to keccak256(), should use immutable rather than constant
Proof of Concept: https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L89-L101
Recommended Mitigation Steps:
Change from constant to immutable
reference: here
Title: abi.encode() is less efficient than abi.encodePacked()
Proof of Concept: https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L685 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L701 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L731 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L745
Title: Custom errors from Solidity 0.8.4 are cheaper than revert strings
Impact: Custom errors from Solidity 0.8.4 are cheaper than revert strings (cheaper deployment cost and runtime cost when the revert condition is met) while providing the same amount of information
Custom errors are defined using the error statement reference: here
Proof of Concept:
(various lines)
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2Nft.sol
Recommended Mitigation Steps:
Replace require statements with custom errors.
Title: calldata instead of memory for RO function parameters
Impact: If a reference type function parameter is read-only, it is cheaper in gas to use calldata instead of memory. Calldata is a non-modifiable, non-persistent area where function arguments are stored, and behaves mostly like memory.
Try to use calldata as a data location because it will avoid copies and also makes sure that the data cannot be modified.
Proof of Concept: (various lines) https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L269 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L389 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L526 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L547 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L593
Recommended Mitigation Steps:
Replace memory with calldata
Title: Using != in require statement is more gas efficient
Proof of Concept: https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L293 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L598-L599
Recommended Mitigation Steps:
Change > 0 to != 0
Title: Default value initialization
Impact: If a variable is not set/initialized, it is assumed to have the default value (0, false, 0x0 etc depending on the data type). Explicitly initializing it with its default value is an anti-pattern and wastes gas.
Proof of Concept: https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L556 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L594 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L611 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L627 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L742
Recommended Mitigation Steps: Remove explicit initialization for default values.
Title: Caching length for loop can save gas
Proof of Concept: https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L556 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L594 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L611 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L627 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L742
Recommended Mitigation Steps: Change to:
uint256 Length = orders.length; for (uint256 i = 0; i < Length; i++) {
Title: Using unchecked and prefix increment is more effective for gas saving:
Proof of Concept: https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L556 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L594 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L611 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L627 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L742
Recommended Mitigation Steps: Change to:
for (uint256 i = 0; i < orders.length;) { // ... unchecked { ++i; } }