Platform: Code4rena
Start Date: 22/09/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 133
Period: 3 days
Judge: 0xean
Total Solo HM: 2
Id: 165
League: ETH
Rank: 71/133
Findings: 2
Award: $40.83
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rotcivegaf
Also found by: 0x040, 0x1f8b, 0x4non, 0xNazgul, 0xSmartContract, 0xf15ers, 8olidity, Aymen0909, B2, Bahurum, Bnke0x0, Ch_301, CodingNameKiki, Deivitto, Diana, Funen, IllIllI, JC, JLevick, KIntern_NA, Lambda, OptimismSec, PaludoX0, RockingMiles, Rolezn, Sm4rty, Soosh, Tagir2003, Tointer, TomJ, Triangle, Trust, V_B, Waze, Yiko, __141345__, a12jmx, ajtra, asutorufos, ayeslick, aysha, bbuddha, bharg4v, bobirichman, brgltd, bytera, c3phas, cryptostellar5, cryptphi, csanuragjain, datapunk, delfin454000, durianSausage, exd0tpy, gogo, got_targ, jag, joestakey, karanctf, ladboy233, leosathya, lukris02, mics, millersplanet, natzuu, neko_nyaa, obront, oyc_109, parashar, peritoflores, rbserver, ret2basic, rokinot, ronnyx2017, rvierdiiev, sach1r0, seyni, sikorico, slowmoses, tnevler, yasir, yongskiws
28.0172 USDC - $28.02
L-1 Missing zero approval before approval. USDT requires the approved amount to be zero before approving a non-zero amount. Even though the approved amount is expected to always be zero at the beginning of the tx (since the swapper always uses all of the approved amount), it is better to approve zero first to avoid any kind of error: even if 1 wei of USDT is left approved due to some error or rounding in the swapper, it will make the functions that rely on the approval unusable.
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L75
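One way to apply the zero-first approval pattern this finding recommends, as an added Solidity example that is not code from the frxETH contracts (the `ZeroFirstApprove` library, the `IERC20Allowance` interface and `approveFromZero` are hypothetical names); it also handles USDT's non-standard approve(), which returns no bool:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

interface IERC20Allowance {
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Hypothetical helper (added example, not code from the frxETH repository).
/// The risky pattern is a bare `token.approve(swapper, amount)`: on USDT-style
/// tokens it reverts whenever the existing allowance is non-zero, and USDT's
/// approve() returns no bool, so a standard IERC20 call would also revert while
/// decoding the (empty) return data. This helper handles both cases.
library ZeroFirstApprove {
    bytes4 private constant APPROVE_SELECTOR = bytes4(keccak256("approve(address,uint256)"));

    /// Low-level approve that accepts either no return data (USDT) or `true`.
    function _rawApprove(address token, address spender, uint256 amount) private {
        // A call to an EOA succeeds with empty return data, so require real code.
        require(token.code.length > 0, "approve: not a contract");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, spender, amount)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "approve: failed");
    }

    /// Set `spender`'s allowance to `amount`, clearing any leftover allowance
    /// first (e.g. 1 wei left behind by swapper rounding) so the final approve
    /// never performs a non-zero -> non-zero transition that USDT rejects.
    function approveFromZero(address token, address spender, uint256 amount) internal {
        if (IERC20Allowance(token).allowance(address(this), spender) != 0) {
            _rawApprove(token, spender, 0);
        }
        if (amount != 0) {
            _rawApprove(token, spender, amount);
        }
    }
}
```

The allowance read before the reset also avoids an unnecessary approve(0) call on tokens whose allowance is already zero.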
L-2 Missing checks for address(0x0) when assigning values to address state variables.
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L41
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L52-L65
When these variables are set incorrectly, the lending pair functionality becomes mostly unusable.
Informative
Events should use three indexed fields if there are three or more fields.
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L212
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L214
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L207
https://github.com/code-423n4/2022-09-frax/blob/main/src/ERC20/ERC20PermitPermissionedMint.sol#L102-L103
Non-library/interface files should use fixed compiler versions, not floating ones.
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L2
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L2
https://github.com/code-423n4/2022-09-frax/blob/main/src/sfrxETH.sol#L2
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETH.sol#L2
Missing @return NatSpec.
https://github.com/code-423n4/2022-09-frax/blob/main/src/sfrxETH.sol#L75
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L70
🌟 Selected for report: pfapostol
Also found by: 0x040, 0x1f8b, 0x4non, 0x5rings, 0xA5DF, 0xNazgul, 0xSmartContract, 0xmatt, 0xsam, Amithuddar, Aymen0909, B2, Ben, Bnke0x0, Chom, CodingNameKiki, Deivitto, Diana, Fitraldys, Funen, IllIllI, JAGADESH, JC, Metatron, Ocean_Sky, PaludoX0, Pheonix, RaymondFam, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Satyam_Sharma, Sm4rty, SnowMan, SooYa, Tagir2003, TomJ, Tomio, Triangle, V_B, Waze, __141345__, ajtra, albincsergo, asutorufos, aysha, beardofginger, bobirichman, brgltd, bulej93, bytera, c3phas, ch0bu, cryptostellar5, cryptphi, d3e4, delfin454000, dharma09, drdr, durianSausage, emrekocak, erictee, fatherOfBlocks, gogo, got_targ, imare, jag, karanctf, ladboy233, leosathya, lukris02, medikko, mics, millersplanet, natzuu, neko_nyaa, oyc_109, peanuts, prasantgupta52, rbserver, ret2basic, rokinot, ronnyx2017, rotcivegaf, sach1r0, samruna, seyni, slowmoses, tnevler, wagmi, zishansami
12.8108 USDC - $12.81
G-1 Public function visibility can be made external. If a function is never called from within the contract, it should be marked external. This will save gas.
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L171
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L197
G-2 Use custom errors rather than revert()/require() string messages.
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L46
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L137
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L182
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L203
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L79
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L87
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L88
G-3 Use != 0 rather than > 0 for unsigned integers in require() statements. When the optimizer is enabled, gas is wasted by doing a greater-than comparison rather than a not-equals comparison inside require() statements. When using !=, the optimizer is able to avoid the EQ, ISZERO and associated operations by relying on the JUMPI that comes afterwards, which itself checks for zero.
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L79
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L126
G-4 In for loops it is not necessary to initialize indexes to 0, since 0 is the default uint/int value. This saves gas.
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L63
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L84
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L114
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L129
https://github.com/code-423n4/2022-09-frax/blob/main/src/ERC20/ERC20PermitPermissionedMint.sol#L84
G-5 .length should not be looked up in every iteration of a for-loop.
https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L114
https://github.com/code-423n4/2022-09-frax/blob/main/src/ERC20/ERC20PermitPermissionedMint.sol#L84