Back to catchup's contests

Backd Tokenomics contest - catchup's results

Maximize the power of your assets and start earning yield

General Information

Platform: Code4rena

Start Date: 27/05/2022

Pot Size: $75,000 USDC

Total HM: 20

Participants: 58

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 15

Id: 131

League: ETH

Backd

Findings Distribution

Researcher Performance

Rank: 39/58

Findings: 2

Award: $171.45

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryBackd

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x29A, 0xNazgul, 0xf15ers, BowTiedWardens, Chom, Funen, Kaiziron, Kumpa, MiloTruck, Picodes, Ruhum, SecureZeroX, Sm4rty, SmartSek, StyxRave, WatchPug, Waze, asutorufos, bardamu, berndartmueller, c3phas, catchup, cccz, codexploder, cryptphi, defsec, delfin454000, dipp, fatherOfBlocks, gzeon, hake, hansfriese, hyh, masterchief, oyc_109, sach1r0, sashik_eth, shenwilly, simon135, unforgiven

Awards

113.5243 USDC - $113.52

Labels

bug
QA (Quality Assurance)
resolved
sponsor confirmed

External Links

Link to GitHub issue

Each event can have up to three indexed fields.

The address arguments of the below events can be made indexed.

Lines of code

https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/FeeBurner.sol#L29 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/interfaces/vendor/ICvxLocker.sol#L54 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/Minter.sol#L58 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/zaps/PoolMigrationZap.sol#L18

Use scientific notation (for example; 1E9) for large multiples of 10 to improve readability

Lines of code

https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/utils/CvxMintAmount.sol#L10-L12

Missing NatSpec comments

Many functions have no NatSpec comments at all. Even the functions which have NatSpec comments are missing @param, @return values.

Lines of code

Just a few examples. Below functions have no NatSpec: https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/KeeperGauge.sol#L110 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/utils/CvxMintAmount.sol#L16 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L56

#0 - GalloDaSballo

2022-06-20T15:42:42Z

Each event can have up to three indexed fields.

Informational and valid

Use scientific notation (for example; 1E9) for large multiples of 10 to improve readability

Personally don't mind either option

Missing NatSpec comments

Valid and non-critical

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, Chom, Dravee, Fitraldys, Funen, Kaiziron, MiloTruck, Picodes, Randyyy, RoiEvenHaim, SecureZeroX, Sm4rty, SmartSek, StyxRave, Tadashi, Tomio, Waze, asutorufos, berndartmueller, c3phas, catchup, csanuragjain, defsec, delfin454000, djxploit, fatherOfBlocks, gzeon, hake, hansfriese, oyc_109, robee, sach1r0, sashik_eth, scaraven, simon135

Awards

57.93 USDC - $57.93

Labels

bug
G (Gas Optimization)
resolved
sponsor confirmed

External Links

Link to GitHub issue

Using != 0 is cheaper than > 0 when used on a uint in a require() statement with the optimizer enabled

Lines of code

https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L104 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L125 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/BkdLocker.sol#L91-L92 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/BkdLocker.sol#L137 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/KeeperGauge.sol#L140 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L84

Unnecessary variable definition in BkdLocker.sol, executeUnlocks() function

"length" is assigned to "i" and "i" is used for further operations, however "length" is never accessed again. Therefore, "length" can be directly used. Can be changed from this:

        uint256 i = length;					//@audit gas no need to assign to i, directly use length
        while (i > 0) {
            i = i - 1;
            if (stashedWithdraws[i].releaseTime <= block.timestamp) {
                totalAvailableToWithdraw += stashedWithdraws[i].amount;

                stashedWithdraws[i] = stashedWithdraws[stashedWithdraws.length - 1];

                stashedWithdraws.pop();
            }
        }

To this:

        while (length > 0) {
            length--;
            if (stashedWithdraws[length].releaseTime <= block.timestamp) {
                totalAvailableToWithdraw += stashedWithdraws[length].amount;

                stashedWithdraws[length] = stashedWithdraws[stashedWithdraws.length - 1];

                stashedWithdraws.pop();
            }
        }

for index can be made unchecked

All the for indexes are made unchecked except this one.

Lines of code

https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/zaps/PoolMigrationZap.sol#L22

Redundant initialisation to default value

keeperGaugeExists initialised with default value.

Lines of code

https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/InflationManager.sol#L412

Public state variables and immutables can be made private

Most of the public state variables, immutables and constants do not need to be public. Hence, they can be private to save gas.

Lines of code

There are many instances, for example; https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/Minter.sol#L25-L53 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L25-L32

Execution of strict inequalities are cheaper than non-strict inequalities

Lines of code

https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/utils/CvxMintAmount.sol#L24 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/Minter.sol#L190

Prefix increment/decrements are cheaper than postfix

Lines of code

https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/KeeperGauge.sol#L59 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/KeeperGauge.sol#L98

#0 - GalloDaSballo

2022-06-17T23:54:48Z

Using != 0 is cheaper than > 0 when used on a uint in a require() statement with the optimizer enabled

3 per instance 6 * 3 = 18

Unnecessary variable definition in BkdLocker.sol, executeUnlocks() function

Saves 6 gas

for index can be made unchecked

20

Redundant initialisation to default value

3 gas

Public state variables and immutables can be made private

Personally disagree but also doesn't save runtime gas

Execution of strict inequalities are cheaper than non-strict inequalities

3 gas per instance 6

Prefix increment/decrements are cheaper than postfix

5 per instance 10

Total Gas Saved 63

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter