Platform: Code4rena
Start Date: 21/04/2022
Pot Size: $100,000 USDC
Total HM: 18
Participants: 60
Period: 7 days
Judge: gzeon
Total Solo HM: 10
Id: 112
League: ETH
Rank: 9/60
Findings: 3
Award: $1,985.71
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: fatherOfBlocks
Also found by: shenwilly
1737.0523 USDC - $1,737.05
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/strategies/StrategySwapper.sol#L38-L43
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/strategies/StrategySwapper.sol#L109-L114
In the setSlippageTolerance (L119) method you have certain requirements to set slippageTolerance, but in the constructor you don't.
I would add the corresponding validations to the constructor.
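The recommendation above, sketched as an added example that is not the Backd StrategySwapper source or the warden's code: constructor and setter share one validation routine, so a deployment cannot start with a tolerance the setter would reject. The contract name, the two bounds, the event name and the governance check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added illustration only; names and bounds below are hypothetical.
contract SwapperSketch {
    // Assumed bounds: values are scaled to 18 decimals, 1e18 == 100%.
    uint256 internal constant MAX_TOLERANCE = 1e18;
    uint256 internal constant MIN_TOLERANCE = 0.8e18;

    address public immutable governance; // assumed access-control model
    uint256 public slippageTolerance;

    event SlippageToleranceSet(uint256 value); // hypothetical event name

    constructor(uint256 slippageTolerance_) {
        governance = msg.sender;
        // Deployment reverts on an out-of-range value instead of
        // silently storing it, which is the gap the finding describes.
        _setSlippageTolerance(slippageTolerance_);
    }

    function setSlippageTolerance(uint256 slippageTolerance_) external {
        require(msg.sender == governance, "unauthorized");
        _setSlippageTolerance(slippageTolerance_);
    }

    // Single validation path used by both entry points, so the checks
    // cannot drift apart when one of them is changed later.
    function _setSlippageTolerance(uint256 slippageTolerance_) internal {
        require(slippageTolerance_ <= MAX_TOLERANCE, "invalid slippage tolerance");
        require(slippageTolerance_ > MIN_TOLERANCE, "invalid slippage tolerance");
        slippageTolerance = slippageTolerance_;
        emit SlippageToleranceSet(slippageTolerance_);
    }
}
```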
#0 - chase-manning
2022-05-11T14:58:21Z
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x52, 0xDjango, 0xkatana, Dravee, Funen, Kenshin, Ruhum, StyxRave, Tadashi, TerrierLover, TrungOre, antonttc, berndartmueller, catchup, csanuragjain, defsec, dipp, fatherOfBlocks, hake, horsefacts, hubble, jayjonah8, joestakey, kebabsec, kenta, m4rio_eth, oyc_109, pauliax, peritoflores, rayn, remora, robee, securerodd, simon135, sorrynotsorry, sseefried, z3s
159.3125 USDC - $159.31
contracts/pool/LiquidityPool.sol
contracts/strategies/ConvexStrategyBase.sol
🌟 Selected for report: joestakey
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xkatana, 0xmint, Dravee, Funen, IllIllI, MaratCerby, NoamYakov, Tadashi, TerrierLover, Tomio, WatchPug, catchup, defsec, fatherOfBlocks, hake, horsefacts, kenta, oyc_109, pauliax, rayn, rfa, robee, saian, securerodd, simon135, slywaters, sorrynotsorry, tin537, z3s
89.3504 USDC - $89.35
contracts/CvxCrvRewardsLocker.sol
L161 - GO - In the withdraw() function, the "balance" variable is only used in one place, it could simply be called on the line it is used.
L231 - GO - In the unstakeCvxCrv() function, the "staked" variable is only used in one place, it could simply be called on the line it is used.
contracts/GasBank.sol
contracts/Controller.sol
contracts/StakerVault.sol
L185 - GO - It wastes less gas if instead of creating a msg.sender variable, you simply use msg.sender in _allowances[msg.sender][] and in the event that is emitted.
L231 - GO - can be wrapped with unchecked, since the if validates that there is no underflow.
L331 - GO - oldBal is only used in one place, it could simply be called on the line that is used.
contracts/pool/LiquidityPool.sol
L446 - GO - can be wrapped with unchecked, since lpBalance_ < redeemLpTokens validates that there is no underflow.
L556 - GO - can be wrapped with unchecked, redeemLpTokens - withdrawalFee can be invalid since to obtain the withdrawalFee it is a percentage of what you want to redeem.
L633 - GO - In the totalUnderlying() function it is better not to create a variable in memory for _getBalanceUnderlying(), just execute it in the two returns L637 and 640.
L748.751.753 - GO - the operation that ends by setting the variable in memory requiredDeposits could be unchecked by the validations that were performed in the if.
contracts/actions/topup/TopUpKeeperHelper.sol
L43.46.72.93.165 - GO - for i++ unchecked
L164 - GO - if shortened is defined in the returns of the signature and push is used to add elements, the gas cost drops by 30.