Platform: Code4rena
Start Date: 17/02/2022
Pot Size: $75,000 USDC
Total HM: 7
Participants: 23
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 2
Id: 92
League: ETH
Rank: 18/23
Findings: 2
Award: $329.60
🌟 Selected for report: 0
🚀 Solo Findings: 0
198.7502 USDC - $198.75
2022-02-tribe-turbo
1 Delete unused variable.
It seems that pool is used only in constructor and this variable will not be called from other contracts.
Delete the following line if it is really used only in constructor
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L35
add
Comptroller pool = master.pool(); into constructor.
2 Delete unused param in function.
The second uint256 is defined, but not used.
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L138
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L146
3 Delete unused variable.
It seems that fei is used only in constructor.
If so, you can delete the following line
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboSavior.sol#L31
and change next line
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboSavior.sol#L54
to Fei fei = Fei(address(master.fei()));
4 Use safeIncreaseAllowance instead of safeApprove.
OpenZeppelin recommends that
I think you can use in this case safeIncreaseAllowance.
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L194
5 No description about the cause of revert.
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboSavior.sol#L106
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboGibber.sol#L81
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboGibber.sol#L100
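The allowance pattern behind item 4, as an added example that is not part of the warden's submission or the project's code. It assumes OpenZeppelin's SafeERC20 from the 4.x releases, where safeApprove reverts on a non-zero to non-zero change and is marked deprecated in favour of safeIncreaseAllowance and safeDecreaseAllowance; the IVault interface and all contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical vault that may pull less than the amount it was approved for.
interface IVault {
    function depositUpTo(uint256 maxAmount) external returns (uint256 pulled);
}

contract AllowanceExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    IVault public immutable vault;

    constructor(IERC20 _token, IVault _vault) {
        token = _token;
        vault = _vault;
    }

    // Fragile: if the vault pulled less than `amount` on an earlier call, the
    // leftover allowance is non-zero and OpenZeppelin 4.x safeApprove reverts
    // here with "SafeERC20: approve from non-zero to non-zero allowance".
    function depositWithApprove(uint256 amount) external returns (uint256) {
        token.safeApprove(address(vault), amount);
        return vault.depositUpTo(amount);
    }

    // Robust: raise the allowance relative to its current value, then remove
    // whatever the vault did not consume so no residual approval stays
    // spendable by the vault after the call.
    function depositWithIncrease(uint256 amount) external returns (uint256 pulled) {
        token.safeIncreaseAllowance(address(vault), amount);
        pulled = vault.depositUpTo(amount);

        uint256 leftover = token.allowance(address(this), address(vault));
        if (leftover != 0) {
            token.safeDecreaseAllowance(address(vault), leftover);
        }
    }
}
```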
#0 - GalloDaSballo
2022-03-20T15:01:38Z
Formatting is nonexistent, however links were provided making the report actionable.
1) Disagree as it's part of interface
2) Same
3) Same
4) Arguable, dependent on sponsor reply, in this case they acknowledge so let's make this one valid
5) Informational level finding
2/10
2022-02-tribe-turbo Gas Optimization
1 Emit event at the end of the function to save gas.
There are so many places in which events will be emitted in the middle of a function. I know that the position of events does not matter. But I checked and confirmed that gas will be saved with the position of the event. You can save gas if you emit your events at the end of functions.
2 Delete unused import statement.
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L13
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboGibber.sol#L4
3 Delete unused params in canSafeBoostVault.
safe and feiAmount are not used in canSafeBoostVault, so you can delete these params.
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboBooster.sol#L100-L113
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L232-L242
And following import statement will be deleted too.
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboBooster.sol#L8
4 Input validation can save gas in case the auth will try to update with the present frozen state.
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboBooster.sol#L37-L42
Add require(freeze != frozen, "frozen will be not updated");
5 code duplication
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboGibber.sol#L83-L92
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboGibber.sol#L111-L120
Create an internal function to save gas. For example:
    // Shared body for impound and impoundAll.
    function _impound(
        TurboSafe safe,
        uint256 feiAmount,
        uint256 assetAmount,
        address to
    ) internal {
        emit ImpoundExecuted(msg.sender, safe, feiAmount, assetAmount);
        // Mint the Fei used to repay the safe's debt.
        fei.mint(address(this), feiAmount);
        // A non-zero return code from the cToken means the repayment failed.
        require(feiTurboCToken.repayBorrowBehalf(address(safe), feiAmount) == 0, "REPAY_FAILED");
        // Send the impounded collateral to the recipient.
        safe.gib(to, assetAmount);
    }
and use it in impound and impoundAll.
6 input validation for amount or shares can save gas if they are zero.
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L49
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L57-L64
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L74
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L84
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L94
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L104
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L118
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L122
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L126
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L130
7 Delete unused import statement.
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboGibber.sol#L4
#0 - GalloDaSballo
2022-03-07T01:37:59Z
I think removing parameters would cause breaking changes to the interfaces.
Unused imports save no gas.
Order of events may just be a change in the compiler, probably not worth pursuing / random noise result.
Adding an extra check for the require makes the call cost more when done normally.
Lastly, inlining is cheaper (in gas cost when using the function) than adding a function as you are not jumping to the code.
I'll rate this 2/10