Platform: Code4rena
Start Date: 03/05/2022
Pot Size: $75,000 USDC
Total HM: 6
Participants: 55
Period: 7 days
Judge: Albert Chon
Total Solo HM: 2
Id: 116
League: COSMOS
Rank: 32/55
Findings: 2
Award: $181.78
π Selected for report: 0
π Solo Findings: 0
π Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0xDjango, 0xkatana, AmitN, CertoraInc, Dravee, Funen, GermanKuber, GimelSec, Hawkeye, JC, MaratCerby, WatchPug, Waze, broccolirob, cccz, ch13fd357r0y3r, cryptphi, danb, defsec, delfin454000, dipp, dirk_y, ellahi, gzeon, hake, hubble, ilan, jah, jayjonah8, kebabsec, kirk-baird, m9800, orion, oyc_109, robee, shenwilly, simon135, sorrynotsorry
113.6286 USDC - $113.63
A known vulnerable compiler version may accidentally be selected or security tools might fall-back to an older compiler version ending up checking a different EVM compilation that is ultimately deployed on the blockchain.
CosmosToken.sol::1 => pragma solidity ^0.6.6; Gravity.sol::1 => pragma solidity ^0.6.6;
Avoid floating pragmas for non-library contracts. It is recommended to pin to a concrete compiler version.
Make sure to get rid of test functions before deployment.
CosmosToken.sol::140 => function testMakeCheckpoint(ValsetArgs memory _valsetArgs, bytes32 _gravityId) public pure { CosmosToken.sol::144 => function testCheckValidatorSignatures(
manual, slither
π Selected for report: GermanKuber
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xNazgul, 0xf15ers, 0xkatana, AlleyCat, CertoraInc, Dravee, Funen, GimelSec, IllIllI, JC, MaratCerby, WatchPug, Waze, defsec, delfin454000, ellahi, gzeon, hake, hansfriese, ilan, jonatascm, nahnah, oyc_109, peritoflores, rfa, robee, simon135, slywaters, sorrynotsorry
68.1519 USDC - $68.15
Reading array length at each iteration of the loop takes 6 gas (3 for mload and 3 to place memory_offset) in the stack. Caching the array length in the stack saves around 3 gas per iteration.
Gravity.sol::128 => for (uint256 i = 0; i < _users.length; i++) { Gravity.sol::233 => for (uint256 i = 0; i < _currentValidators.length; i++) { Gravity.sol::263 => for (uint256 i = 0; i < _newValset.validators.length; i++) { Gravity.sol::453 => for (uint256 i = 0; i < _amounts.length; i++) { Gravity.sol::568 => for (uint256 i = 0; i < _args.transferAmounts.length; i++) { Gravity.sol::579 => for (uint256 i = 0; i < _args.feeAmounts.length; i++) { Gravity.sol::660 => for (uint256 i = 0; i < _powers.length; i++) {
Store the arrayβs length in a variable before the for-loop.
!= 0 instead of > 0 for Unsigned Integer Comparison in require statements.!= 0 is cheapear than > 0 when comparing unsigned integers in require statements.
Use != 0 instead of > 0.
Shortening revert strings to fit in 32 bytes will decrease deployment time gas and will decrease runtime gas when the revert condition is met. Revert strings that are longer than 32 bytes require at least one additional mstore, along with additional overhead for computing memory offset, etc.
Gravity.sol::119 => "The caller is not whitelisted for this operation" Gravity.sol::240 => "Validator signature does not match." Gravity.sol::256 => "Submitted validator set signatures do not have enough power." Gravity.sol::291 => "New valset nonce must be greater than the current nonce" Gravity.sol::312 => "Supplied current validators and powers do not match checkpoint." Gravity.sol::317 => "The sender of the transaction is not validated orchestrator" Gravity.sol::386 => "New batch nonce must be greater than the current nonce" Gravity.sol::392 => "Batch timeout must be greater than the current block height" Gravity.sol::407 => "Supplied current validators and powers do not match checkpoint." Gravity.sol::418 => "The sender of the transaction is not validated orchestrator" Gravity.sol::496 => "New invalidation nonce must be greater than the current nonce" Gravity.sol::511 => "Supplied current validators and powers do not match checkpoint." Gravity.sol::517 => "Malformed list of token transfers" Gravity.sol::527 => "The sender of the transaction is not validated orchestrator" Gravity.sol::655 => require(address(_cudosAccessControls) != address(0), "Access control contract address is incorrect"); Gravity.sol::668 => "Submitted validator set signatures do not have enough power."
Shorten the revert strings to fit in 32 bytes.
public Functions can be external.public functions that are never called by the contract should be declared external to save gas.
manageWhitelist(address[],bool) should be declared external: - Gravity.manageWhitelist(address[],bool) (contracts/Gravity.sol#124-136) testMakeCheckpoint(ValsetArgs,bytes32) should be declared external: - Gravity.testMakeCheckpoint(ValsetArgs,bytes32) (contracts/Gravity.sol#140-142) testCheckValidatorSignatures(address[],uint256[],uint8[],bytes32[],bytes32[],bytes32,uint256) should be declared external: - Gravity.testCheckValidatorSignatures(address[],uint256[],uint8[],bytes32[],bytes32[],bytes32,uint256) (contracts/Gravity.sol#144-162) lastBatchNonce(address) should be declared external: - Gravity.lastBatchNonce(address) (contracts/Gravity.sol#166-168) lastLogicCallNonce(bytes32) should be declared external: - Gravity.lastLogicCallNonce(bytes32) (contracts/Gravity.sol#170-172) updateValset(ValsetArgs,ValsetArgs,uint8[],bytes32[],bytes32[]) should be declared external: - Gravity.updateValset(ValsetArgs,ValsetArgs,uint8[],bytes32[],bytes32[]) (contracts/Gravity.sol#276-358) submitBatch(ValsetArgs,uint8[],bytes32[],bytes32[],uint256[],address[],uint256[],uint256,address,uint256) should be declared external: - Gravity.submitBatch(ValsetArgs,uint8[],bytes32[],bytes32[],uint256[],address[],uint256[],uint256,address,uint256) (contracts/Gravity.sol#364-468) sendToCosmos(address,bytes32,uint256) should be declared external: - Gravity.sendToCosmos(address,bytes32,uint256) (contracts/Gravity.sol#595-609) deployERC20(string,string,string,uint8) should be declared external: - Gravity.deployERC20(string,string,string,uint8) (contracts/Gravity.sol#611-630)
Declare visibility of functions above as external.
If a variable is not set/initialized, it is assumed to have the default value (0, false, 0x0 etc depending on the data type). Explicitly initializing it with its default value is an anti-pattern and wastes gas.
Gravity.sol::128 => for (uint256 i = 0; i < _users.length; i++) { Gravity.sol::231 => uint256 cumulativePower = 0; Gravity.sol::233 => for (uint256 i = 0; i < _currentValidators.length; i++) { Gravity.sol::263 => for (uint256 i = 0; i < _newValset.validators.length; i++) { Gravity.sol::453 => for (uint256 i = 0; i < _amounts.length; i++) { Gravity.sol::568 => for (uint256 i = 0; i < _args.transferAmounts.length; i++) { Gravity.sol::579 => for (uint256 i = 0; i < _args.feeAmounts.length; i++) { Gravity.sol::659 => uint256 cumulativePower = 0; Gravity.sol::660 => for (uint256 i = 0; i < _powers.length; i++) {
Remove explicit zero initialization.
++i costs less gas compared to i++ or i += 1++i costs less gas compared to i++ or i += 1 for unsigned integer, as pre-increment is cheaper (about 5 gas per iteration). This statement is true even with the optimizer enabled.
Gravity.sol::128 => for (uint256 i = 0; i < _users.length; i++) { Gravity.sol::233 => for (uint256 i = 0; i < _currentValidators.length; i++) { Gravity.sol::263 => for (uint256 i = 0; i < _newValset.validators.length; i++) { Gravity.sol::453 => for (uint256 i = 0; i < _amounts.length; i++) { Gravity.sol::568 => for (uint256 i = 0; i < _args.transferAmounts.length; i++) { Gravity.sol::579 => for (uint256 i = 0; i < _args.feeAmounts.length; i++) { Gravity.sol::660 => for (uint256 i = 0; i < _powers.length; i++) {
Use ++i instead of i++ to increment the value of an uint variable.
Same thing for --i and i--.
constantConstant state variables should be declared constant to save gas.
CosmosToken.sol::5 => uint256 MAX_UINT = 2**256 - 1; // @audit make constant, saves gas.
Add the constant attributes to state variables that never change.
c4udit, manual, slither