Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $50,000 USDC
Total HM: 31
Participants: 99
Period: 5 days
Judges: moose-code, JasoonS, denhampreen
Total Solo HM: 17
Id: 139
League: ETH
Rank: 85/99
Findings: 1
Award: $28.15
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: BowTiedWardens
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 0xmint, 8olidity, ACai, Bnke0x0, Chom, ElKu, Fabble, Fitraldys, FudgyDRS, Funen, GalloDaSballo, GimelSec, IllIllI, JC, Kaiziron, Lambda, Limbooo, MiloTruck, Noah3o6, Nyamcil, Picodes, PwnedNoMore, Randyyy, RedOneN, Sm4rty, StErMi, TomJ, Tomio, TrungOre, UnusualTurtle, Waze, _Adam, aga7hokakological, ajtra, antonttc, asutorufos, bardamu, c3phas, defsec, delfin454000, exd0tpy, fatherOfBlocks, hansfriese, ignacio, joestakey, kenta, ladboy233, m_Rassska, mics, minhquanym, oyc_109, pashov, reassor, robee, s3cunda, sach1r0, saian, sashik_eth, scaraven, sikorico, simon135, slywaters
28.1525 USDC - $28.15
Title: Using multiple require instead of && can save gas
Proof of Concept: https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/LiquidityReserve.sol#L44-L47 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Migration.sol#L20-L23 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L54-L63 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L574-L577
Recommended Mitigation Steps:
require(_stakingToken != address(0), "Invalid address");
require(_rewardToken != address(0), "Invalid address");
Title: Custom errors from Solidity 0.8.4 are cheaper than revert strings
Impact: Custom errors from Solidity 0.8.4 are cheaper than revert strings (cheaper deployment cost and runtime cost when the revert condition is met) while providing the same amount of information.
Custom errors are defined using the error statement. Reference: https://blog.soliditylang.org/2021/04/21/custom-errors/
Proof of Concept: https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/LiquidityReserve.sol https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol
Recommended Mitigation Steps: Replace require statements with custom errors.
Title: Using != is more gas efficient
Proof of Concept: https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L118 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L410 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L572
Recommended Mitigation Steps:
Change from > to !=
require(_recipient.amount != 0, "Must enter valid amount");
Title: Comparison operators
Proof of Concept: https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L586 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L190 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L210
Recommended Mitigation Steps:
Replace <= with <, and >= with > for gas optimization
Title: Default value initialization
Impact: If a variable is not set/initialized, it is assumed to have the default value (0, false, 0x0 etc depending on the data type). Explicitly initializing it with its default value is an anti-pattern and wastes gas.
Proof of Concept: https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L636-L637
Recommended Mitigation Steps: Remove explicit initialization for default values.
Title: Function rebase(): L#716 should be unchecked due to L#713
Proof of Concept: https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L716
Recommended Mitigation Steps:
Use unchecked
Title: Function transfer(): L#192 should be unchecked due to L#190
Proof of Concept: https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L192
Recommended Mitigation Steps:
Use unchecked
Title: Function transferFrom(): L#212 should be unchecked due to L#210
Proof of Concept: https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L212
Recommended Mitigation Steps:
Use unchecked
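The custom-error and unchecked findings above, combined in one added example that is not taken from the audited contracts: CreditLedger, its error names and its function body are hypothetical, and only the creditBalances mapping name mirrors the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added illustration; hypothetical contract, not the audited Yieldy code.
contract CreditLedger {
    // Custom errors (Solidity >= 0.8.4) revert with a 4-byte selector plus
    // ABI-encoded arguments instead of storing and returning a string.
    error InsufficientCredits(uint256 available, uint256 requested);
    error ZeroAddress();

    mapping(address => uint256) public creditBalances;

    constructor(uint256 initialCredits) {
        creditBalances[msg.sender] = initialCredits;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (to == address(0)) revert ZeroAddress();

        // Read the sender's balance from storage once and reuse it.
        uint256 senderCredits = creditBalances[msg.sender];
        if (amount > senderCredits) {
            revert InsufficientCredits(senderCredits, amount);
        }

        // The guard above proves amount <= senderCredits, so this subtraction
        // cannot underflow and the compiler-inserted check is redundant.
        unchecked {
            creditBalances[msg.sender] = senderCredits - amount;
        }

        // The addition stays checked: nothing in this function bounds the
        // recipient's balance.
        creditBalances[to] += amount;
        return true;
    }
}
```

The unchecked block is only sound while the comparison directly above it is kept; if that guard is later loosened or moved, the subtraction must go back to checked arithmetic.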
Title: currentCredits only used once
Proof of Concept: https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L286
Recommended Mitigation Steps:
Instead of caching it to currentCredits, delete L#285 and use creditBalances[_address] directly:
require(creditBalances[_address] >= creditAmount, "Not enough balance"); //@audit gas: save about 5 gas
Or
Title: Use currentCredits, which has already been cached, instead
Proof of Concept: https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L288
Recommended Mitigation Steps: Change to:
currentCredits = currentCredits - creditAmount;
Title: Expressions for constant values, such as a call to keccak256(), should use immutable rather than constant
Proof of Concept: https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/YieldyStorage.sol#L10-L13
Recommended Mitigation Steps:
Change from constant to immutable
Reference: https://github.com/ethereum/solidity/issues/9232