Platform: Code4rena
Start Date: 25/08/2022
Pot Size: $75,000 USDC
Total HM: 35
Participants: 147
Period: 7 days
Judge: 0xean
Total Solo HM: 15
Id: 156
League: ETH
Rank: 85/147
Findings: 2
Award: $86.89
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: zzzitron
Also found by: 0x040, 0x1f8b, 0x52, 0x85102, 0xDjango, 0xNazgul, 0xNineDec, 0xSky, 0xSmartContract, 0xkatana, 8olidity, Aymen0909, Bahurum, BipinSah, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chandr, Chom, CodingNameKiki, Deivitto, DimSon, Diraco, ElKu, EthLedger, Funen, GalloDaSballo, Guardian, IllIllI, JansenC, Jeiwan, Lambda, LeoS, Margaret, MasterCookie, PPrieditis, PaludoX0, Picodes, PwnPatrol, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, StevenL, The_GUILD, TomJ, Tomo, Trust, Waze, __141345__, ajtra, ak1, apostle0x01, aviggiano, bin2chen, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, cccz, ch13fd357r0y3r, cloudjunky, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, devtooligan, dipp, djxploit, durianSausage, eierina, enckrish, erictee, fatherOfBlocks, gogo, grGred, hansfriese, hyh, ignacio, indijanc, itsmeSTYJ, ladboy233, lukris02, martin, medikko, mics, natzuu, ne0n, nxrblsrpr, okkothejawa, oyc_109, p_crypt0, pfapostol, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, sorrynotsorry, tnevler, tonisives, w0Lfrum, yixxas
54.3143 DAI - $54.31
// Cache numbe of observations to save gas.
Change numbe to number
The same typo (deactive) occurs in both lines referenced below:
/// If wall is down after swap, deactive the cushion as well
Change deactive to deactivate in both cases
In theory, comments over 79 characters should wrap using multi-line comment syntax. Even if somewhat longer comments are acceptable and a scroll bar is provided, very long comments can interfere with readability. Some of the long comments in Olympus do wrap (e.g., PRICE.sol: L237-239) — the treatment of very long comments is inconsistent and should be made consistent. Below is an example of a line that should wrap:
/// @dev Price feeds. Chainlink typically provides price feeds for an asset in ETH. Therefore, we use two price feeds against ETH, one for OHM and one for the Reserve asset, to calculate the relative price of OHM in the Reserve asset.
Suggestion:
/// @dev Price feeds. Chainlink typically provides price feeds for an asset in ETH. /// Therefore, we use two price feeds against ETH — one for OHM and one for the /// Reserve asset — to calculate the relative price of OHM in the Reserve asset.
Similarly for the following 10 examples:
Comments that contain TODOs or other language referring to open items should be addressed and modified or removed. Below are two instances:
// Anyone can call to revoke a deactivated policy's approvals. // TODO Currently allows anyone to revoke any approval EXCEPT activated policies. // TODO must reorg policy storage to be able to check for deactivated policies. function revokePolicyApprovals(address policy_, ERC20[] memory tokens_) external { if (Policy(policy_).isActive()) revert PolicyStillActive(); // TODO Make sure `policy_` is an actual policy and not a random address.
/// Get latest price /// TODO determine if this should use the last price from the MA or recalculate the current price, ideally last price is ok since it should have been just updated and should include check against secondary? /// Current price is guaranteed to be up to date, but may be a bad value if not checked? uint256 currentPrice = PRICE.getLastPrice();
Terms incorporating "black," "white," "slave" or "master" are potentially problematic. Substituting more neutral terminology is becoming common practice. Example:
/// Whitelist the bond market on the callback callback.whitelist(address(auctioneer.getTeller()), market);
Suggestion: Change whitelist to 'allowlist`
Similarly for the following six instances (change whitelisted to allowlisted where it occurs):
for loopsSome for loop counters in the contracts are initiated to zero (uint256 i = 0;) whereas others are not (uint256 i;). It is not necessary to initialize for loop counters to zero since this is their default value. For consistency, it makes sense to omit such initializations in the for loops below:
🌟 Selected for report: pfapostol
Also found by: 0x040, 0x1f8b, 0x85102, 0xDjango, 0xNazgul, 0xNineDec, 0xSmartContract, 0xkatana, Amithuddar, Aymen0909, Bnke0x0, CertoraInc, Chandr, CodingNameKiki, Deivitto, Dionysus, Diraco, ElKu, Fitraldys, Funen, GalloDaSballo, Guardian, IllIllI, JC, JansenC, Jeiwan, LeoS, Metatron, Noah3o6, RaymondFam, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, Ruhum, Saintcode_, Shishigami, Sm4rty, SooYa, StevenL, Tagir2003, The_GUILD, TomJ, Tomo, Waze, __141345__, ajtra, apostle0x01, aviggiano, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, cccz, ch0bu, chrisdior4, d3e4, delfin454000, djxploit, durianSausage, erictee, exolorkistis, fatherOfBlocks, gogo, grGred, hyh, ignacio, jag, karanctf, kris, ladboy233, lukris02, m_Rassska, martin, medikko, natzuu, ne0n, newfork01, oyc_109, peiw, rbserver, ret2basic, robee, rokinot, rvierdiiev, sikorico, simon135, tnevler, zishansami
32.5835 DAI - $32.58
for loopSince calculating the array length costs gas, it's best to read the length of the array from memory before executing the loop.
for (uint256 step; step < instructions.length; ) { kernel.executeAction(instructions[step].action, instructions[step].target); unchecked { ++step; } }
Suggestion:
uint256 instructLength = instructions.length; for (uint256 step; step < instructLength; ) { kernel.executeAction(instructions[step].action, instructions[step].target); unchecked { ++step; } }
++i instead of i++ to increase count in a for loopSince use of i++ (or equivalent counter) costs more gas, it is better to use ++i
for (uint256 i = 0; i < 5; ) { bytes1 char = unwrapped[i]; if (char < 0x41 || char > 0x5A) revert InvalidKeycode(keycode_); // A-Z only unchecked { i++; } }
Suggestion:
for (uint256 i = 0; i < 5; ) { bytes1 char = unwrapped[i]; if (char < 0x41 || char > 0x5A) revert InvalidKeycode(keycode_); // A-Z only unchecked { ++i; } }
Similarly for the following for loop: