Platform: Code4rena
Start Date: 27/05/2022
Pot Size: $75,000 USDC
Total HM: 20
Participants: 58
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 15
Id: 131
League: ETH
Rank: 29/58
Findings: 2
Award: $171.81
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0xNazgul, 0xf15ers, BowTiedWardens, Chom, Funen, Kaiziron, Kumpa, MiloTruck, Picodes, Ruhum, SecureZeroX, Sm4rty, SmartSek, StyxRave, WatchPug, Waze, asutorufos, bardamu, berndartmueller, c3phas, catchup, cccz, codexploder, cryptphi, defsec, delfin454000, dipp, fatherOfBlocks, gzeon, hake, hansfriese, hyh, masterchief, oyc_109, sach1r0, sashik_eth, shenwilly, simon135, unforgiven
113.8755 USDC - $113.88
Some tokens return void in approve and will revert if the IERC20 interface is used. Consider using OZ's safeApprove https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/VestedEscrow.sol#L25-L26
IERC20(rewardToken_).approve(msg.sender, type(uint256).max);
WETH address might change if deployed on L2 https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/FeeBurner.sol#L25-L26
address private constant _WETH = address(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2); // WETH
#0 - GalloDaSballo
2022-06-21T00:20:08Z
Finding is valid, although constructor would fail, would re-contextualize as "you forgot to use safeApprove here"
Finding has merit as non-critical, as hardcoded is always cheap for gas
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, Chom, Dravee, Fitraldys, Funen, Kaiziron, MiloTruck, Picodes, Randyyy, RoiEvenHaim, SecureZeroX, Sm4rty, SmartSek, StyxRave, Tadashi, Tomio, Waze, asutorufos, berndartmueller, c3phas, catchup, csanuragjain, defsec, delfin454000, djxploit, fatherOfBlocks, gzeon, hake, hansfriese, oyc_109, robee, sach1r0, sashik_eth, scaraven, simon135
57.93 USDC - $57.93
> 0 is less efficient than != 0 for uint in require condition
Ref: https://twitter.com/GalloDaSballo/status/1485430908165443590
protocol/contracts/tokenomics/AmmConvexGauge.sol:158: require(amount > 0, Error.INVALID_AMOUNT);
protocol/contracts/tokenomics/AmmConvexGauge.sol:171: require(amount > 0, Error.INVALID_AMOUNT);
protocol/contracts/tokenomics/VestedEscrow.sol:84: require(unallocatedSupply > 0, "No reward tokens in contract");
protocol/contracts/tokenomics/KeeperGauge.sol:140: require(totalClaimable > 0, Error.ZERO_TRANSFER_NOT_ALLOWED);
protocol/contracts/tokenomics/AmmGauge.sol:104: require(amount > 0, Error.INVALID_AMOUNT);
protocol/contracts/tokenomics/AmmGauge.sol:125: require(amount > 0, Error.INVALID_AMOUNT);
We can use the following function to save gas on float multiplications
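// out = x * y unchecked{/} z
function fmul(uint256 x, uint256 y, uint256 z) internal pure returns (uint256 out) {
    assembly {
        // Revert if x * y overflows; x == 0 is allowed (the product is 0)
        if iszero(or(iszero(x), eq(div(mul(x, y), x), y))) { revert(0, 0) }
        // EVM div returns 0 when z == 0 instead of reverting
        out := div(mul(x, y), z)
    }
}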
return Math.min((locked * elapsed) / totalTime, locked);
#0 - GalloDaSballo
2022-06-18T00:18:35Z
I gave 3 gas for all reports so will keep consistent 6 * 3 = 18
From my tests you can just use unchecked, also please always add gas saved
Will give it 40 gas as it's 2 * 20
Total Gas Saved 58