Platform: Code4rena
Start Date: 30/11/2021
Pot Size: $100,000 USDC
Total HM: 15
Participants: 36
Period: 7 days
Judge: 0xean
Total Solo HM: 4
Id: 62
League: ETH
Rank: 13/36
Findings: 2
Award: $2,625.09
🌟 Selected for report: 4
🚀 Solo Findings: 0
🌟 Selected for report: defsec
defsec
function flashLoan in contract Locke.sol does not return a boolean. flashLoan is declared as a function that should return a boolean value, however, in contract Locke there is no return statement so it always gets a default value of false (while base function always returns the opposite, a.k.a true).
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol
Go to the line - https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L723
Function does not return a value.
None
It should return super.flashLoan(...).
🌟 Selected for report: defsec
defsec
The ecrecover function is used in permit() to recover the address from the signature. The built-in EVM precompile ecrecover is susceptible to signature malleability which could lead to replay attacks (references: https://swcregistry.io/docs/SWC-117, https://swcregistry.io/docs/SWC-121 and https://medium.com/cryptronics/signature-replay-vulnerabilities-in-smart-contracts-3b6f7596df57).
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/LockeERC20.sol#L156
None
Consider using OpenZeppelin’s ECDSA library (which prevents this malleability) instead of the built-in function.
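The hardening this finding recommends, written out as an added example (not code from LockeERC20.sol or from OpenZeppelin): a recover helper that rejects the second, high-s encoding of a signature before calling ecrecover, used from a permit-style function. `StrictRecover`, `PermitSketch` and the EIP-712 domain name are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration: StrictRecover and PermitSketch are hypothetical names.
library StrictRecover {
    // Half the secp256k1 group order n. If (v, r, s) is valid, so is (r, n - s)
    // with v flipped between 27 and 28; accepting only low s leaves one encoding.
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    function recover(bytes32 digest, uint8 v, bytes32 r, bytes32 s)
        internal pure returns (address signer)
    {
        require(uint256(s) <= HALF_N, "sig: high s");
        require(v == 27 || v == 28, "sig: bad v");
        signer = ecrecover(digest, v, r, s);
        // ecrecover returns address(0) on failure instead of reverting.
        require(signer != address(0), "sig: invalid");
    }
}

contract PermitSketch {
    mapping(address => uint256) public nonces;
    mapping(address => mapping(address => uint256)) public allowance;
    bytes32 public immutable DOMAIN_SEPARATOR;
    bytes32 private constant PERMIT_TYPEHASH = keccak256(
        "Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)");

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("PermitSketch"), keccak256("1"), block.chainid, address(this)));
    }

    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external {
        require(block.timestamp <= deadline, "permit: expired");
        // The per-owner nonce makes each signed message single-use.
        bytes32 structHash = keccak256(abi.encode(
            PERMIT_TYPEHASH, owner, spender, value, nonces[owner]++, deadline));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
        require(StrictRecover.recover(digest, v, r, s) == owner, "permit: bad signer");
        allowance[owner][spender] = value;
    }
}
```

The nonce prevents the same signed message from being accepted twice; the low-s check matters wherever the raw signature bytes themselves are used as a uniqueness key.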
🌟 Selected for report: defsec
805.8152 USDC - $805.82
defsec
Stream protocol allows different tokens to be used as collateral or underlying. The Dex contracts do not appear to support rebasing/deflationary/inflationary tokens whose balance changes during transfers or over time. The necessary checks include at least verifying the amount of tokens transferred to contracts before and after the actual transfer to infer any fees/interest.
Stream whitelists a rebasing/deflationary/inflationary token to be used as collateral or underlying by accident. This leads to miscalculations between internal Pool accounting and the balances in the token contracts.
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L424
Code Review
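The before/after balance check this finding describes, as an added example (not code from Locke.sol): a deposit that credits the requested amount next to one that credits only what arrived. `DepositSketch`, `IERC20Like` and all field names are hypothetical, and the token is assumed to return a bool from `transferFrom`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

interface IERC20Like {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}

// Added illustration: DepositSketch and its fields are hypothetical, not Locke's code.
contract DepositSketch {
    IERC20Like public immutable token;
    uint256 public totalCredited;
    mapping(address => uint256) public credited;

    constructor(IERC20Like _token) { token = _token; }

    // Naive: credits the requested amount. With a fee-on-transfer token the
    // contract receives less than `amount`, so the ledger exceeds the real balance.
    function depositNaive(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        credited[msg.sender] += amount;
        totalCredited += amount;
    }

    // Measured: credits only what actually arrived.
    function depositMeasured(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        received = token.balanceOf(address(this)) - before; // reverts if balance fell
        require(received > 0, "nothing received");
        credited[msg.sender] += received;
        totalCredited += received;
    }

    // Rebasing tokens change balances between calls; this view exposes drift
    // between the ledger and the live balance so it can be monitored.
    function drift() external view returns (int256) {
        return int256(token.balanceOf(address(this))) - int256(totalCredited);
    }
}
```

The measured deposit handles transfer fees; a rebasing token still needs either an explicit exclusion from the whitelist or share-based accounting, since its balance moves without any transfer.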
defsec
Using newer compiler versions and the optimizer gives gas optimizations, and additional safety checks are available for free.
The advantages of versions 0.8.* over <0.8.0 are:
"All Contracts"
None
Consider upgrading the pragma to at least 0.8.4.
#0 - brockelmore
2021-12-06T17:02:41Z
duplicate #103.
Note @ judges. This duplicate looks like this user may be trying to sybil.
defsec
This does not directly impact the smart contract in any way besides cost. This is a gas optimization to reduce the cost of the smart contract. Calling each function, we can see that the public function uses 496 gas, while the external function uses only 261.
According to Slither Analyzer documentation (https://github.com/crytic/slither/wiki/Detector-Documentation#public-function-that-could-be-declared-external), there are functions in the contract that are never called. These functions should be declared as external in order to save gas.
Slither Detector:
external-function:
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L532
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L516
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L500
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L487
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L455
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L417
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L377
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L365
Slither
#0 - 0xean
2022-01-17T13:44:10Z
dupe of #260
18.2633 USDC - $18.26
defsec
For the arithmetic operations that will never over/underflow, using the unchecked directive (Solidity v0.8 has default overflow/underflow checks) can save some gas from the unnecessary internal over/underflow checks.
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L360
None
Consider applying unchecked arithmetic where overflow/underflow is not possible.
#0 - 0xean
2022-01-17T13:42:20Z
dupe of #238
🌟 Selected for report: defsec
defsec
Various projects (e.g. Uniswap - https://github.com/Uniswap/interface/blob/main/src/hooks/useApproveCallback.ts#L88, using the constant MaxUint256 from ethers.js) set the default value of the user's allowance to 2^256 - 1. Now the value 2^256 - 1 can also be represented in hex as 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. From Ethereum's yellow paper we know that zeros are cheaper than non-zero values in the hex representation. Considering this fact, an alternative choice could be now 0x8000000000000000000000000000000000000000000000000000000000000000 or 2^255 to represent "infinity". If you do the calculations with Remix, you will see that the former costs 47'872 gas, while the latter costs 45'888 gas. If you accept that infinity can also be represented via 2^255 (instead of 2^256-1) - and I think most projects can live with that - you can already save 1'984 gas (or 4.1%) leveraging this optimisation trick.
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/LockeERC20.sol#L113
Code Review
Change 2^256-1 to 2^255.
https://ethereum.github.io/yellowpaper/paper.pdf
https://forum.openzeppelin.com/t/a-collection-of-gas-optimisation-tricks/19966