Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 198
Period: 3 days
Judge: 0xean
Total Solo HM: 2
Id: 164
League: ETH
Rank: 187/198
Findings: 1
Award: $9.09
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x85102, 0xA5DF, 0xDanielC, 0xNazgul, 0xSmartContract, 0xbepresent, 0xc0ffEE, 0xsam, 2997ms, AkshaySrivastav, Amithuddar, Atarpara, Aymen0909, B2, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, DimitarDimitrov, Diraco, Funen, JC, JLevick, JohnSmith, Junnon, KIntern_NA, Lambda, MasterCookie, Matin, Noah3o6, Ocean_Sky, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, Saintcode_, Satyam_Sharma, Sm4rty, SnowMan, SooYa, Sta1400, StevenL, Tadashi, Tagir2003, TomJ, Tomio, Tomo, V_B, Waze, WilliamAmbrozic, Yiko, __141345__, a12jmx, adriro, ajtra, ak1, async, aysha, beardofginger, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, caventa, ch0bu, cryptostellar5, cryptphi, csanuragjain, d3e4, delfin454000, dharma09, djxploit, durianSausage, eighty, emrekocak, erictee, exd0tpy, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, got_targ, hxzy, ignacio, ikbkln, imare, indijanc, jag, jpserrat, karanctf, ladboy233, leosathya, lucacez, lukris02, m9800, malinariy, martin, medikko, mics, millersplanet, mrpathfindr, nalus, natzuu, neko_nyaa, oyc_109, pauliax, peanuts, pedroais, peiw, pfapostol, prasantgupta52, rbserver, ret2basic, rokinot, rotcivegaf, rvierdiiev, sach1r0, samruna, seyni, slowmoses, subtle77, supernova, tgolding55, tibthecat, tnevler, w0Lfrum, yaemsobak, zishansami
9.0861 USDC - $9.09
Title: Comparison operators
Proof of Concept: VTVLVesting.sol#L160 VTVLVesting.sol#L295 VTVLVesting.sol#L402
Recommended Mitigation Steps: Replace <= with <, and >= with >, for gas optimization.
Title: Custom errors from Solidity 0.8.4 are cheaper than revert strings
Impact: Custom errors from Solidity 0.8.4 are cheaper than revert strings (cheaper deployment cost and runtime cost when the revert condition is met) while providing the same amount of information
Custom errors are defined using the error statement. Reference: https://blog.soliditylang.org/2021/04/21/custom-errors/
Proof of Concept: VTVLVesting.sol (various lines) VariableSupplyERC20Token.sol#L41
Recommended Mitigation Steps: Replace require statements with custom errors.
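The pattern the finding recommends, shown as an added example that is not code from the VTVL contracts: the same check written once with a revert string and once with a custom error. The contract, struct, error and function names are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Custom error declared at file level (hypothetical name, not from the audited code).
// Reverting with it encodes a 4-byte selector plus the parameters instead of a string.
error NoActiveClaim(address recipient);

contract ClaimGuardExample {
    struct Claim {
        bool isActive;
        uint112 amount;
    }

    // Constructed state for the example; in the real contract this is populated elsewhere.
    mapping(address => Claim) internal claims;

    // Before: the revert string is stored in the deployed bytecode and
    // ABI-encoded into return data every time the require fails.
    function withdrawWithString() external view returns (uint112) {
        Claim storage c = claims[msg.sender];
        require(c.isActive, "NO_ACTIVE_CLAIM");
        return c.amount;
    }

    // After: same condition, same information to the caller (the recipient
    // address is even included), but no string literal in bytecode or calldata.
    function withdrawWithError() external view returns (uint112) {
        Claim storage c = claims[msg.sender];
        if (!c.isActive) revert NoActiveClaim(msg.sender);
        return c.amount;
    }
}
```

Off-chain tooling still gets a readable reason: the error selector and arguments are part of the contract ABI, so clients decode NoActiveClaim(address) just as they would decode a string revert.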
Title: Using != in require statement is more gas efficient
Proof of Concept: VTVLVesting.sol#L107 VTVLVesting.sol#L256-L257 VTVLVesting.sol#L263 VTVLVesting.sol#L272-L273 VTVLVesting.sol#L449
Recommended Mitigation Steps: Change > 0 to != 0.
Title: Default value initialization
Impact: If a variable is not set/initialized, it is assumed to have the default value (0, false, 0x0 etc depending on the data type). Explicitly initializing it with its default value is an anti-pattern and wastes gas.
Proof of Concept: VTVLVesting.sol#L27 VTVLVesting.sol#L148 VTVLVesting.sol#L353
Recommended Mitigation Steps: Remove explicit initialization for default values.
Title: Using unchecked and prefix increment is more effective for gas saving
Proof of Concept: VTVLVesting.sol#L353
Recommended Mitigation Steps: Change to:
```solidity
for (uint256 i = 0; i < length;) {
    // ...
    unchecked { ++i; }
}
```
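The two loop findings above (default value initialization and unchecked prefix increment) applied together, as an added example that is not code from the VTVL contracts. The contract and function names and the array parameter are assumptions; the loop body is a placeholder sum so the example compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

contract LoopGasExample {
    // Before: explicit "= 0" re-stores the default value, and "i++" is a
    // checked post-increment that keeps a temporary copy of the old value.
    function sumBefore(uint256[] calldata amounts) external pure returns (uint256 total) {
        uint256 length = amounts.length;
        for (uint256 i = 0; i < length; i++) {
            total += amounts[i];
        }
    }

    // After: rely on the zero default for i, and increment with unchecked ++i.
    // The unchecked block is sound here because i < length on every iteration
    // and length is bounded by the array size, so i + 1 cannot wrap a uint256.
    // The addition to total stays checked on purpose: it can overflow on
    // adversarial input, and that is exactly the case the 0.8 checks exist for.
    function sumAfter(uint256[] calldata amounts) external pure returns (uint256 total) {
        uint256 length = amounts.length;
        for (uint256 i; i < length;) {
            total += amounts[i];
            unchecked { ++i; }
        }
    }
}
```

Keeping the unchecked block limited to the counter is the point worth checking in review: wrapping the whole loop body would also remove the overflow check on the accumulator.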
Title: Using multiple require instead of && can save gas
Proof of Concept: VTVLVesting.sol#L270-L278 VTVLVesting.sol#L344-L351
Recommended Mitigation Steps: Change to:
```solidity
require(_startTimestamps.length == length, "ARRAY_LENGTH_MISMATCH");
require(_endTimestamps.length == length, "ARRAY_LENGTH_MISMATCH");
require(_cliffReleaseTimestamps.length == length, "ARRAY_LENGTH_MISMATCH");
require(_releaseIntervalsSecs.length == length, "ARRAY_LENGTH_MISMATCH");
require(_linearVestAmounts.length == length, "ARRAY_LENGTH_MISMATCH");
require(_cliffAmounts.length == length, "ARRAY_LENGTH_MISMATCH");
```
Title: Boolean comparison
Proof of Concept: VTVLVesting.sol#L111
Recommended Mitigation Steps: Using == true to validate a bool variable is unnecessary. Change to:
```solidity
require(_claim.isActive, "NO_ACTIVE_CLAIM");
```
Title: >= is cheaper than >
Impact: Strict inequalities (>) are more expensive than non-strict ones (>=). This is due to some supplementary checks (ISZERO, 3 gas).
Proof of Concept: VTVLVesting.sol#L187
Recommended Mitigation Steps: Consider using >= instead of > to avoid some opcodes.
Title: Unchecking arithmetics operations that can't underflow/overflow
Proof of Concept: VTVLVesting.sol#L167 (L#167 should be unchecked due to L#166), VTVLVesting.sol#L377 (L#377 should be unchecked due to L#374), VTVLVesting.sol#L429 (L#429 should be unchecked due to L#426)
Recommended Mitigation Steps: Use unchecked for these operations.
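The shape of this finding, as an added example that is not code from the VTVL contracts: a subtraction whose operands were already ordered by a require on the preceding line, first with the default checked arithmetic and then inside an unchecked block. The contract, function and parameter names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

contract UncheckedSubExample {
    // Before: the compiler inserts an underflow check on "total - withdrawn"
    // even though the require on the line above already rules it out.
    function remainingChecked(uint256 total, uint256 withdrawn) external pure returns (uint256) {
        require(withdrawn <= total, "WITHDRAWN_EXCEEDS_TOTAL");
        return total - withdrawn;
    }

    // After: the same guard, then the subtraction in an unchecked block.
    // Soundness depends entirely on the require directly above: withdrawn <= total
    // means total - withdrawn >= 0, so the unchecked subtraction cannot wrap.
    function remainingUnchecked(uint256 total, uint256 withdrawn) external pure returns (uint256) {
        require(withdrawn <= total, "WITHDRAWN_EXCEEDS_TOTAL");
        unchecked {
            return total - withdrawn;
        }
    }

    // Counter-example of what NOT to mark unchecked: no guard establishes the
    // ordering of the operands, so the checked version is the correct one here.
    function differenceUnguarded(uint256 a, uint256 b) external pure returns (uint256) {
        return a - b; // reverts on underflow, which is the intended behaviour
    }
}
```

When reviewing a change like this, confirm that the guard and the unchecked operation sit in the same function and that nothing between them can modify the operands; an unchecked block whose guard was later refactored away silently reintroduces the wraparound that Solidity 0.8 was meant to remove.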