Back to horsefacts's contests

PoolTogether Aave v3 contest - horsefacts's results

A protocol for no loss prize savings on Ethereum.

General Information

Platform: Code4rena

Start Date: 29/04/2022

Pot Size: $22,000 USDC

Total HM: 6

Participants: 40

Period: 3 days

Judge: Justin Goro

Total Solo HM: 2

Id: 114

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 18/40

Findings: 1

Award: $162.91

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPoolTogether

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xf15ers, 0xkatana, 242, Dravee, GimelSec, MaratCerby, Tadashi, TrungOre, WatchPug, defsec, fatherOfBlocks, gzeon, hake, horsefacts, joestakey, miguelmtzinf, pauliax, pedroais, peritoflores, rotcivegaf, simon135, slywaters, tabish, throttle, z3s

Awards

162.9084 USDC - $162.91

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

Unnecessary constructor call

The ReentrancyGuard base contract takes no constructor arguments and can be omitted as a modifier for constructor:

constructor(
    IAToken _aToken,
    IRewardsController _rewardsController,
    IPoolAddressesProviderRegistry _poolAddressesProviderRegistry,
    string memory _name,
    string memory _symbol,
    uint8 decimals_,
    address _owner
  ) Ownable(_owner) ERC20(_name, _symbol) ReentrancyGuard() { ... }

Recommendation:

constructor(
    IAToken _aToken,
    IRewardsController _rewardsController,
    IPoolAddressesProviderRegistry _poolAddressesProviderRegistry,
    string memory _name,
    string memory _symbol,
    uint8 decimals_,
    address _owner
  ) Ownable(_owner) ERC20(_name, _symbol) { ... }

balanceOfToken can be declared as a view

The balanceOfToken function is read-only and can be declared as a view.

AaveV3YieldSource.sol#L212:

 function balanceOfToken(address _user) external override returns (uint256) {
    return _sharesToToken(balanceOf(_user));
  }

Recommendation:

 function balanceOfToken(address _user) external view override returns (uint256) {
    return _sharesToToken(balanceOf(_user));
  }

Note that this also declared incorrectly in the IYieldSource interface.

Unnecessary usage of SafeMath library

Solidity 0.8.0 introduced checked arithmetic by default, so the SafeMath library may safely be omitted.

Typo in natspec comment

inhereted should read inherited in the natspec comment on line 38.

#0 - PierrickGT

2022-05-04T20:02:50Z

Unnecessary constructor call

This is false, the constructor from ReentrancyGuard sets _status = _NOT_ENTERED; That being said, the ReentrancyGuard would still work properly since the default value of _status is 0, so different from 2. As a best practice, it is best to initialize it.

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/security/ReentrancyGuard.sol#L40 https://github.com/OpenZeppelin/openzeppelin-contracts/blob/14ca3aeb798d9b9be31df86ae7ef8b8f760caa4c/contracts/security/ReentrancyGuard.sol#L52

balanceOfToken can be declared as a view

Not possible since we inherit from the yield source interface.

Unnecessary usage of SafeMath library

Duplicate of: https://github.com/code-423n4/2022-04-pooltogether-findings/issues/11

Typo in natspec comment

Duplicate of: https://github.com/code-423n4/2022-04-pooltogether-findings/issues/22

#1 - gititGoro

2022-05-16T04:43:11Z

Given the sponsor feedback, this is mostly a Gas optimization issue and has been relabelled.

#2 - gititGoro

2022-05-20T23:09:38Z

Duplicate of https://github.com/code-423n4/2022-04-pooltogether-findings/issues/98

#3 - JeeberC4

2022-05-23T16:31:43Z

Changing name to better reflect the judging outcome.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter