Basin - mahdirostami's results

A composable EVM-native decentralized exchange protocol.

General Information

Platform: Code4rena

Start Date: 03/07/2023

Pot Size: $40,000 USDC

Total HM: 14

Participants: 74

Period: 7 days

Judge: alcueca

Total Solo HM: 9

Id: 259

League: ETH

Basin

Findings Distribution

Researcher Performance

Rank: 35/74

Findings: 2

Award: $25.41

QA:
grade-a
Gas:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

1. Correct documentation in MultiFlowPump.sol

https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/pumps/MultiFlowPump.sol#L190-L196

- * `bytes16 blocksPassed` <- log2(blocks) + * `bytes16 blocksPassed` <- blocks
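
Review bot: On the added comment line, `<- blocks` fixes the scale but leaves the encoding of `blocksPassed` unstated. `_capReserve` multiplies this value by `LOG_MAX_DECREASE` and `LOG_MAX_INCREASE`, and `LOG_MAX_INCREASE` is built with `log_2()`, so the comment would be clearer if it said that `blocksPassed` is the plain block count held as an ABDKMathQuad `bytes16`, and that only the limits it scales are log2 values.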

2. Make the code similar and more understandable

In the _capReserve function in MultiFlowPump.sol there is an if statement; make both cases like each other: https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/pumps/MultiFlowPump.sol#L205-L216

        if (lastReserve.cmp(reserve) == 1) {
            bytes16 minReserve = lastReserve.add(blocksPassed.mul(LOG_MAX_DECREASE));
            // if reserve < minimum reserve, set reserve to minimum reserve
            if (minReserve.cmp(reserve) == 1) reserve = minReserve;
        }
        // Rerserve Increasing or staying the same.
        else {
            bytes16 maxReserve = blocksPassed.mul(LOG_MAX_INCREASE);
            maxReserve = lastReserve.add(maxReserve);
            // If reserve > maximum reserve, set reserve to maximum reserve
            if (reserve.cmp(maxReserve) == 1) reserve = maxReserve;
        }

if (lastReserve.cmp(reserve) == 1) { - bytes16 minReserve = lastReserve.add(blocksPassed.mul(LOG_MAX_DECREASE)); + bytes16 minReserve = blocksPassed.mul(LOG_MAX_DECREASE); //@audit qa better coding + minReserve = lastReserve.add(minReserve); // if reserve < minimum reserve, set reserve to minimum reserve if (minReserve.cmp(reserve) == 1) reserve = minReserve; }
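
Review bot: The `//@audit qa better coding` tag on the added `bytes16 minReserve = blocksPassed.mul(LOG_MAX_DECREASE);` line is an audit annotation and should be dropped before this lands in the source. The two-step form uses the same operands as the removed one-liner, so the result is unchanged and the edit is purely stylistic; if symmetry with the `maxReserve` branch is the goal, also align the comment casing (`// if reserve <` here against `// If reserve >` in the other branch).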

#0 - c4-pre-sort

2023-07-13T14:56:14Z

141345 marked the issue as high quality report

#1 - c4-pre-sort

2023-07-14T05:52:04Z

141345 marked the issue as low quality report

#2 - c4-judge

2023-08-04T21:15:38Z

alcueca marked the issue as grade-a

Awards

7.8853 USDC - $7.89

Labels

bug
G (Gas Optimization)
grade-b
high quality report
sponsor confirmed
edited-by-warden
G-20

External Links

1. Avoid extra computation by first checking if.

By first checking input values, avoid extra computation.

Instances 10:

     constructor(bytes16 _maxPercentIncrease, bytes16 _maxPercentDecrease, uint256 _blockTime, bytes16 _alpha) {
-        LOG_MAX_INCREASE = ABDKMathQuad.ONE.add(_maxPercentIncrease).log_2();
         // _maxPercentDecrease <= 100%
         if (_maxPercentDecrease > ABDKMathQuad.ONE) {
            revert InvalidMaxPercentDecreaseArgument(_maxPercentDecrease);
        }          
+        // ALPHA <= 1
+        if (_alpha > ABDKMathQuad.ONE) { 
+            revert InvalidAArgument(_alpha);}
+
+        LOG_MAX_INCREASE = ABDKMathQuad.ONE.add(_maxPercentIncrease).log_2();
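
Review bot: The `_alpha` check appears only as `+` lines, with no matching `-` lines for the check it is presumably moved from. If an `_alpha > ABDKMathQuad.ONE` check already exists lower in the constructor, delete it in the same patch, otherwise the condition is evaluated twice and the change adds cost instead of removing it. The closing brace in `revert InvalidAArgument(_alpha);}` should also go on its own line to match the `_maxPercentDecrease` block above, and since this is constructor code the saving only applies to a deployment that reverts.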

https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/pumps/MultiFlowPump.sol#L57C3-L57C3
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/pumps/MultiFlowPump.sol#L64

     ) internal returns (uint256 amountOut) {
+        (uint256 i, uint256 j) = _getIJ(_tokens, fromToken, toToken); 
         IERC20[] memory _tokens = tokens();
         uint256[] memory reserves = _updatePumps(_tokens.length);
-        (uint256 i, uint256 j) = _getIJ(_tokens, fromToken, toToken);
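
Review bot: The added `(uint256 i, uint256 j) = _getIJ(_tokens, fromToken, toToken);` line sits above `IERC20[] memory _tokens = tokens();`, so it reads `_tokens` before that variable is declared and will not compile as written. Place the `_getIJ` call after the `tokens()` line and before `_updatePumps(_tokens.length)`; that still lets an invalid token pair revert before the pumps are updated.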

https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L224
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L248
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L274
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L314
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L366
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L386
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L504
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L525

2. Avoid extra computation with better implementation

1. Don't wait until the for loop finishes

https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L738-L749

+        //@audit gas avoid extra
         for (uint256 k; k < _tokens.length; ++k) {
             if (iToken == _tokens[k]) {
                 i = k;
@@ -743,6 +750,9 @@ contract Well is ERC20PermitUpgradeable, IWell, IWellErrors, ReentrancyGuardUpgr
                 j = k;
                 foundJ = true;
             }
+            else if(foundI && foundJ){
+                return (i, j);
+            }
         }
         if (!foundI) revert InvalidTokens();
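
Review bot: The added `else if(foundI && foundJ)` branch hangs off the `j = k; foundJ = true;` block, so it can only run on an iteration where that preceding condition is false, which means the early return fires one iteration after the second match at the earliest and never when the second match is the last element of `_tokens`. It also adds a comparison to every non-matching iteration. Checking `foundI && foundJ` directly after a flag is set would exit on the matching iteration itself; either way, add a gas measurement to show the extra branch pays for itself on short token arrays.
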
2. Duplicate check

In MultiFlowPump.sol we check "// If a reserve is 0, then the pump cannot be initialized." and we recheck in the init function.

                // If a reserve is 0, then the pump cannot be initialized.
                if (reserves[i] == 0) return;

https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/pumps/MultiFlowPump.sol#L85C1-L86

if (reserves[i] == 0) return;

https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/pumps/MultiFlowPump.sol#L153

3. Cache the array length if it is used multiple times.

IERC20[] memory _tokens = tokens(); - uint256[] memory reserves = new uint256[](_tokens.length); + uint256 _tokenslength = _tokens.length; + uint256[] memory reserves = new uint256[](_tokenslength); // Use the balances of the pool instead of the stored reserves. // If there is a change in token balances relative to the currently // stored reserves, the extra tokens can be shifted into `tokenOut`. - for (uint256 i; i < _tokens.length; ++i) { + for (uint256 i; i < _tokenslength; ++i) { reserves[i] = _tokens[i].balanceOf(address(this)); }
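
Review bot: The new local `_tokenslength` should be spelled `_tokensLength` to match the camelCase used by the surrounding identifiers. Because `_tokens` is declared `memory`, the cached value replaces a memory read of the length on each loop condition rather than a storage read, so the saving per iteration is small; a before/after gas snapshot for the eight listed instances would make the case for the extra local.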

Instances 8:

https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L358
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L381
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L420
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L451
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L467
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L578
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L592
https://github.com/code-423n4/2023-07-basin/blob/9403cf973e95ef7219622dbbe2a08396af90b64c/src/Well.sol#L605

#0 - c4-pre-sort

2023-07-13T13:03:46Z

141345 marked the issue as high quality report

#1 - c4-sponsor

2023-07-24T14:12:41Z

publiuss marked the issue as sponsor confirmed

#2 - c4-judge

2023-08-05T11:08:36Z

alcueca marked the issue as grade-b
