Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $55,000 USDC
Total HM: 29
Participants: 88
Period: 5 days
Judge: gzeon
Total Solo HM: 7
Id: 134
League: ETH
Rank: 50/88
Findings: 2
Award: $128.88
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: defsec
Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xkowloon, 0xmint, Bnke0x0, BowTiedWardens, Chom, ElKu, Funen, GalloDaSballo, GimelSec, IllIllI, JC, Kenshin, Kulk0, Lambda, Limbooo, MadWookie, Metatron, Picodes, Soosh, StErMi, TomJ, WatchPug, Waze, Yiko, _Adam, ak1, asutorufos, aysha, bardamu, catchup, datapunk, delfin454000, dipp, fatherOfBlocks, grGred, hake, hansfriese, hyh, joestakey, kebabsec, kenzo, kirk-baird, oyc_109, pashov, poirots, rfa, robee, saian, sashik_eth, shenwilly, simon135, slywaters, z3s, zeesaw, zer0dot
65.8003 USDC - $65.80
MarketPlace.sol
L5 - Interfaces.sol is imported in full, but several of the interfaces in it are not used; only the ones that are used should be imported.
L98 - The inputs of the function setPrincipal() are passed in the order (p,u,m,a) but are used in the order (u,m,p,a), so it would be better to declare them in that order.
In general, all functions name their inputs with single letters. This is bad practice, since it makes it difficult to understand from the code what a function is really meant to do; it is an anti-pattern.
L157/172 - pool.base() returns an IERC20, so the wrapper IERC20(address(pool.base())) is unnecessary.
ERC5095.sol
L22/23/24/25 - In the constructor the immutable storage variables are set, but they are not validated to be != 0. This is important, since a zero value would cause a DoS in most of the functions.
L5 - Interfaces.sol is imported in full, but several of the interfaces in it are not used; only the ones that are used should be imported.
Redeemer.sol
L5 - Interfaces.sol is imported in full, but several of the interfaces in it are not used; only the ones that are used should be imported.
In general, all functions name their inputs with single letters. This is bad practice, since it makes it difficult to understand from the code what a function is really meant to do; it is an anti-pattern.
L51/52/53/54/55/56 - In the constructor the immutable storage variables are set, but they are not validated to be != 0. This is important, since a zero value would cause a DoS in most of the functions.
L107/158/206/240 - The inputs of the redeem() functions are passed in the orders (p,u,m,o), (p,u,m), (p,u,m,i), (p,u,m,d,o) but are used in the orders (u,m,p,o), (u,m,p), (u,m,p,i), (u,m,p,d,o), so it would be better to declare them in that order.
Lender.sol
L167/473 - The inputs of the mint() and lend() functions are passed in the orders (p,u,m,a), (p,u,m,a,r,x,s) but are used in the orders (u,m,p,a), (u,m,p,s,x,a,r), so it would be better to declare them in that order.
In general, all functions name their inputs with single letters. This is bad practice, since it makes it difficult to understand from the code what a function is really meant to do; it is an anti-pattern.
L5 - Interfaces.sol is imported in full, but several of the interfaces in it are not used; only the ones that are used should be imported.
L707 - It is preferable for the function to return an IERC5095 directly instead of an address, since the result is always used that way; this would save every function that uses it from having to convert the result to an IERC5095.
🌟 Selected for report: BowTiedWardens
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 0xkowloon, Bnke0x0, ElKu, Fitraldys, Funen, GalloDaSballo, IllIllI, JC, Kaiziron, Lambda, MadWookie, Noah3o6, Nyamcil, RoiEvenHaim, TomJ, Tomio, UnusualTurtle, Waze, _Adam, ajtra, asutorufos, bardamu, c3phas, catchup, datapunk, defsec, delfin454000, fatherOfBlocks, grGred, hake, hansfriese, hyh, ignacio, joestakey, kebabsec, ladboy233, oyc_109, pashov, poirots, rfa, robee, sach1r0, samruna, sashik_eth, simon135, slywaters, z3s, zer0dot
63.0781 USDC - $63.08
MarketPlace.sol
L247 - Instead of using a modifier you can save gas using private view functions.
L80/83/86 - A variable does not need to be created in memory if it is only to be used once.
ERC5095.sol
Redeemer.sol
L300 - Instead of using a modifier you can save gas using private view functions.
L118/134 - A variable does not need to be created in memory if it is only to be used once.
Lender.sol
L96/120/283 - ++i costs less gas than i++.
L265/340/341 - It is not necessary to set a variable to its default value; doing so costs more gas.
L265 - Instead of reading o.length in the for statement on every iteration, it is less expensive to store the length in a local variable and use that.
L174/176/441/444/585/587 - A variable does not need to be created in memory if it is only to be used once.
L219/229/280/347/400/452/502/557/605 - The operation a - fee can be unchecked since fee will always be smaller than a. This is because fee is obtained from calculateFee(a).
L662 - It is less expensive to make variable != 0 than variable > 0.
L698 - Instead of making the transfer to admin, which requires reading a variable from storage, the funds could be transferred directly to msg.sender, which would save gas. We know that they can only be sent to msg.sender because of the authorized(admin) modifier on the withdraw() function.
L722/731 - Instead of using a modifier you can save gas using private view functions.
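The unchecked subtraction suggested for L219/229/280/347/400/452/502/557/605 above, as an added Solidity sketch that is not taken from Lender.sol: the contract name FeeMath, the feeDivisor variable and the body of calculateFee are assumptions made for illustration. It puts the checked and unchecked forms side by side and spells out the invariant the unchecked form relies on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Added illustration only. FeeMath, feeDivisor and the body of
/// calculateFee are hypothetical stand-ins, not the audited code.
contract FeeMath {
    /// Hypothetical divisor: fee = a / feeDivisor (0 disables the fee).
    uint256 public immutable feeDivisor;

    constructor(uint256 divisor) {
        feeDivisor = divisor;
    }

    /// Invariant relied on below: for every a, calculateFee(a) <= a.
    /// a / d <= a holds for any d >= 1, and the d == 0 branch returns 0.
    function calculateFee(uint256 a) internal view returns (uint256) {
        return feeDivisor > 0 ? a / feeDivisor : 0;
    }

    /// Checked form: since 0.8.0 the compiler emits an underflow check
    /// on `a - fee` and reverts if fee > a.
    function netChecked(uint256 a) external view returns (uint256) {
        uint256 fee = calculateFee(a);
        return a - fee;
    }

    /// Unchecked form: skips that check to save gas. It is correct only
    /// while the invariant above holds. If calculateFee were later changed
    /// (for example to add a flat minimum fee), fee could exceed a and the
    /// result would wrap to a huge value instead of reverting.
    function netUnchecked(uint256 a) external view returns (uint256 net) {
        uint256 fee = calculateFee(a);
        unchecked {
            net = a - fee;
        }
    }
}
```

When applying this optimisation, document the invariant next to calculateFee so that a later change to the fee formula is reviewed against every unchecked call site.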