Platform: Code4rena
Start Date: 15/06/2022
Pot Size: $35,000 USDC
Total HM: 1
Participants: 36
Period: 3 days
Judge: Jack the Pug
Total Solo HM: 1
Id: 137
League: ETH
Rank: 12/36
Findings: 2
Award: $118.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xNazgul
Also found by: 0xDjango, 0xFar5eer, 0xf15ers, BowTiedWardens, Chom, Dravee, IllIllI, Meera, MiloTruck, PierrickGT, TerrierLover, _Adam, cccz, codexploder, cryptphi, delfin454000, fatherOfBlocks, hansfriese, joestakey, oyc_109, simon135
81.8216 USDC - $81.82
Typos
The same typo (withdrawed) occurs in all five lines referenced below:
Example:
/// @dev Fees when funds are withdrawed
Change withdrawed to withdrawn in all cases
/// @return Token transfered (in case of ETH)
Change transfered to transferred
/// @dev True if the owner is setted
Change setted to set
The same typo (liquitiy) occurs in all four lines referenced below:
Example:
/// @param pool The Curve pool to add liquitiy in
Change liquitiy to liquidity in each case
The same typo (orders) occurs in both lines referenced below:
/// @dev For every orders, call the operator with the calldata
Change orders to order in both cases
The same typo (store) occurs in both lines referenced below:
/// @param _toReserve True if the output is store in the reserve/records (portfolio), false if not.
Change store to stored in both cases
/// @dev Call the operator to submit the order but dont stop if the call to the operator fail.
Change fail to fails
/// @notice Resolve the operators address
For clarity, either replace the operators with operator or else use the actual variable name
/// @dev sets the allowance for a token to the maximum if it is not already at max
For clarity and consistency, capitalize sets
The same typo (token) occurs in all six lines referenced below:
Example:
/// @param token One of the paired token
Change token to tokens in each case
The same typo (needs) occurs in both lines referenced below:
// LP Tokens needs to be sent back to the pair address to be burned
Change needs to need in both cases
The same typo (allows to add) occurs in both lines referenced below:
/// This allows to add as many tokensA and tokensB as possible
Change allows to add to allows us to add in both cases
#0 - Yashiru
2022-06-24T14:01:59Z
Quality assurance confirmed.
Missing occurrences:
change datas to data (found in #61)
change dont to don't (found in #61)
change datas to data (found in #11)
change datas to data (found in #11)
change datas to data (found in #11)
change datas to data (found in #11)
change datas to data (found in #11)
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0xKitsune, 0xNazgul, 0xkatana, Chom, ElKu, JC, Meera, MiloTruck, Picodes, PierrickGT, SooYa, TerrierLover, UnusualTurtle, Waze, _Adam, asutorufos, c3phas, delfin454000, fatherOfBlocks, joestakey, minhquanym, oyc_109, robee, sach1r0, simon135
36.189 USDC - $36.19
Issue: Require message is too long
Explanation: The require revert strings below can be shortened to 32 characters or fewer (as shown) to save gas
All four lines referenced below incorporate the same long require() string:
Example:
require(targets.length == values.length, "TimelockController: length mismatch");
Change message to TimelockController: len mismatch in each case
require(!isOperation(id), "TimelockController: operation already scheduled");
Change message to TimelockController: op alr sched
require(delay >= getMinDelay(), "TimelockController: insufficient delay");
Change message to TimelockController: insuf delay
require(isOperationPending(id), "TimelockController: operation cannot be cancelled");
Change message to TimelockController: can't cxl op
Both lines referenced below incorporate the same long require() string:
require(isOperationReady(id), "TimelockController: operation is not ready");
Change message to TimelockController: op not ready
require(predecessor == bytes32(0) || isOperationDone(predecessor), "TimelockController: missing dependency");
Change message to TimelockController:no dependency
require(success, "TimelockController: underlying transaction reverted");
Not clear how to shorten message
require(msg.sender == address(this), "TimelockController: caller must be timelock");
Not clear how to shorten message
Issue: Use of '&&' within a require function
Explanation: Splitting such require() statements into separate requires saves gas
require(
    address(_nestedAsset) != address(0) &&
        address(_nestedRecords) != address(0) &&
        address(_reserve) != address(0) &&
        address(_feeSplitter) != address(0) &&
        address(_weth) != address(0) &&
        _operatorResolver != address(0),
    "NF: INVALID_ADDRESS"
);
Recommendation:
require(address(_nestedAsset) != address(0), "NF: INVALID_ADDRESS");
require(address(_nestedRecords) != address(0), "NF: INVALID_ADDRESS");
require(address(_reserve) != address(0), "NF: INVALID_ADDRESS");
require(address(_feeSplitter) != address(0), "NF: INVALID_ADDRESS");
require(address(_weth) != address(0), "NF: INVALID_ADDRESS");
require(_operatorResolver != address(0), "NF: INVALID_ADDRESS");
require(vaultAmount != 0 && vaultAmount >= minVaultAmount, "BVO: INVALID_AMOUNT_RECEIVED");
Recommendation:
require(vaultAmount != 0, "BVO: INVALID_AMOUNT_RECEIVED");
require(vaultAmount >= minVaultAmount, "BVO: INVALID_AMOUNT_RECEIVED");
Similarly for the following require statements:
require(vaultAmount != 0 && vaultAmount >= minVaultAmount, "BLVO: INVALID_AMOUNT_RECEIVED");
require(depositedAmount != 0 && amountToDeposit >= depositedAmount, "BLVO: INVALID_AMOUNT_DEPOSITED");
require(vaultAmount != 0 && vaultAmount >= minVaultAmount, "BLVO: INVALID_AMOUNT_RECEIVED");
require(depositedAmount != 0 && amountToDeposit >= depositedAmount, "BLVO: INVALID_AMOUNT_DEPOSITED");
require(_tokenTransferProxy != address(0) && _augustusSwapper != address(0), "PSO: INVALID_ADDRESS");
#0 - obatirou
2022-06-24T15:09:59Z
https://github.com/code-423n4/2022-06-nested-findings/issues/62#issuecomment-1165547704
#1 - obatirou
2022-06-24T15:48:22Z
https://github.com/code-423n4/2022-06-nested-findings/issues/29#issuecomment-1165702145
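The two gas checks from the report above (revert strings longer than 32 bytes, and '&&' inside a require), written as a small scanner. This is an added example, not part of the original submission or the audited codebase. The sample lines are constructed from require() statements quoted in the report; the scanner assumes double-quoted string literals and does not strip Solidity comments.

```python
import re

# Constructed sample input: require() lines quoted in the report above.
SAMPLE = '''
require(targets.length == values.length, "TimelockController: length mismatch");
require(targets.length == values.length, "TimelockController: len mismatch");
require(vaultAmount != 0 && vaultAmount >= minVaultAmount, "BVO: INVALID_AMOUNT_RECEIVED");
require(
    _tokenTransferProxy != address(0) && _augustusSwapper != address(0),
    "PSO: INVALID_ADDRESS"
);
require(vaultAmount != 0, "BVO: INVALID_AMOUNT_RECEIVED");
'''

MAX_REVERT_BYTES = 32  # one EVM word; the threshold the report uses


def require_calls(source):
    """Yield (line_no, argument_text) for each require(...) call, balancing parentheses."""
    for m in re.finditer(r"\brequire\s*\(", source):
        depth, i, in_str = 1, m.end(), False
        while i < len(source) and depth:
            c = source[i]
            if c == '"' and source[i - 1] != "\\":
                in_str = not in_str
            elif not in_str:
                depth += (c == "(") - (c == ")")
            i += 1
        yield source.count("\n", 0, m.start()) + 1, source[m.end():i - 1]


def audit(source):
    """Return findings as (line_no, kind, detail) tuples."""
    findings = []
    for line_no, args in require_calls(source):
        msg = re.search(r',\s*"((?:[^"\\]|\\.)*)"\s*$', args)
        cond = args[:msg.start()] if msg else args
        if msg and len(msg.group(1).encode("utf-8")) > MAX_REVERT_BYTES:
            findings.append((line_no, "long-revert-string", msg.group(1)))
        # Strip string literals so "&&" inside a message is not counted.
        if "&&" in re.sub(r'"(?:[^"\\]|\\.)*"', "", cond):
            findings.append((line_no, "and-in-require", " ".join(cond.split())))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running audit() over the shortened messages proposed in the report returns no findings, which confirms each of them fits in 32 bytes.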