Platform: Code4rena
Start Date: 03/02/2022
Pot Size: $75,000 USDC
Total HM: 42
Participants: 52
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 21
Id: 83
League: ETH
Rank: 35/52
Findings: 3
Award: $223.07
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: mtz
Also found by: 0x1f8b, Czar102, GalloDaSballo, GeekyLumberjack, Randyyy, Rhynorater, Ruhum, ShadowyNoobDev, bitbopper, cccz, cmichel, csanuragjain, danb, gzeon, hickuphh3, hyh, leastwood
31.0722 USDC - $31.07
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/Shelter.sol#L52:L58
Multiple withdraws can reduce total supply in shelter
The shelter saves that a user has withdrawn, but never checks it to prevent multiple withdraws.
https://github.com/code-423n4/2022-02-concur/blob/72b5216bfeaa7c52983060ebfc56e72e0aa8e3b0/contracts/Shelter.sol#L55
https://github.com/code-423n4/2022-02-concur/blob/72b5216bfeaa7c52983060ebfc56e72e0aa8e3b0/contracts/Shelter.sol#L53
Check if the user has already withdrawn from the shelter in the mentioned line L53.
I am assuming here that the shelter client is not backstopping multiple withdraws. Multiple reasons for me to believe so:
(https://github.com/code-423n4/2022-02-concur/tree/shelter-client) given by leekt216 in discord does not backstop multiple withdraws.
L55. Saving in an unreleased ShelterClient and in Shelter.sol plus emitting an Event in https://github.com/code-423n4/2022-02-concur/blob/72b5216bfeaa7c52983060ebfc56e72e0aa8e3b0/contracts/Shelter.sol#L56 would be wasteful.
#0 - r2moon
2022-02-18T01:42:52Z
#1 - GalloDaSballo
2022-04-19T01:08:42Z
Dup of #246
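The pattern this finding describes, next to a guarded version, as an added Solidity sketch that is not the audited Shelter.sol or any code from the contest repository. The contract, function and event names, the per-caller flag and the pro-rata payout formula are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration with hypothetical names; not the audited contract.
interface IERC20Min {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ShelterSketch {
    IERC20Min public immutable token;
    uint256 public immutable savedTokens; // amount held by the shelter (assumed pre-funded)
    uint256 public totalShare;            // sum of all users' shares
    mapping(address => uint256) public shareOf;
    mapping(address => bool) public claimed;

    event Withdrawn(address indexed user, address indexed to, uint256 amount);

    constructor(IERC20Min _token, uint256 _saved, address[] memory users, uint256[] memory shares) {
        require(users.length == shares.length, "length mismatch");
        token = _token;
        savedTokens = _saved;
        for (uint256 i = 0; i < users.length; i++) {
            shareOf[users[i]] += shares[i];
            totalShare += shares[i];
        }
    }

    // Pattern the finding describes: the flag is written but never read,
    // so the same pro-rata amount is paid out on every call.
    function withdrawUnchecked(address to) external {
        uint256 amount = (savedTokens * shareOf[msg.sender]) / totalShare;
        claimed[msg.sender] = true;
        emit Withdrawn(msg.sender, to, amount);
        require(token.transfer(to, amount), "transfer failed");
    }

    // Guarded form: read the flag before paying and set it before the external call.
    function withdraw(address to) external {
        require(!claimed[msg.sender], "already claimed");
        uint256 amount = (savedTokens * shareOf[msg.sender]) / totalShare;
        claimed[msg.sender] = true;
        emit Withdrawn(msg.sender, to, amount);
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

A useful invariant to assert in tests for this kind of contract is that the sum of all amounts paid out never exceeds `savedTokens`.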
🌟 Selected for report: hickuphh3
Also found by: 0x1f8b, 0xw4rd3n, BouSalman, CertoraInc, Czar102, Dravee, IllIllI, Randyyy, Rhynorater, Ruhum, ShadowyNoobDev, Sleepy, SolidityScan, WatchPug, bitbopper, cccz, cryptphi, csanuragjain, defsec, gzeon, harleythedog, hubble, hyh, kenta, kirk-baird, leastwood, mtz, pauliax, peritoflores, rfa, robee, samruna, throttle, wuwe1, ye0lde
125.0194 USDC - $125.02
https://github.com/code-423n4/2022-02-concur/blob/72b5216bfeaa7c52983060ebfc56e72e0aa8e3b0/contracts/VoteProxy.sol#L28:L36
#0 - GalloDaSballo
2022-04-21T16:55:54Z
Agree as non-critical / informational finding
#1 - GalloDaSballo
2022-04-27T14:55:00Z
0.5
🌟 Selected for report: WatchPug
Also found by: 0x0x0x, 0x1f8b, 0x510c, 0xNot0rious, 0xngndev, BouSalman, CertoraInc, Dravee, Heartless, IllIllI, Jujic, Randyyy, Ruhum, ShadowyNoobDev, Sleepy, SolidityScan, Tomio, bitbopper, csanuragjain, defsec, gzeon, hickuphh3, kenta, mtz, pauliax, peritoflores, rfa, robee, sabtikw, throttle, wuwe1, ye0lde
66.977 USDC - $66.98
https://github.com/code-423n4/2022-02-concur/blob/72b5216bfeaa7c52983060ebfc56e72e0aa8e3b0/contracts/USDMPegRecovery.sol#L24
https://github.com/code-423n4/2022-02-concur/blob/72b5216bfeaa7c52983060ebfc56e72e0aa8e3b0/contracts/USDMPegRecovery.sol#L22
https://github.com/code-423n4/2022-02-concur/blob/72b5216bfeaa7c52983060ebfc56e72e0aa8e3b0/contracts/StakingRewards.sol#L19
https://github.com/code-423n4/2022-02-concur/blob/72b5216bfeaa7c52983060ebfc56e72e0aa8e3b0/contracts/StakingRewards.sol#L20
#0 - GalloDaSballo
2022-03-30T00:26:43Z
Remove variable: Should save the cost of one SSTORE, which is 20k gas
Make variable immutable: The warden could have made a killing here had they spent the extra time linking all the instances. Because they just linked the variables, will give each of the findings one SLOAD value: 2100 * 3
Total Gas saved: 26300
Due to the simplicity, the report doesn't require formatting
#1 - GalloDaSballo
2022-04-02T13:26:06Z
Am changing the way I calculate gas savings to mostly run-time, so am removing the 20k gas. New total is 6300