Nested Finance contest - defsec's results

The one-stop Defi app to build, manage and monetize your portfolio.

General Information

Platform: Code4rena

Start Date: 10/02/2022

Pot Size: $30,000 USDC

Total HM: 5

Participants: 24

Period: 3 days

Judge: harleythedog

Total Solo HM: 3

Id: 86

League: ETH

Nested Finance

Findings Distribution

Researcher Performance

Rank: 22/24

Findings: 1

Award: $75.57

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

75.5694 USDC - $75.57

Labels

bug
G (Gas Optimization)
sponsor acknowledged

C4-001 : Use of constant keccak variables results in extra hashing (and so gas)

Impact - Gas Optimization

This increases gas costs on all privileged operations.

Proof of Concept

  1. Navigate to the following contract function and lines:
     https://github.com/code-423n4/2022-02-nested/blob/main/contracts/abstracts/OwnableProxyDelegation.sol#L15
  2. This results in the keccak256 operation being performed whenever the variable is used, increasing gas costs relative to just storing the output hash. Changing the variable to immutable performs the hashing only at contract deployment, which saves gas.

See: ethereum/solidity#9232 (https://github.com/ethereum/solidity/issues/9232#issuecomment-646131646)

Tools Used

Code Review

Consider changing the variable to immutable rather than constant.

C4-002 : Use of _msgSender()

Impact

The use of _msgSender() when there is no implementation of a meta transaction mechanism that uses it, such as EIP-2771, very slightly increases gas consumption.

Proof of Concept

_msgSender() is utilized three times where msg.sender could have been used in the following function.

https://github.com/code-423n4/2022-02-nested/blob/main/contracts/abstracts/OwnableProxyDelegation.sol#L40

Tools Used

None

Replace _msgSender() with msg.sender if no mechanism supporting meta-transactions (such as EIP-2771) is implemented.

C4-003 : Immutable variables

Impact

Marking a variable as 'immutable' greatly reduces the gas cost of reading it. There are variables that never change after deployment, so they can be marked as immutable to reduce gas costs.

Proof of Concept

  1. For instance: https://github.com/code-423n4/2022-02-nested/blob/main/contracts/abstracts/OwnableProxyDelegation.sol#L18

Tools Used

Code Review

Mark variables as immutable.
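The following contract pair is an added illustration of the constant-versus-immutable point raised in C4-001 and C4-003; it is not code from the Nested Finance repository (the page only links to OwnableProxyDelegation.sol and does not reproduce it). The contract names, the slot label string and the storage layout are constructed for the example. Per the Solidity documentation, the expression assigned to a constant is copied to every place the constant is accessed and re-evaluated there, whereas an immutable is evaluated once at construction and the resulting value is embedded in the runtime bytecode.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// "Before" pattern (constructed example): the slot key is a `constant`
// initialised with a keccak256 expression. The compiler copies the
// expression to each use site, so the hash can be recomputed on every
// read of OWNER_SLOT unless the optimizer folds it.
contract SlotKeyConstant {
    // Hypothetical slot label; not the project's actual label.
    bytes32 internal constant OWNER_SLOT = keccak256("example.owner.slot");

    function owner() public view returns (address o) {
        bytes32 slot = OWNER_SLOT; // keccak256 expression evaluated here
        assembly {
            o := sload(slot)
        }
    }

    function _setOwner(address newOwner) internal {
        bytes32 slot = OWNER_SLOT; // and evaluated again here
        assembly {
            sstore(slot, newOwner)
        }
    }
}

// "After" pattern: the hash is computed exactly once, in the constructor,
// and the 32-byte result is written into the deployed bytecode. Each read
// is then a PUSH of the literal value, with no hashing at run time.
// Because immutables live in code rather than storage, they remain readable
// through delegatecall, which is what a proxy-delegation contract needs.
contract SlotKeyImmutable {
    bytes32 internal immutable OWNER_SLOT;

    constructor() {
        OWNER_SLOT = keccak256("example.owner.slot"); // hashed at deployment only
    }

    function owner() public view returns (address o) {
        // Immutables cannot be referenced directly inside inline assembly,
        // so copy the value into a stack variable first.
        bytes32 slot = OWNER_SLOT;
        assembly {
            o := sload(slot)
        }
    }

    function _setOwner(address newOwner) internal {
        bytes32 slot = OWNER_SLOT;
        assembly {
            sstore(slot, newOwner)
        }
    }
}
```

Two caveats a reviewer should attach to either finding. First, an immutable must be assigned exactly once, in the constructor (or at declaration); a variable that is written later, for example inside an initializer function of a contract used behind a proxy, cannot be made immutable, which is a common reason such a suggestion is rejected. Second, whether the constant form actually costs extra gas depends on the compiler version and optimizer settings in use, so the saving should be confirmed by compiling both variants with the project's own configuration and comparing the gas reports rather than assumed.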

#0 - maximebrugel

2022-02-17T13:27:57Z

"C4-001 : Use of constant keccak variables results in extra hashing (and so gas)" (Acknowledged)

"C4-002 : Use of _msgSender()" (Disputed)

In the examples, we need _msgSender().

"C4-003 : Immutable variables" (Disputed)

Very vague, and the example can't be immutable.

#1 - harleythedogC4

2022-03-06T20:03:54Z

My personal judgements:

  1. "Use of constant keccak variables results in extra hashing". This surfaced in a previous audit, but in a different part of the code. So this is Valid and small-optimization.
  2. "Use of _msgSender()". As sponsor describes above, Invalid.
  3. "Immutable variables". The example given is not valid, and it is the only example given. Invalid.

#2 - harleythedogC4

2022-03-13T06:16:41Z

Now, here is the methodology I used for calculating a score for each gas report. I first assigned each submission to be either small-optimization (1 point), medium-optimization (5 points) or large-optimization (10 points), depending on how useful the optimization is. The score of a gas report is the sum of these points, divided by the maximum number of points achieved by a gas report. This maximum number was 10 points, achieved by #67.

The number of points achieved by this report is 1 point. Thus the final score of this gas report is (1/10)*100 = 10.
