Platform: Code4rena
Start Date: 04/01/2022
Pot Size: $75,000 USDC
Total HM: 17
Participants: 33
Period: 7 days
Judge: 0xean
Total Solo HM: 14
Id: 74
League: ETH
Rank: 5/33
Findings: 3
Award: $2,145.59
🌟 Selected for report: 4
🚀 Solo Findings: 1
🌟 Selected for report: danb
1703.8454 USDC - $1,703.85
danb
when a user mints new liquidity, if the pair doesn't already exist, it deploys it.
deploying a new contract on ethereum is super expensive, especially when it's such a large contract like TimeswapPair, it can cost thousands of dollars.
users who try to mint liquidity on a pair that doesn't exist will end up paying thousands of dollars.
If the pair doesn't exist, revert instead of deploying it. Deploying a new contract should be the user's choice, since it's so expensive.
#0 - Mathepreneur
2022-01-18T16:26:46Z
We plan to have a better documentation to show this behavior.
#1 - 0xean
2022-01-25T16:15:04Z
Downgrading to med risk, this isn't an attack vector and is working as designed. Funds aren't being lost or compromised in any way.
The issue is with the design, which could be potentially improved.
255.5768 USDC - $255.58
danb
the contract should receive ether only from weth,
consider adding:
require(msg.sender == weth);
#0 - Mathepreneur
2022-01-17T20:34:59Z
The msg.sender should also be able to send ETH into this contract too, for any ETH deposit related calls.
#1 - Mathepreneur
2022-01-18T16:37:59Z
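The guard suggested in this finding, shown as an added example that is not part of the finding or of the audited Timeswap code. The contract name, the `IWETH` interface and the balance bookkeeping are assumptions for illustration. The point it demonstrates is Solidity's dispatch rule: the `require(msg.sender == weth)` check in `receive()` only restricts bare ETH transfers (such as the one WETH makes during `withdraw`), while explicitly `payable` entry points still accept ETH from any caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal WETH surface used by this example (assumed interface, matches canonical WETH9).
interface IWETH {
    function deposit() external payable;
    function withdraw(uint256 amount) external;
}

// Hypothetical contract that wraps and unwraps ETH on behalf of users.
contract WethOnlyReceiver {
    IWETH public immutable weth;

    // Constructed per-user accounting so unwrap cannot pay out more than was deposited.
    mapping(address => uint256) public balance;

    constructor(IWETH _weth) {
        weth = _weth;
    }

    // Bare ETH transfers (no calldata) land here. The only legitimate sender of such a
    // transfer is the WETH contract returning ETH during weth.withdraw(); anything else
    // is rejected, which is the check proposed in the finding.
    receive() external payable {
        require(msg.sender == address(weth), "only WETH may send plain ETH");
    }

    // Deposit-style calls are payable functions, so they take ETH from any caller and
    // are not affected by the guard in receive().
    function depositETH() external payable {
        balance[msg.sender] += msg.value;
        weth.deposit{value: msg.value}();
    }

    // Unwrapping: WETH sends ETH back to this contract (hitting receive() with
    // msg.sender == weth), and the contract forwards it to the user.
    function withdrawETH(uint256 amount) external {
        require(balance[msg.sender] >= amount, "insufficient balance");
        balance[msg.sender] -= amount;
        weth.withdraw(amount);
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```

Because `receive()` has no `onlyWeth` path for deposits, a front end that sends ETH with empty calldata (for example a wallet "send" to the contract address) will see the transaction revert; deposits have to go through `depositETH` or another `payable` function, which is the behaviour the guard is meant to enforce.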
🌟 Selected for report: danb
93.0809 USDC - $93.08
danb
y <= x
can be removed
#0 - Mathepreneur
2022-01-17T20:31:36Z
🌟 Selected for report: danb
93.0809 USDC - $93.08
danb
deploying the same contract many times is very very expensive, consider using clones of openzeppelin: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v3.4.0/contracts/proxy/Clones.sol
#0 - Mathepreneur
2022-01-18T16:30:43Z
While it will be expensive to deploy a full contract, it will be cheaper in the long run, since each call to the contract will be cheaper in gas cost.
#1 - 0xean
2022-01-25T21:54:54Z
Marking as gas-optimization.