Back to Tomio's contests

The Graph L2 bridge contest - Tomio's results

A protocol for indexing and querying blockchain data.

General Information

Platform: Code4rena

Start Date: 07/10/2022

Pot Size: $50,000 USDC

Total HM: 4

Participants: 62

Period: 5 days

Judge: 0xean

Total Solo HM: 2

Id: 169

League: ETH

The Graph

Findings Distribution

Researcher Performance

Rank: 39/62

Findings: 1

Award: $20.79

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryThe Graph

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0xNazgul, 0xSmartContract, 0xdeadbeef, B2, Bnke0x0, Deivitto, ElKu, Jujic, KoKo, Pheonix, RaymondFam, RedOneN, RockingMiles, Rolezn, Saintcode_, Shinchan, TomJ, Tomio, __141345__, ajtra, aysha, c3phas, carlitox477, catchup, delfin454000, emrekocak, erictee, fatherOfBlocks, gerdusx, gianganhnguyen, gogo, martin, mcwildy, medikko, oyc_109, pedr02b2, rbserver, ret2basic, rotcivegaf, saian, sakman, zishansami

Awards

20.7905 USDC - $20.79

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

Title: Using != in require statement is more gas efficient

Proof of Concept: L1GraphTokenGateway.sol#L201 L1GraphTokenGateway.sol#L217

Recommended Mitigation Steps: Change > 0 to != 0

Title: Using multiple require instead && can save gas

Proof of Concept: L1GraphTokenGateway.sol#L142 Governed.sol#L54-L56

Recommended Mitigation Steps: Change to:

	require(_escrow != address(0), "INVALID_ESCROW");
	require(Address.isContract(_escrow), "INVALID_ESCROW");

Title: Boolean comparison

Proof of Concept: L1GraphTokenGateway.sol#L214

Recommended Mitigation Steps: Change from callhookWhitelist[msg.sender] == true to callhookWhitelist[msg.sender]

Title: abi.encode() is less efficient than abi.encodePacked()

Proof of Concept: GraphTokenUpgradeable.sol#L162 L1GraphTokenGateway.sol#L249 L2GraphTokenGateway.sol#L174

Title: Gas improvement on returning from and extraData value

Proof of Concept: L2GraphTokenGateway.sol#L286

Recommended Mitigation Steps: by set from and extraData in returns L#286 and delete L#287-288 can save gas

function parseOutboundData(bytes memory _data) private view returns (address from, bytes memory extraData) { //@audit-info: set here
        if (msg.sender == l2Router) {
            (from, extraData) = abi.decode(_data, (address, bytes));
        } else {
            from = msg.sender;
            extraData = _data;
        }
        return (from, extraData);
    }

Title: Gas improvement on returning id value

Proof of Concept: GraphTokenUpgradeable.sol#L195

Recommended Mitigation Steps: by set id in returns L#195 and delete L#196 can save gas

function _getChainID() private pure returns (uint256 id) { //@audit-info: set here
        // solhint-disable-next-line no-inline-assembly
        assembly {
            id := chainid()
        }
        return id;
    }

Title: Expression for constant values such as a call to keccak256(), should use immutable rather than constant

Proof of Concept: GraphTokenUpgradeable.sol#L34-L37 GraphTokenUpgradeable.sol#L42-L45

Recommended Mitigation Steps: Change from constant to immutable reference: here

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter