Platform: Code4rena
Start Date: 19/04/2022
Pot Size: $30,000 USDC
Total HM: 10
Participants: 43
Period: 3 days
Judges: moose-code, JasoonS
Total Solo HM: 7
Id: 90
League: ETH
Rank: 20/43
Findings: 2
Award: $107.39
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0xDjango, 0xkatana, Dravee, Kenshin, Tadashi, TerrierLover, abhinavmir, defsec, ellahi, fatima_naz, foobar, gzeon, hyh, joestakey, kebabsec, kenta, minhquanym, oyc_109, rayn, robee, sseefried, xpriment626, z3s
76.0103 USDC - $76.01
ManagedIndex.initializehttps://github.com/code-423n4/2022-04-phuture/blob/594459d0865fb6603ba388b53f3f01648f5bb6fb/contracts/ManagedIndex.sol#L27
Duplicate asset can be defined in ManagedIndex.initialize, which only the last entry would be effective
Consider to pin Solidity version to latest 0.8.12
ManagedIndex.initializehttps://github.com/code-423n4/2022-04-phuture/blob/594459d0865fb6603ba388b53f3f01648f5bb6fb/contracts/ManagedIndex.sol#L27
_assets and _weights might not be same length, both arrays may have 0 value
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0xDjango, 0xNazgul, 0xkatana, Dravee, Kenshin, MaratCerby, Tadashi, TerrierLover, Tomio, TrungOre, defsec, ellahi, fatherOfBlocks, fatima_naz, gzeon, joestakey, kenta, minhquanym, oyc_109, rayn, rfa, robee, simon135, slywaters, windhustler, z3s
31.3783 USDC - $31.38
> 0 is less efficient than != 0 for uint in require conditionRef: https://twitter.com/GalloDaSballo/status/1485430908165443590
contracts/libraries/NAV.sol:49: require(shares > 0, "NAV: INSUFFICIENT_AMOUNT"); contracts/libraries/NAV.sol:59: require(amount > 0, "NAV: INSUFFICIENT_SHARES_BURNED"); contracts/libraries/IndexLibrary.sol:29: require(_assetPerBaseInUQ > 0, "IndexLibrary: ORACLE"); contracts/libraries/FullMath.sol:35: require(denominator > 0); contracts/IndexLogic.sol:76: require(lastAssetBalanceInBase > 0, "Index: INSUFFICIENT_AMOUNT"); contracts/IndexLogic.sol:98: require(value > 0, "Index: INSUFFICIENT_AMOUNT"); contracts/ChainlinkPriceOracle.sol:86: require(basePrice > 0 && quotePrice > 0, "ChainlinkPriceOracle: NEGATIVE");
We can use the following function to save gas on float multiplications
// out = x * y unchecked{/} z function fmul(uint256 x, uint256 y, uint256 z) internal pure returns(uint256 out){ assembly{ if iszero(eq(div(mul(x,y),x),y)) {revert(0,0)} out := div(mul(x,y),z) } }
./contracts/libraries/IndexLibrary.sol:31: return ((_amountInBase * _weight) / MAX_WEIGHT).mulDiv(_assetPerBaseInUQ, FixedPoint112.Q112);
Solidity ^0.8.4 allow the use of custom errors to optimize gas usage. https://blog.soliditylang.org/2021/04/21/custom-errors/