PoolTogether micro contest #1 - hrkrshnn's results

A protocol for no loss prize savings on Ethereum

General Information

Platform: Code4rena

Start Date: 29/07/2021

Pot Size: $20,000 USDC

Total HM: 8

Participants: 12

Period: 3 days

Judge: LSDan

Total Solo HM: 2

Id: 24

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 10/12

Findings: 2

Award: $354.78

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository PoolTogether

Findings Information

🌟 Selected for report: maplesyrup

Also found by: 0xRajeev, hickuphh3, hrkrshnn

Labels

bug

duplicate

0 (Non-critical)

mStableYieldSource

Awards

26.3992 USDC - $26.40

External Links

Link to GitHub issue

Handle

hrkrshnn

Vulnerability details

Function that can be made external

MStableYieldSource.sol

function approveMax() public
function depositToken() public

The above two functions can be converted to external.

#0 - PierrickGT
2021-08-06T16:51:45Z

Duplicate of https://github.com/code-423n4/2021-07-pooltogether-findings/issues/10

Findings Information

🌟 Selected for report: hickuphh3

Also found by: hrkrshnn

Labels

bug

duplicate

G (Gas Optimization)

SwappableYieldSource

sponsor disputed

Awards

90.5323 USDC - $90.53

External Links

Link to GitHub issue

Handle

hrkrshnn

Vulnerability details

Consider shortening revert strings

Several revert strings in SwappableYieldSource.sol are more than 32 bytes. Try to keep everything below 32 bytes. Even better would be replacing it with Solidity's custom errors from 0.8.4.

Example:

  function transferERC20(IERC20Upgradeable erc20Token, address to, uint256 amount) external onlyOwnerOrAssetManager returns (bool) {
    require(address(erc20Token) != address(yieldSource), "SwappableYieldSource/yield-source-token-transfer-not-allowed");
    ...
}

The above string is 60 characters. Everything above 32 characters would need an additional mstore. This would incur a cost for an additional mstore, cost for memory expansion, as well as additional stack operation costs. This is only relevant when the revert condition is met.

Shortening would also reduce the deploy cost for the contract in all cases.

If possible, it's recommended to change this to:

pragma solidity ^0.8.4;

/// A long NatSpec comment explaning this in detail, without costing on chain gas.
error YieldSourceTokenTransferNotAllowed();

function transferERC20(IERC20Upgradeable erc20Token, address to, uint256 amount) external onlyOwnerOrAssetManager returns (bool) {
    if (address(erc20Token) == address(yieldSource))
        revert YieldSourceTokenTransferNotAllowed();
    ...
 }

The above change will also decrease gas.

There are several other instances where large revert strings are used. All of them can be shortened / replaced.

#0 - PierrickGT
2021-08-11T23:42:19Z

This feature is only available for Solidity version 0.8.4, we are using version 0.7.6 in the swappable yield source and 0.8.2 in the mStable yield source.

#1 - 0xean
2021-08-24T17:37:09Z

duplicate of #27

#2 - PierrickGT
2021-08-30T15:42:42Z

Closing as this issue is a duplicate.

Findings Information

🌟 Selected for report: hrkrshnn

Labels

bug

G (Gas Optimization)

mStableYieldSource

sponsor confirmed

Awards

201.183 USDC - $201.18

External Links

Link to GitHub issue

Handle

hrkrshnn

Vulnerability details

Use 0.8.4

The version 0.8.4 includes an important low level inliner that can save gas. Upgrading MStableYieldSource.sol from 0.8.2 to 0.8.4 should improve gas.

#0 - PierrickGT
2021-08-16T22:48:01Z

PR: https://github.com/pooltogether/pooltogether-mstable/pull/6

Findings Information

🌟 Selected for report: hickuphh3

Also found by: 0xRajeev, hrkrshnn, shw

Labels

bug

duplicate

G (Gas Optimization)

mStableYieldSource

Awards

36.6656 USDC - $36.67

External Links

Link to GitHub issue

Handle

hrkrshnn

Vulnerability details

Replace an external call with the immutable variable

Context

@@ -59,7 +59,7 @@ contract MStableYieldSource is IYieldSource, ReentrancyGuard {

     /// @notice Approves of the max spend amount for the Savings contract.
     function approveMax() public {
-        IERC20(savings.underlying()).safeApprove(address(savings), type(uint256).max);
+        mAsset.safeApprove(address(savings), type(uint256).max);

         emit ApprovedMax(msg.sender);
     }

Instead of an expensive external call, the value would be replaced by a cheap push operation.

#0 - PierrickGT
2021-08-13T16:16:34Z

Duplicate of https://github.com/code-423n4/2021-07-pooltogether-findings/issues/19

PoolTogether micro contest #1 - hrkrshnn's results

A protocol for no loss prize savings on Ethereum

General Information

Findings Distribution

Researcher Performance

External Links

Gas Report - $354.78

Gas Report - $354.78

[G-02] Functions that can be made external - $26.40

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Function that can be made external

MStableYieldSource.sol

#0 - PierrickGT2021-08-06T16:51:45Z

[G-09] [Optimization] Shorten revert strings larger than 32 bytes - $90.53

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Consider shortening revert strings

#0 - PierrickGT2021-08-11T23:42:19Z

#1 - 0xean2021-08-24T17:37:09Z

#2 - PierrickGT2021-08-30T15:42:42Z

🚀 [G-10] [Optimization] Use 0.8.4 in MStableYieldSource.sol - $201.18

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Use 0.8.4

#0 - PierrickGT2021-08-16T22:48:01Z

[G-04] [Optimization] Replace an external call with the immutable variable - $36.67

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Replace an external call with the immutable variable

#0 - PierrickGT2021-08-13T16:16:34Z

#0 - PierrickGT
2021-08-06T16:51:45Z

#0 - PierrickGT
2021-08-11T23:42:19Z

#1 - 0xean
2021-08-24T17:37:09Z

#2 - PierrickGT
2021-08-30T15:42:42Z

#0 - PierrickGT
2021-08-16T22:48:01Z

#0 - PierrickGT
2021-08-13T16:16:34Z