Axelar Network v2 contest - benbaessler's results

[L-01] Use a more recent version of Solidity

Use a solidity version of at least 0.8.0 to get overflow protection without SafeMath Use a solidity version of at least 0.8.2 to get simple compiler automatic inlining Use a solidity version of at least 0.8.3 to get better struct packing and cheaper multiple storage reads Use a solidity version of at least 0.8.4 to get custom errors, which are cheaper at deployment than revert()/require() strings Use a solidity version of at least 0.8.10 to have external calls skip contract existence checks if the external call has a return value

[L-02] Use of floating pragma

Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively. Consider locking the pragma version to the same version as used in the other contracts.

https://swcregistry.io/docs/SWC-103

There are 5 instances of this issue:

IDepositBase.sol IAxelarAuth.sol IAxelarGasService.sol IAxelarDepositService.sol IAxelarAuthWeighted.sol

[L-03] Missing zero-address check in constructor and setter functions

Missing checks for zero-addresses may lead to infunctional protocol, if the variable addresses are updated incorrectly. Consider adding something like require(newAddr != address(0));.

There is 1 instance of this issue:

XC20Wrapper.sol#L26

[N-01] Natspec is incomplete

Add @notice @param @return comments where applicable.

There are 6 instances of this issue:

AxelarGasService.sol DepositBase.sol AxelarDepositService.sol ReceiverImplementation.sol AxelarAuthWeighted.sol XC20Wrapper.sol

[N-02] Event is missing indexed fields

Each event should use 3 indexed fields if there are 3 or more fields.

There are 7 instances of this issue:

IAxelarGasService.sol#L13-L57 IAxelarAuthWeighted.sol#L14

[G-01] Functions guaranteed to revert when called normal users can be marked payable

If a function modifier such as onlyOwner is used, the function will revert if a normal user tries to pay the function. Marking the function as payable will lower the gas cost for legitimate callers because the compiler will not include checks for whether a payment was provided.

There are 5 instances of this issue:

AxelarGasService.sol#L120 AxelarGasService.sol#L140 AxelarAuthWeighted.sol#L47 XC20Wrapper.sol#L44 XC20Wrapper.sol#L66

[G-02] <array>.length should not be looked up in every loop of a for-loop

The overheads outlined below are PER LOOP, excluding the first loop

• storage arrays incur a Gwarmaccess (100 gas)
• memory arrays use MLOAD (3 gas)
• calldata arrays use CALLDATALOAD (3 gas)

Caching the length changes each of these to a DUP<N> (3 gas), and gets rid of the extra DUP<N> needed to store the stack offset

There are 7 instances of this issue:

AxelarGasService.sol#L123 AxelarDepositService.sol#L114 AxelarDepositService.sol#L168 AxelarDepositService.sol#L204 AxelarAuthWeighted.sol#L17 AxelarAuthWeighted.sol#L98 AxelarAuthWeighted.sol#L116

[G-03] ++i costs less gas than i++, especially when it's used in for-loops (--i/i-- too)

Saves 6 gas per loop.

There are 4 instances of this issue:

AxelarGasService.sol#L123 AxelarDepositService.sol#L114 AxelarDepositService.sol#L168 AxelarDepositService.sol#L204

[G-04] Increments can be unchecked

In Solidity 0.8+, there’s a default overflow check on unsigned integers. It’s possible to uncheck this in for-loops and save some gas at each iteration, but at the cost of some code readability, as this uncheck cannot be made inline.

ethereum/solidity#10695

There are 10 instances of this issue:

AxelarGasService.sol#L123 AxelarDepositService.sol#L114 AxelarDepositService.sol#L168 AxelarDepositService.sol#L204 AxelarAuthWeighted.sol#L17 AxelarAuthWeighted.sol#L69 AxelarAuthWeighted.sol#L98 AxelarAuthWeighted.sol#L101 AxelarAuthWeighted.sol#L109 AxelarAuthWeighted.sol#L116

[G-05] No need to explicitly initialize variables with default values

If a variable is not set/initialized, it is assumed to have the default value (0 for uint, false for bool, address(0) for address…). Explicitly initializing it with its default value is an anti-pattern and wastes gas. As an example: for (uint256 i = 0; i < numIterations; ++i) { should be replaced with for (uint256 i; i < numIterations; ++i) {

There are 5 instances of this issue:

AxelarAuthWeighted.sol#L68-L69 AxelarAuthWeighted.sol#L94-L98

[G-06] x = x + y is cheaper than x += y

There are 2 instances of this issue:

AxelarAuthWeighted.sol#L70 AxelarAuthWeighted.sol#L105

[G-07] Usage of uints/ints smaller than 32 bytes (256 bits) incurs overhead

When using elements that are smaller than 32 bytes, your contract’s gas usage may be higher. This is because the EVM operates on 32 bytes at a time. Therefore, if the element is smaller than that, the EVM must use more operations in order to reduce the size of the element from 32 bytes to the desired size.

https://docs.soliditylang.org/en/v0.8.11/internals/layout_in_storage.html Use a larger size then downcast where needed

There is 1 instance of this issue:

AxelarAuthWeighted.sol#L14

[G-08] Use custom error rather than revert()/require() strings to save deployment gas

Custom errors are available from solidity version 0.8.4. The instances below match or exceed that version.

There are 15 instances of this issue

XC20Wrapper.sol Search for revert