Platform: Code4rena
Start Date: 29/06/2022
Pot Size: $50,000 USDC
Total HM: 20
Participants: 133
Period: 5 days
Judge: hickuphh3
Total Solo HM: 1
Id: 142
League: ETH
Rank: 43/133
Findings: 3
Award: $130.46
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: xiaoming90
Also found by: 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xSolus, 0xf15ers, 0xsanson, AmitN, Bnke0x0, BowTiedWardens, Chom, David_, ElKu, Funen, GalloDaSballo, GimelSec, Hawkeye, IllIllI, JC, JohnSmith, Kaiziron, Kenshin, Lambda, Limbooo, MadWookie, Metatron, MiloTruck, Nethermind, Picodes, ReyAdmirado, Sneakyninja0129, StErMi, TomJ, Treasure-Seeker, TrungOre, Waze, Yiko, _Adam, __141345__, antonttc, async, aysha, catchup, cccz, cryptphi, csanuragjain, danb, datapunk, defsec, delfin454000, dirk_y, doddle0x, durianSausage, exd0tpy, fatherOfBlocks, gogo, hake, hansfriese, horsefacts, hubble, itsmeSTYJ, joestakey, oyc_109, pedroais, peritoflores, rajatbeladiya, reassor, robee, rokinot, samruna, saneryee, sashik_eth, shenwilly, shung, simon135, sseefried, unforgiven, zer0dot, zzzitron
49.346 USDC - $49.35
The protocol is using low level calls with solidity version 0.8.9 which can result in optimizer bug.
https://medium.com/certora/overly-optimistic-optimizer-certora-bug-disclosure-2101e3f7994d
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/LiquidityReserve.sol#L2
Code Review
Consider upgrading to solidity 0.8.15.
The critical procedures should be two step process. The contracts inherit OpenZeppelin's Ownable contract which enables the onlyOwner role to transfer ownership to another address. It's possible that the onlyOwner role mistakenly transfers ownership to the wrong address, resulting in a loss of the onlyOwner role. The current ownership transfer process involves the current owner calling Unlock.transferOwnership(). This function checks the new owner is not the zero address and proceeds to write the new owner's address into the owner's state variable. If the nominated EOA account is not a valid account, it is entirely possible the owner may accidentally transfer ownership to an uncontrolled account, breaking all functions with the onlyOwner() modifier. Lack of two-step procedure for critical operations leaves them error-prone if the address is incorrect, the new address will take on the functionality of the new role immediately
for Ex : -Alice deploys a new version of the whitehack group address. When she invokes the whitehack group address setter to replace the address, she accidentally enters the wrong address. The new address now has access to the role immediately and is too late to revert
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L53
Code Review
Lack of two-step procedure for critical operations leaves them error-prone. Consider adding two step procedure on the critical functions.
Block timestamps have historically been used for a variety of applications, such as entropy for random numbers (see the Entropy Illusion for further details), locking funds for periods of time, and various state-changing conditional statements that are time-dependent. Miners have the ability to adjust timestamps slightly, which can prove to be dangerous if block timestamps are used incorrectly in smart contracts.
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L290
Manual Code Review
Block timestamps should not be used for entropy or generating random numbers—i.e., they should not be the deciding factor (either directly or through some derivation) for winning a game or changing an important state.
Time-sensitive logic is sometimes required; e.g., for unlocking contracts (time-locking), completing an ICO after a few weeks, or enforcing expiry dates. It is sometimes recommended to use block.number and an average block time to estimate times; with a 10 second block time, 1 week equates to approximately, 60480 blocks. Thus, specifying a block number at which to change a contract state can be more secure, as miners are unable to easily manipulate the block number.
Putty protocol do not appear to support rebasing/deflationary/inflationary tokens whose balance changes during transfers or over time. The necessary checks include at least verifying the amount of tokens transferred to contracts before and after the actual transfer to infer any fees/interest.
During the NFT operations, If the inflationary/deflationary tokens are used excepted amount will be lower than deposit.
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L324
Manual Code Review
When smart contracts are deployed or functions inside them are called, the execution of these actions always requires a certain amount of gas, based of how much computation is needed to complete them. The Ethereum network specifies a block gas limit and the sum of all transactions included in a block can not exceed the threshold.
Programming patterns that are harmless in centralized applications can lead to Denial of Service conditions in smart contracts when the cost of executing a function exceeds the block gas limit. Modifying an array of unknown size, that increases in size over time, can lead to such a Denial of Service condition.
2022-06-putty-main/contracts/src/PuttyV2.sol::556 => for (uint256 i = 0; i < orders.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::594 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::598 => require(token.code.length > 0, "ERC20: Token is not contract"); 2022-06-putty-main/contracts/src/PuttyV2.sol::611 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::627 => for (uint256 i = 0; i < floorTokens.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::637 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::647 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::658 => for (uint256 i = 0; i < floorTokens.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::670 => for (uint256 i = 0; i < whitelist.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::728 => for (uint256 i = 0; i < arr.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::742 => for (uint256 i = 0; i < arr.length; i++) {
Code Review
Caution is advised when you expect to have large arrays that grow over time. Actions that require looping across the entire data structure should be avoided.
If you absolutely must loop over an array of unknown size, then you should plan for it to potentially take multiple blocks, and therefore require multiple transactions.
The re-entrancy guard is missing on the some of the functions. The external interactions can cause to the re-entrancy vulnerability.
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L268 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L389
Code Review
Follow the check effect interaction pattern or put re-entrancy guard.
_mint() (https://github.com/OpenZeppelin/openzeppelin-contracts/blob/d4d8d2ed9798cc3383912a23b5e8d5cb602f7d4b/contracts/token/ERC721/ERC721.sol#L271) is discouraged in favor of _safeMint() (https://github.com/Rari-Capital/solmate/blob/4eaf6b68202e36f67cab379768ac6be304c8ebde/src/tokens/ERC721.sol#L180) which ensures that the recipient is either an EOA or implements IERC721Receiver. Both open OpenZeppelin and solmate have versions of this function so that NFTs aren’t lost if they’re minted to contracts that cannot transfer them back out.
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L303 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L308
Code Review
Use _safeMint() instead of _mint().
#0 - outdoteth
2022-07-07T18:30:53Z
C4-007 : # _safeMint() should be used rather than _mint() wherever possible
Duplicate: Contracts that can’t handle ERC721 tokens will lose their Putty ERC721 position tokens: https://github.com/code-423n4/2022-06-putty-findings/issues/327
#1 - HickupHH3
2022-07-15T09:39:33Z
C4-005 : # DoS With Block Gas Limit
could have been a dup of #227, but fails to mention the key point regarding the loss of assets due to failure to exercise option.
🌟 Selected for report: GalloDaSballo
Also found by: 0v3rf10w, 0x1f8b, 0xA5DF, 0xDjango, 0xHarry, 0xKitsune, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xkatana, 0xsanson, ACai, Aymen0909, Bnke0x0, BowTiedWardens, Chom, ElKu, Fitraldys, Funen, Haruxe, Hawkeye, IllIllI, JC, JohnSmith, Kaiziron, Kenshin, Lambda, Limbooo, MadWookie, Metatron, MiloTruck, Picodes, PwnedNoMore, Randyyy, RedOneN, ReyAdmirado, Ruhum, Sm4rty, StErMi, StyxRave, TerrierLover, TomJ, Tomio, UnusualTurtle, Waze, Yiko, _Adam, __141345__, ajtra, ak1, apostle0x01, asutorufos, c3phas, cRat1st0s, catchup, codetilda, cryptphi, datapunk, defsec, delfin454000, durianSausage, exd0tpy, fatherOfBlocks, gogo, grrwahrr, hake, hansfriese, horsefacts, ignacio, jayfromthe13th, joestakey, ladboy233, m_Rassska, mektigboy, minhquanym, mrpathfindr, natzuu, oyc_109, rajatbeladiya, reassor, rfa, robee, rokinot, sach1r0, saian, sashik_eth, simon135, slywaters, swit, z3s, zeesaw, zer0dot
45.9231 USDC - $45.92
[S]: Suggested optimation, save a decent amount of gas without compromising readability;
[M]: Minor optimation, the amount of gas saved is minor, change when you see fit;
[N]: Non-preferred, the amount of gas saved is at cost of readability, only apply when gas saving is a top priority.
> 0 can be replaced with != 0 for gas optimization [S]Shortening revert strings to fit in 32 bytes will decrease deploy time gas and will decrease runtime gas when the revert condition has been met.
Revert strings that are longer than 32 bytes require at least one additional mstore, along with additional overhead for computing memory offset, etc.
Revert strings > 32 bytes are here:
2022-06-putty-main/contracts/src/PuttyV2.sol::284 => require(order.whitelist.length == 0 || isWhitelisted(order.whitelist, msg.sender), "Not whitelisted"); 2022-06-putty-main/contracts/src/PuttyV2.sol::293 => require(order.baseAsset.code.length > 0, "baseAsset is not contract"); 2022-06-putty-main/contracts/src/PuttyV2.sol::295 => // check floor asset token ids length is 0 unless the order type is call and side is long 2022-06-putty-main/contracts/src/PuttyV2.sol::297 => ? require(floorAssetTokenIds.length == order.floorTokens.length, "Wrong amount of floor tokenIds") 2022-06-putty-main/contracts/src/PuttyV2.sol::298 => : require(floorAssetTokenIds.length == 0, "Invalid floor tokens length"); 2022-06-putty-main/contracts/src/PuttyV2.sol::403 => // check floor asset token ids length is 0 unless the position type is put 2022-06-putty-main/contracts/src/PuttyV2.sol::405 => ? require(floorAssetTokenIds.length == order.floorTokens.length, "Wrong amount of floor tokenIds") 2022-06-putty-main/contracts/src/PuttyV2.sol::406 => : require(floorAssetTokenIds.length == 0, "Invalid floor tokenIds length"); 2022-06-putty-main/contracts/src/PuttyV2.sol::551 => require(orders.length == signatures.length, "Length mismatch in input"); 2022-06-putty-main/contracts/src/PuttyV2.sol::552 => require(signatures.length == floorAssetTokenIds.length, "Length mismatch in input");
Manual Review
Shorten the revert strings to fit in 32 bytes. That will affect gas optimization.
For the arithmetic operations that will never over/underflow, using the unchecked directive (Solidity v0.8 has default overflow/underflow checks) can save some gas from the unnecessary internal over/underflow checks.
2022-06-putty-main/contracts/src/PuttyV2.sol::556 => for (uint256 i = 0; i < orders.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::594 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::598 => require(token.code.length > 0, "ERC20: Token is not contract"); 2022-06-putty-main/contracts/src/PuttyV2.sol::611 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::627 => for (uint256 i = 0; i < floorTokens.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::637 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::647 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::658 => for (uint256 i = 0; i < floorTokens.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::670 => for (uint256 i = 0; i < whitelist.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::728 => for (uint256 i = 0; i < arr.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::742 => for (uint256 i = 0; i < arr.length; i++) {
None
Consider applying unchecked arithmetic where overflow/underflow is not possible. Example can be seen from below.
Unchecked{i++};
Since _amount can be 0. Checking if (_amount != 0) before the transfer can potentially save an external call and the unnecessary gas cost of a 0 token transfer.
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L503
All Contracts
None
Consider checking amount != 0.
Using double require instead of operator && can save more gas.
2022-06-putty-main/contracts/src/PuttyV2.sol:296: order.isCall && order.isLong 2022-06-putty-main/contracts/src/PuttyV2.sol:311: if (order.isLong && order.isCall) { 2022-06-putty-main/contracts/src/PuttyV2.sol:327: if (weth == order.baseAsset && msg.value > 0) { 2022-06-putty-main/contracts/src/PuttyV2.sol:343: if (!order.isLong && !order.isCall) { 2022-06-putty-main/contracts/src/PuttyV2.sol:349: if (order.isLong && !order.isCall) { 2022-06-putty-main/contracts/src/PuttyV2.sol:351: if (weth == order.baseAsset && msg.value > 0) { 2022-06-putty-main/contracts/src/PuttyV2.sol:367: if (!order.isLong && order.isCall) { 2022-06-putty-main/contracts/src/PuttyV2.sol:374: if (order.isLong && order.isCall) { 2022-06-putty-main/contracts/src/PuttyV2.sol:427: if (weth == order.baseAsset && msg.value > 0) { 2022-06-putty-main/contracts/src/PuttyV2.sol:495: if ((order.isCall && isExercised) || (!order.isCall && !isExercised)) { 2022-06-putty-main/contracts/src/PuttyV2.sol:509: if ((order.isCall && !isExercised) || (!order.isCall && isExercised)) {
Code Review
Example
using &&: function check(uint x)public view{ require(x == 0 && x < 1 ); } // gas cost 21630 using double require: require(x == 0 ); require( x < 1); } } // gas cost 21622
Strict inequalities add a check of non equality which costs around 3 gas.
2022-06-putty-main/contracts/src/PuttyV2.sol::556 => for (uint256 i = 0; i < orders.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::594 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::598 => require(token.code.length > 0, "ERC20: Token is not contract"); 2022-06-putty-main/contracts/src/PuttyV2.sol::611 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::627 => for (uint256 i = 0; i < floorTokens.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::637 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::647 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::658 => for (uint256 i = 0; i < floorTokens.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::670 => for (uint256 i = 0; i < whitelist.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::728 => for (uint256 i = 0; i < arr.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::742 => for (uint256 i = 0; i < arr.length; i++) {
Code Review
Use >= or <= instead of > and < when possible.
Custom errors from Solidity 0.8.4 are cheaper than revert strings (cheaper deployment cost and runtime cost when the revert condition is met)
Source Custom Errors in Solidity:
Starting from Solidity v0.8.4, there is a convenient and gas-efficient way to explain to users why an operation failed through the use of custom errors. Until now, you could already use strings to give more information about failures (e.g., revert("Insufficient funds.");), but they are rather expensive, especially when it comes to deploy cost, and it is difficult to use dynamic information in them.
Custom errors are defined using the error statement, which can be used inside and outside of contracts (including interfaces and libraries).
Instances include:
2022-06-putty-main/contracts/src/PuttyV2.sol::284 => require(order.whitelist.length == 0 || isWhitelisted(order.whitelist, msg.sender), "Not whitelisted"); 2022-06-putty-main/contracts/src/PuttyV2.sol::293 => require(order.baseAsset.code.length > 0, "baseAsset is not contract"); 2022-06-putty-main/contracts/src/PuttyV2.sol::295 => // check floor asset token ids length is 0 unless the order type is call and side is long 2022-06-putty-main/contracts/src/PuttyV2.sol::297 => ? require(floorAssetTokenIds.length == order.floorTokens.length, "Wrong amount of floor tokenIds") 2022-06-putty-main/contracts/src/PuttyV2.sol::298 => : require(floorAssetTokenIds.length == 0, "Invalid floor tokens length"); 2022-06-putty-main/contracts/src/PuttyV2.sol::403 => // check floor asset token ids length is 0 unless the position type is put 2022-06-putty-main/contracts/src/PuttyV2.sol::405 => ? require(floorAssetTokenIds.length == order.floorTokens.length, "Wrong amount of floor tokenIds") 2022-06-putty-main/contracts/src/PuttyV2.sol::406 => : require(floorAssetTokenIds.length == 0, "Invalid floor tokenIds length"); 2022-06-putty-main/contracts/src/PuttyV2.sol::551 => require(orders.length == signatures.length, "Length mismatch in input"); 2022-06-putty-main/contracts/src/PuttyV2.sol::552 => require(signatures.length == floorAssetTokenIds.length, "Length mismatch in input");
Code Review
Recommended to replace revert strings with custom errors.
A division/multiplication by any number x being a power of 2 can be calculated by shifting log2(x) to the right/left.
While the DIV opcode uses 5 gas, the SHR opcode only uses 3 gas. Furthermore, Solidity's division operation also includes a division-by-0 prevention which is bypassed using shifting.
Contracts
None
A division/multiplication by any number x being a power of 2 can be calculated by shifting log2(x) to the right/left.
In some cases, having function arguments in calldata instead of memory is more optimal.
Consider the following generic example:
contract C { function add(uint[] memory arr) external returns (uint sum) { uint length = arr.length; for (uint i = 0; i < arr.length; i++) { sum += arr[i]; } } }
In the above example, the dynamic array arr has the storage location memory. When the function gets called externally, the array values are kept in calldata and copied to memory during ABI decoding (using the opcode calldataload and mstore). And during the for loop, arr[i] accesses the value in memory using a mload. However, for the above example this is inefficient. Consider the following snippet instead:
contract C { function add(uint[] calldata arr) external returns (uint sum) { uint length = arr.length; for (uint i = 0; i < arr.length; i++) { sum += arr[i]; } } }
In the above snippet, instead of going via memory, the value is directly read from calldata using calldataload. That is, there are no intermediate memory operations that carries this value.
Gas savings: In the former example, the ABI decoding begins with copying value from calldata to memory in a for loop. Each iteration would cost at least 60 gas. In the latter example, this can be completely avoided. This will also reduce the number of instructions and therefore reduces the deploy time cost of the contract.
In short, use calldata instead of memory if the function argument is only read.
Note that in older Solidity versions, changing some function arguments from memory to calldata may cause "unimplemented feature error". This can be avoided by using a newer (0.8.*) Solidity compiler.
2022-06-putty-main/contracts/src/PuttyV2.sol:593: function _transferERC20sIn(ERC20Asset[] memory assets, address from) internal { 2022-06-putty-main/contracts/src/PuttyV2.sol:610: function _transferERC721sIn(ERC721Asset[] memory assets, address from) internal {
None
Some parameters in examples given above are later hashed. It may be beneficial for those parameters to be in memory rather than calldata.
> 0 can be replaced with != 0 for gas optimization!= 0 is a cheaper operation compared to > 0, when dealing with uint.
2022-06-putty-main/contracts/src/PuttyV2.sol::293 => require(order.baseAsset.code.length > 0, "baseAsset is not contract"); 2022-06-putty-main/contracts/src/PuttyV2.sol::327 => if (weth == order.baseAsset && msg.value > 0) { 2022-06-putty-main/contracts/src/PuttyV2.sol::351 => if (weth == order.baseAsset && msg.value > 0) { 2022-06-putty-main/contracts/src/PuttyV2.sol::427 => if (weth == order.baseAsset && msg.value > 0) { 2022-06-putty-main/contracts/src/PuttyV2.sol::498 => if (fee > 0) { 2022-06-putty-main/contracts/src/PuttyV2.sol::598 => require(token.code.length > 0, "ERC20: Token is not contract"); 2022-06-putty-main/contracts/src/PuttyV2.sol::599 => require(tokenAmount > 0, "ERC20: Amount too small");
None
Consider to replace > 0 with != 0 for gas optimization.
Using newer compiler versions and the optimizer gives gas optimizations and additional safety checks are available for free.
All Contracts
Solidity 0.8.10 has a useful change which reduced gas costs of external calls which expect a return value: https://blog.soliditylang.org/2021/11/09/solidity-0.8.10-release-announcement/
Solidity 0.8.13 has some improvements too but not well tested.
Code Generator: Skip existence check for external contract if return data is expected. In this case, the ABI decoder will revert if the contract does not exist
All Contracts
None
Consider to upgrade pragma to at least 0.8.13.
The contracts assigns two constants to the result of a keccak operation, which results in gas waste since the expression is computed each time the constant is accessed.
See this issue for more context: ethereum/solidity#9232 (https://github.com/ethereum/solidity/issues/9232)
2022-06-putty-main/contracts/src/PuttyV2.sol::90 => keccak256(abi.encodePacked("ERC721Asset(address token,uint256 tokenId)")); 2022-06-putty-main/contracts/src/PuttyV2.sol::96 => keccak256(abi.encodePacked("ERC20Asset(address token,uint256 tokenAmount)")); 2022-06-putty-main/contracts/src/PuttyV2.sol::102 => keccak256( 2022-06-putty-main/contracts/src/PuttyV2.sol::700 => orderHash = keccak256( 2022-06-putty-main/contracts/src/PuttyV2.sol::712 => keccak256(abi.encodePacked(order.whitelist)), 2022-06-putty-main/contracts/src/PuttyV2.sol::713 => keccak256(abi.encodePacked(order.floorTokens)), 2022-06-putty-main/contracts/src/PuttyV2.sol::714 => keccak256(encodeERC20Assets(order.erc20Assets)), 2022-06-putty-main/contracts/src/PuttyV2.sol::715 => keccak256(encodeERC721Assets(order.erc721Assets)) 2022-06-putty-main/contracts/src/PuttyV2.sol::731 => keccak256(abi.encode(ERC20ASSET_TYPE_HASH, arr[i].token, arr[i].tokenAmount)) 2022-06-putty-main/contracts/src/PuttyV2.sol::745 => keccak256(abi.encode(ERC721ASSET_TYPE_HASH, arr[i].token, arr[i].tokenId))
None
Replace the constant directive with immutable, or assign the already hashed value to the constants.
++i is more gas efficient than i++ in loops forwarding.
2022-06-putty-main/contracts/src/PuttyV2.sol::556 => for (uint256 i = 0; i < orders.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::594 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::598 => require(token.code.length > 0, "ERC20: Token is not contract"); 2022-06-putty-main/contracts/src/PuttyV2.sol::611 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::627 => for (uint256 i = 0; i < floorTokens.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::637 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::647 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::658 => for (uint256 i = 0; i < floorTokens.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::670 => for (uint256 i = 0; i < whitelist.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::728 => for (uint256 i = 0; i < arr.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::742 => for (uint256 i = 0; i < arr.length; i++) {
Code Review
It is recommend to use unchecked{++i} and change i declaration to uint256.
Reading array length at each iteration of the loop takes 6 gas (3 for mload and 3 to place memory_offset) in the stack.
Caching the array length in the stack saves around 3 gas per iteration.
2022-06-putty-main/contracts/src/PuttyV2.sol::611 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::627 => for (uint256 i = 0; i < floorTokens.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::637 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::647 => for (uint256 i = 0; i < assets.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::658 => for (uint256 i = 0; i < floorTokens.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::670 => for (uint256 i = 0; i < whitelist.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::728 => for (uint256 i = 0; i < arr.length; i++) { 2022-06-putty-main/contracts/src/PuttyV2.sol::742 => for (uint256 i = 0; i < arr.length; i++) {
None
Consider to cache array length.