Platform: Code4rena
Start Date: 15/06/2022
Pot Size: $30,000 USDC
Total HM: 5
Participants: 55
Period: 3 days
Judge: Jack the Pug
Id: 138
League: ETH
Rank: 32/55
Findings: 2
Award: $86.84
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xFar5eer, 0xNazgul, 0xNineDec, 242, Chom, Czar102, Funen, GimelSec, Meera, Picodes, Sm4rty, Tadashi, TerrierLover, Waze, _Adam, a12jmx, asutorufos, codexploder, cryptphi, defsec, gzeon, hyh, joestakey, minhquanym, oyc_109, reassor, robee, saian, sorrynotsorry, unforgiven, zzzitron
57.5155 USDC - $57.52
Contract: https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L391
Issue: The performUpkeep can use checkUpkeep to understand if upkeepNeeded is needed or not. Otherwise performUpkeep will simply fail
Recommendation: Add below check:
function performUpkeep(bytes calldata performData) external { (bool check,) =checkUpkeep(performData); if(check) LOCKER.processExpiredLocks(false); }
Contract: https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L136
Issue: In function _isTendable, Instead of hardcoding false/true, use a variable which can allow/disallow tending on calling this function
Recommendation: Add a new function like below:
bool tendable; function setTendable(bool value) internal pure override returns (bool) { _onlyGovernanceOrStrategist(); tendable=value; } function _isTendable() internal pure override returns (bool) { return tendable; // Change to true if the strategy should be tended }
Contract: https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L107
Issue: In function sweepRewardToken, Comment mentions "because token paths are hardcoded, this function is safe to be called by anyone" but still restriction is placed and this function is only callable by _onlyGovernanceOrStrategist
Recommendation: If this is meant for external use remove the restriction for _onlyGovernanceOrStrategist
Contract: https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L79
Issue: In function manualSetDelegate, Zero address check is missing while setting delegate. Same fix required for setBribesProcessor
Recommendation: Check if provided delegate is not address(0)
require(delegate!=address(0);,"Incorrect address");
Contract: https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L182
Issue: The name of function is giving wrong impression. This function is not withdrawing anything and is just checking whether contract holding is empty now.
Recommendation: Change the function name to isHoldingEmpty or something which clearly states functionality
Contract: https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L1
Issue: Too many functions are present which are processing locked balances like manualProcessExpiredLocks, performUpkeep.
Recommendation: Remove extra function like manualProcessExpiredLocks which can be replaced with performUpkeep
#0 - GalloDaSballo
2022-06-19T01:37:05Z
Disagree per the Chainlink documentation
Hardcoding saves gas ser
##Â Incorrect Function implementation Disagree that is incorrect as we opted to have the check while trying to build it with the goal of opening up one day
Quantstamp would agree
Check Vault1.5
Probably a good idea to remove the extra stuff
29.3239 USDC - $29.32
Contract: https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L396
Issue: The _getBalance and _getPricePerFullShare can be marked as view
Recommendation: Change the function as below:
function _getBalance() internal view returns (uint256) { return IVault(vault).balance(); } function _getPricePerFullShare() internal view returns (uint256) { return IVault(vault).getPricePerFullShare(); }
Make use of ++i which is unchecked instead of i++ in loops. This will prevent gas on each loop run. One such example is at MyStrategy.sol#L116
#0 - GalloDaSballo
2022-06-19T01:35:06Z
I don't believe this saves gas
CALL and STATICCALL cost 100 both
Saves 5 gas per instance