Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $50,000 USDC
Total HM: 31
Participants: 99
Period: 5 days
Judges: moose-code, JasoonS, denhampreen
Total Solo HM: 17
Id: 139
League: ETH
Rank: 34/99
Findings: 3
Award: $199.10
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Migration.sol#L48 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L471
transfer and transferFrom in Yieldy.sol return a bool indicating whether the execution was successful. You can check these return values in the following lines.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Migration.sol#L48 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L471
code review
require( IYieldy(OLD_YIELDY_TOKEN).transferFrom(msg.sender, address(this), userWalletBalance), "transfer is not completed" );
require( IYieldy(YIELDY_TOKEN).transfer(_recipient, IYieldy(YIELDY_TOKEN).tokenBalanceForCredits(info.credits)), "transfer is not completed" );
#0 - toshiSat
2022-06-27T23:41:09Z
#206
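Why the return value matters, shown as an added example that is not part of the original submission or the Yieldy code base. FalseReturningToken and MigrationSketch are hypothetical contracts, and the token is constructed on the assumption that it returns false on failure instead of reverting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Hypothetical ERC-20-style interface; only the call used below.
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Constructed token that signals failure by returning false instead of reverting.
contract FalseReturningToken is IToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function approve(address spender, uint256 amount) external { allowance[msg.sender][spender] = amount; }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (allowance[from][msg.sender] < amount || balanceOf[from] < amount) return false;
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Sketch of a migration-style contract whose bookkeeping must match the tokens it received.
contract MigrationSketch {
    IToken public immutable oldToken;
    mapping(address => uint256) public credited;

    constructor(IToken _oldToken) { oldToken = _oldToken; }

    // Unchecked: a false return is dropped, yet the caller is still credited.
    function moveUnchecked(uint256 amount) external {
        oldToken.transferFrom(msg.sender, address(this), amount);
        credited[msg.sender] += amount;
    }

    // Checked: a false return reverts the whole call, so no credit is recorded.
    function moveChecked(uint256 amount) external {
        require(oldToken.transferFrom(msg.sender, address(this), amount), "transfer is not completed");
        credited[msg.sender] += amount;
    }
}
```

With no approval or balance in place, moveUnchecked leaves credited out of step with the contract's real token balance, while moveChecked reverts. The same reasoning applies to the transfer call referenced in Staking.sol.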
🌟 Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xmint, Bnke0x0, BowTiedWardens, Chom, ElKu, FudgyDRS, Funen, GalloDaSballo, GimelSec, JC, Kaiziron, Lambda, Limbooo, Metatron, MiloTruck, Noah3o6, Picodes, PumpkingWok, PwnedNoMore, Sm4rty, StErMi, TomJ, TrungOre, UnusualTurtle, Waze, _Adam, aga7hokakological, ak1, antonttc, berndartmueller, cccz, cryptphi, csanuragjain, defsec, delfin454000, dipp, elprofesor, exd0tpy, fatherOfBlocks, hake, hansfriese, hubble, joestakey, kenta, ladboy233, mics, oyc_109, pashov, pedr02b2, reassor, robee, samruna, scaraven, shung, sikorico, simon135, sseefried, tchkvsky, unforgiven, zzzitron
53.1414 USDC - $53.14
2022-06-yieldy
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/BatchRequests.sol#L86
@notice remove the address from contracts array
The parameter _address must be checked for whether it is empty or not.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/BatchRequests.sol#L81-L83
require(_address != address(0), "EMPTY ADDRESS");
According to the Solidity docs, constants should be named with all capital letters with underscores separating words. However, this does not apply to immutables.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Migration.sol#L14-L16
For example,
address public immutable oldContract;
🌟 Selected for report: BowTiedWardens
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 0xmint, 8olidity, ACai, Bnke0x0, Chom, ElKu, Fabble, Fitraldys, FudgyDRS, Funen, GalloDaSballo, GimelSec, IllIllI, JC, Kaiziron, Lambda, Limbooo, MiloTruck, Noah3o6, Nyamcil, Picodes, PwnedNoMore, Randyyy, RedOneN, Sm4rty, StErMi, TomJ, Tomio, TrungOre, UnusualTurtle, Waze, _Adam, aga7hokakological, ajtra, antonttc, asutorufos, bardamu, c3phas, defsec, delfin454000, exd0tpy, fatherOfBlocks, hansfriese, ignacio, joestakey, kenta, ladboy233, m_Rassska, mics, minhquanym, oyc_109, pashov, reassor, robee, s3cunda, sach1r0, saian, sashik_eth, scaraven, sikorico, simon135, slywaters
26.7051 USDC - $26.71
2022-06-yieldy gas optimization
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L43-L46
WAD = 10**_decimal; rebasingCreditsPerToken = 10**_decimal; _setIndex(10**_decimal);
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L83
require(currentTotalSupply > 0, "Can't rebase if not circulating");
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L122 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L129
uint256 totalSupply = _totalSupply; Use this cache for the above lines.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L124 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L130
uint256 index = getIndex(); Use this cache for the above lines.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L255 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L257
uint256 updatedTotalSupply = _totalSupply + _amount; Use this cache for the above lines.
creditBalances[_address] is already cached at line 285. Use that cache for the following line.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L288
Before the following line, the underflow is already checked at line 286. Use unchecked for the calculation.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L288
unchecked { creditBalances[_address] = creditBalances[_address] - creditAmount; }
_allowances[_from][msg.sender] is used twice in transferFrom. Use a cache for it.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L210 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L212
For example, uint256 allowance = _allowances[_from][msg.sender]; Use it for the above lines.
creditBalances[msg.sender] is used twice in transfer. Use a cache and use it for the following lines.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L190 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Yieldy.sol#L192
For example, uint256 currentCreditBalance = creditBalances[msg.sender];
tokeRewardContract is used only one time in claimFromTokemak. Do not use the cache for it.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L120
ITokeReward(TOKE_REWARD).claim(_recipient, _v, _r, _s);
IERC20Upgradeable(TOKE_TOKEN) is used twice in transferToke. Use a cache to save gas costs.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L144 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L147
IERC20Upgradeable tokeToken = IERC20Upgradeable(TOKE_TOKEN);
Use it for the above lines.
Both are used only one time each. Don't use these caches.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L279 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L280 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L299 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L334 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L343 https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L372
RequestedWithdrawalInfo memory requestedWithdrawals = ITokePool(TOKE_POOL).requestedWithdrawals(address(this)); uint256 currentCycleIndex = ITokeManager(TOKE_MANAGER).getCurrentCycleIndex();
You use this cache only two times in this function, so storage is cheaper than memory.
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L466
https://github.com/code-423n4/2022-06-yieldy/blob/main/src/contracts/Staking.sol#L716
unchecked {
epoch.distribute = balance - staked;
}