Frax Ether Liquid Staking contest - leosathya's results

A liquid ETH staking derivative designed to uniquely leverage the Frax Finance ecosystem.

General Information

Platform: Code4rena

Start Date: 22/09/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 133

Period: 3 days

Judge: 0xean

Total Solo HM: 2

Id: 165

League: ETH

Frax Finance

Researcher Performance

Rank: 37/133

Findings: 2

Award: $69.35

🌟 Selected for report: 0

🚀 Solo Findings: 0

[L-01] Use Of Deprecated Solidity Functions

Several functions and operators in Solidity are deprecated. Using them leads to reduced code quality. With new major versions of the Solidity compiler, deprecated functions and operators may result in side effects and compile errors.

There are 5 instances of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L77

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L85

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L87

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L90-L95

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L129-L137

Solidity provides alternatives to the deprecated constructions. Most of them are aliases, so replacing the old constructions will not break current behavior. For example, sha3 can be replaced with keccak256.

[L-02] Use Require Instead of Assert

assert() consumes all gas when a function call fails, whereas require() returns all remaining gas to the caller in the same situation. From a gas-saving point of view, it is therefore recommended to use require() instead of assert().

There is 1 instance of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L158

[L-03] Floating Pragma

Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.

There are 7 instances of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L02

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/ERC20/ERC20PermitPermissionedMint.sol#L02

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETH.sol#L02

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/sfrxETH.sol#L02

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/IsfrxETH.sol#L2

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L02

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L02

[L-04] Absence of Zero Address Check

Add a zero-address check before assigning addresses to state variables.

There is 1 instance of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/ERC20/ERC20PermitPermissionedMint.sol#L34

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L61-L62

[L-05] _to address not checked before making a low-level call

There is 1 instance of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L170

The _to address should be checked to confirm it is not the zero address.

[L-06] Instead of using transfer/transferFrom use SafeTransfer/SafeTransferFrom

There is 1 instance of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L200

[N-01] Visibility for Variables and Array not present

There is 1 instance of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L36

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L37

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L69-L72

Explicit visibility should be added to them.

[N-02] removeValidator() Function logic can be Improved

There is 1 instance of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L106-L119

Instead of deleting the whole array and then pushing every element except the one to be removed into a new array, a more gas-efficient approach is possible:

. Step-1 : Find the index that needs to be removed

. Step-2 : From that index, iterate to the last index of the array; in each iteration, swap the current element with the next one, i.e. swap i with i+1

. Step-3 : When the loop ends, the validator to be removed will be in the array's last position, so simply pop it

[N-03] Contract does not follow proper Solidity Code Structure

There is 1 instance of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L208-L216

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/ERC20/ERC20PermitPermissionedMint.sol#L102-L107

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L205-L213

Events should be declared at the top of the contract.

[G-01] For loops can be optimized

There are 8 instances of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L63

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L84

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L114

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/ERC20/ERC20PermitPermissionedMint.sol#L84

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L129

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L76

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L83

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L148

. Do not initialize a uint with its default value, i.e. change uint i=0 to uint i;

. Use an unchecked block for i++

[G-02] removeValidator() Function logic can be Improved

Instead of deleting the whole array and then pushing every element except the one to be removed into a new array, a more gas-efficient approach is possible:

. Step-1 : Find the index that needs to be removed

. Step-2 : From that index, iterate to the last index of the array; in each iteration, swap the current element with the next one, i.e. swap i with i+1

. Step-3 : When the loop ends, the validator to be removed will be in the array's last position, so simply pop it

There is 1 instance of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/OperatorRegistry.sol#L106-L119
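
The three steps described under N-02 and G-02, as an added Solidity example that is not the contest's OperatorRegistry code. The contract, struct, field, event and function names are hypothetical, and each later element is copied one slot forward rather than fully swapped, which leaves the same final array:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

/// Added illustration only; all names here are hypothetical.
contract OrderedRegistryExample {
    struct Entry {
        bytes pubKey; // hypothetical field standing in for a validator record
    }

    Entry[] private entries;

    event EntryRemoved(bytes pubKey, uint256 index);

    // Access control is omitted to keep the example short; a production
    // registry would restrict both add() and removeOrdered().
    function add(bytes calldata pubKey) external {
        entries.push(Entry({pubKey: pubKey}));
    }

    function length() external view returns (uint256) {
        return entries.length;
    }

    function pubKeyAt(uint256 i) external view returns (bytes memory) {
        return entries[i].pubKey;
    }

    /// Order-preserving removal without deleting and rebuilding the array.
    function removeOrdered(uint256 removeIdx) external {
        // Step 1: validate the index to remove. The subtraction reverts on
        // an empty array because 0.8.x arithmetic is checked.
        uint256 last = entries.length - 1;
        require(removeIdx <= last, "index out of bounds");
        bytes memory removed = entries[removeIdx].pubKey;

        // Step 2: walk from removeIdx to the end, moving each later element
        // one slot toward the front so the relative order is preserved.
        for (uint256 i = removeIdx; i < last; ) {
            entries[i] = entries[i + 1];
            unchecked { ++i; } // cannot overflow: i < last
        }

        // Step 3: the final slot now holds a duplicate; drop it.
        entries.pop();
        emit EntryRemoved(removed, removeIdx);
    }
}
```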

[G-03] Function that could be External

Functions that are not called inside the contract can be made external, which saves some gas during deployment.

There is 1 instance of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/sfrxETH.sol#L54

Make those functions external.

[G-04] Assigning default value to uints

There is 1 instance of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L63-L64

A uint's default value is 0, so explicitly assigning 0 to it makes the contract consume extra gas.

[G-05] >= Costs less gas than >

There is 1 instance of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L143

Try to use >= whenever possible instead of >

[G-06] <x> = <x> + <y> is more gas efficient than use of <x> += <y>

In many instances the <x> += <y> syntax is used. These can be optimized to the former, i.e. <x> = <x> + <y>.

There are 6 instances of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L97

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L168

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L146

[G-07] Constant variables should be fixed values instead of formulas

A constant variable should be assigned a value of its type. Avoid assigning a formula, which costs more gas because some computation takes place. Do the computation yourself and assign only the resulting value.

There is 1 instance of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L67

[G-08] Division and multiplication can be replaced by bit shifts, which reduces gas

Bit shifts cost less gas than the equivalent arithmetic, so it is recommended to use a left or right shift instead of multiplication and division whenever possible.

There are 3 instances of this issue:

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L88

** File : ** => https://github.com/code-423n4/2022-09-frax/blob/main/src/DepositContract.sol#L154
