Platform: Code4rena
Start Date: 14/09/2022
Pot Size: $50,000 USDC
Total HM: 25
Participants: 110
Period: 5 days
Judge: hickuphh3
Total Solo HM: 9
Id: 162
League: ETH
Rank: 49/110
Findings: 2
Award: $89.45
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Respx
Also found by: 0x1f8b, 0xDecorativePineapple, 0xNazgul, 0xPanas, 0xSmartContract, 0xc0ffEE, 0xmuxyz, Aymen0909, Bahurum, Bnke0x0, CodingNameKiki, Deivitto, Jeiwan, Lambda, Picodes, PwnPatrol, R2, RaymondFam, Rolezn, Ruhum, Saintcode_, SooYa, Tointer, V_B, ajtra, ak1, async, auditor0517, brgltd, c3phas, carrotsmuggler, cccz, csanuragjain, datapunk, djxploit, durianSausage, eierina, erictee, gogo, imare, joestakey, jonatascm, kv, ladboy233, leosathya, lukris02, oyc_109, pashov, pauliax, rbserver, robee, rokinot, rvierdiiev, scaraven, simon135, unforgiven, wagmi, zzzitron
36.6223 USDC - $36.62
createNewMarket has an inverted condition check
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L187-L193
The function createNewMarket reverts incorrectly when called with a zero address, because the order of the if conditions is inverted: the external call to the controller runs before the zero-address check, so the intended ControllerNotSet error is never reached.
It is recommended to follow this code snippet:

```diff
function createNewMarket(...) ... {
+   if(controller == address(0))
+       revert ControllerNotSet();
    if(
        IController(controller).getVaultFactory() != address(this)
    )
        revert AddressFactoryNotInController();
-   if(controller == address(0))
-       revert ControllerNotSet();
    ...
}
```
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L97
The event is declared but never used.
It is recommended to either emit the event in the appropriate function or remove it.
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L425
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/oracles/PegOracle.sol#L76-#82
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/oracles/PegOracle.sol#L105
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/oracles/PegOracle.sol#L128
Some functions explicitly return variables that are already declared as named return values; this is not needed.
It is recommended to follow this code snippet:

```diff
//Function with already named return: amount
function randomFnc(uint256 x) external returns(uint256 amount){
    amount = x * 2;
    //Is not necessary to return amount
    //return amount;
}

//In PegOracle.sol
-   nowPrice = nowPrice * decimals10;
+   nowPrice = (nowPrice * decimals10) / 1000000;
-   return (
-       roundID1,
-       nowPrice / 1000000,
-       startedAt1,
-       timeStamp1,
-       answeredInRound1
-   );
```
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L308
Some bugs happen because of invalid inputs; it is a good pattern to check that input values are valid or inside an expected range.
It is recommended to follow these changes:

```diff
function changeTreasury(address _treasury, uint256 _marketIndex)
    public
    onlyAdmin
{
+   if(_treasury == address(0))
+       revert AddressZero();
    treasury = _treasury;
    ...
}
```
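The following is an added illustration, not code from the Y2K repository, that mirrors both the inverted check in createNewMarket and the missing zero-address check in changeTreasury in one minimal contract; the contract, function and error names are assumed, and access control is omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration, not the audited code: a minimal factory mirroring the
// two checks from the report. Contract, function and error names are assumed.
interface IController {
    function getVaultFactory() external view returns (address);
}

contract CheckOrderDemo {
    error ControllerNotSet();
    error AddressFactoryNotInController();
    error AddressZero();

    address public controller;
    address public treasury;

    constructor(address _controller) {
        controller = _controller; // pass address(0) to reproduce the finding
    }

    // Original order: the external call runs before the zero-address check.
    // With controller == address(0) there is no code at the target, so the
    // call reverts with empty data and ControllerNotSet() is never reached.
    function checkControllerOriginal() external view {
        if (IController(controller).getVaultFactory() != address(this))
            revert AddressFactoryNotInController();
        if (controller == address(0)) revert ControllerNotSet();
    }

    // Recommended order: the cheap local check first, then the external call,
    // so a missing controller surfaces as the intended custom error.
    function checkControllerFixed() external view {
        if (controller == address(0)) revert ControllerNotSet();
        if (IController(controller).getVaultFactory() != address(this))
            revert AddressFactoryNotInController();
    }

    // Same principle for setters: reject address(0) before storing it.
    // (onlyAdmin omitted here; the real setter keeps its access control.)
    function changeTreasury(address _treasury) external {
        if (_treasury == address(0)) revert AddressZero();
        treasury = _treasury;
    }
}
```

Deploying with _controller = address(0) and calling both view functions shows the difference: checkControllerOriginal() reverts with empty revert data, while checkControllerFixed() reverts with ControllerNotSet().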
🌟 Selected for report: pfapostol
Also found by: 0x040, 0x1f8b, 0x4non, 0xNazgul, 0xSmartContract, 0xc0ffEE, 0xkatana, Aymen0909, Bnke0x0, Deivitto, Diana, JAGADESH, KIntern_NA, Lambda, MiloTruck, R2, RaymondFam, Respx, ReyAdmirado, Rohan16, RoiEvenHaim, Rolezn, Ruhum, Saintcode_, Samatak, Sm4rty, SnowMan, Tomio, Tomo, WilliamAmbrozic, _Adam, __141345__, ajtra, ak1, async, c3phas, ch0bu, cryptostellar5, d3e4, delfin454000, dharma09, djxploit, durianSausage, eierina, erictee, fatherOfBlocks, gianganhnguyen, gogo, ignacio, imare, jag, jonatascm, leosathya, lukris02, malinariy, oyc_109, pashov, pauliax, peanuts, peiw, prasantgupta52, robee, rokinot, rotcivegaf, rvierdiiev, seyni, simon135, slowmoses, sryysryy, tnevler, zishansami
52.8286 USDC - $52.83
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/VaultFactory.sol#L195
++i costs less gas than i++ or i += 1 for unsigned integers, because the pre-increment operation is cheaper (about 5 gas per iteration).
It is recommended to follow this code snippet:

```diff
- marketIndex += 1;
+ ++marketIndex;
```
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L438
Functions with the public visibility modifier cost more gas than external ones.
It is recommended to use external instead of public for functions that will only be called externally, for example:

```solidity
contract Test {
    string message = "Hello World";

    // Execution cost: 24527
    function test() public view returns (string memory){
        return message;
    }

    //Execution cost: 24505
    function test2() external view returns (string memory){
        return message;
    }
}
```
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/Vault.sol#L443
The loops aren't optimized.

Default values don't need to be declared:

```diff
- uint256 i = 0;
- bool flag = false;
+ uint256 i;
+ bool flag;
```

Cache the array length:

```diff
- for (...; i < epochsLength(); ...) {
+ uint256 eLength = epochsLength();
+ for (...; i < eLength; ...) {
```

Use an unchecked increment and ++i:

```diff
- for (...; ...; i++) {
+ for (...; ...;) {
      ...
+     unchecked{ ++i; }
  }
```

Follow this code to save gas:

```diff
- for (uint256 i = 0; i < epochsLength(); i++) {
+ uint256 eLength = epochsLength();
+ for (uint256 i; i < eLength;) {
      ...
+     unchecked{ ++i; }
  }
```
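As an added example, not part of the original report or the audited repository, the same epochs loop written before and after the three optimizations above, with the condition that makes the unchecked increment and the cached length safe; the storage layout and function names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration, not the audited code: the same loop over an epochs
// array written both ways. Storage layout and names are assumed.
contract EpochLoopDemo {
    uint256[] public epochs;

    function addEpoch(uint256 epoch) external {
        epochs.push(epoch);
    }

    function epochsLength() public view returns (uint256) {
        return epochs.length;
    }

    // Before: explicit zero init, length re-read from storage on every
    // iteration, checked post-increment.
    function sumEpochsBefore() external view returns (uint256 total) {
        for (uint256 i = 0; i < epochsLength(); i++) {
            total += epochs[i];
        }
    }

    // After: no explicit zero init, length cached once, unchecked ++i.
    // unchecked is safe because i < eLength keeps i far below
    // type(uint256).max. The loop body must not push to or pop from
    // epochs, otherwise the cached length goes stale.
    function sumEpochsAfter() external view returns (uint256 total) {
        uint256 eLength = epochsLength();
        for (uint256 i; i < eLength;) {
            total += epochs[i];
            unchecked {
                ++i;
            }
        }
    }
}
```

Both functions return the same sum for the same array contents; only the gas used per iteration differs.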
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/rewards/StakingRewards.sol#L36
Declaring default values for variables costs more gas.
Follow this code snippet:

```diff
- uint256 i = 0;
- bool flag = false;
+ uint256 i;
+ bool flag;
```
#0 - HickupHH3
2022-11-08T14:41:54Z
Default values don't need to be declared
15k gas savings from this