Platform: Code4rena
Start Date: 24/03/2023
Pot Size: $49,200 USDC
Total HM: 20
Participants: 246
Period: 6 days
Judge: Picodes
Total Solo HM: 1
Id: 226
League: ETH
Rank: 136/246
Findings: 2
Award: $23.92
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: brgltd
Also found by: 0x3b, 0xAgro, 0xGusMcCrae, 0xNorman, 0xRajkumar, 0xSmartContract, 0xTraub, 0xWagmi, 0xWaitress, 0xffchain, 0xhacksmithh, 0xkazim, 0xnev, 3dgeville, ArbitraryExecution, Aymen0909, BRONZEDISC, Bason, Bloqarl, BlueAlder, Brenzee, CodeFoxInc, CodingNameKiki, Cryptor, DadeKuma, DevABDee, Diana, Dug, Englave, Gde, Haipls, HollaDieWaldfee, Ignite, Infect3d, Jerry0x, Josiah, Kaysoft, Koko1912, KrisApostolov, Lavishq, LeoGold, Madalad, PNS, Rappie, RaymondFam, RedTiger, Rickard, Rolezn, Sathish9098, SunSec, T1MOH, UdarTeam, Udsen, Viktor_Cortess, Wander, adriro, ak1, alejandrocovrr, alexzoid, arialblack14, ayden, bin2chen, brevis, btk, c3phas, carlitox477, catellatech, ch0bu, chaduke, ck, climber2002, codeslide, descharre, dingo2077, ernestognw, fatherOfBlocks, favelanky, georgits, helios, hl_, inmarelibero, juancito, ks__xxxxx, lopotras, lukris02, m_Rassska, mahdirostami, maxper, nadin, navinavu, nemveer, p_crypt0, peanuts, pipoca, pixpi, qpzm, rbserver, reassor, roelio, rotcivegaf, scokaf, siddhpurakaran, slvDev, smaul, tnevler, tsvetanovv, turvy_fuzz, vagrant, wen, yac, zzzitron
13.1298 USDC - $13.13
SafEth.sol L214 (function setMinAmount) and L223 (function setMaxAmount): there should be a test that min amount < max amount in order not to prevent users from using the contract (temporarily).
Reth.sol L121 (function poolCanDeposit) and L158 (function deposit): the snippet to get rocketDepositPoolAddress should be factored into a private function to avoid code duplication.
Reth.sol L187 (function deposit) and L229 (function poolPrice): the snippet to get rocketTokenRETHAddress is exactly the same as the function rethAddress, which should just be called to avoid code duplication.
#0 - c4-sponsor
2023-04-07T21:51:11Z
toshiSat marked the issue as sponsor acknowledged
#1 - c4-judge
2023-04-24T17:16:30Z
Picodes marked the issue as grade-b
🌟 Selected for report: Rolezn
Also found by: 0x3b, 0xGordita, 0xSmartContract, 0xhacksmithh, 0xnev, 0xpanicError, 4lulz, Angry_Mustache_Man, ArbitraryExecution, Aymen0909, Bason, BlueAlder, EvanW, Franfran, HHK, Haipls, IgorZuk, JCN, KrisApostolov, Madalad, MiksuJak, MiniGlome, RaymondFam, ReyAdmirado, Rickard, Sathish9098, Udsen, adriro, alexzoid, anodaram, arialblack14, c3phas, carlitox477, ch0bu, chaduke, codeslide, d3e4, dicethedev, ernestognw, fatherOfBlocks, georgits, hunter_w3b, inmarelibero, lukris02, mahdirostami, maxper, pavankv, pixpi, rotcivegaf, smaul, tank, tnevler, wen, yac
10.7864 USDC - $10.79
SafEth.sol L75 and L81, L94 and L98 (function stake): don't divide by 10**18 to then multiply by 10**18 (a/10**18 + b/10**18 = (a+b)/10**18).
SafEth.sol L148 (function rebalanceToWeights): ethAmountToRebalance is not updated in the loop so the check can just be done before the loop to avoid checking the same thing at each iteration.
SafEth.sol L172 (function adjustWeight): the new total can be computed without looping over each derivative: new total = old total - old weight + new weight
SafEth.sol L192 (function addDerivative): the new total can be computed without looping over each derivative: new total = old total + new weight
SafEth.sol L165 (function adjustWeight) and L182 (function addDerivative): the new weight should be checked to not be 0. As it is the only place where it is modified, this would allow removing later checks that it is not 0 (L87 and L148), which should be called more frequently, thus saving gas for users. If needed, a function "removeDerivative" can be added and should be more efficient by not looping over derivatives which otherwise would have been deactivated by setting their weight to 0.
Reth.sol L70 (function rethAddress), L190 (function deposit) and L232 (function poolPrice): keccak256(abi.encodePacked("contract.address", "rocketTokenRETH")) can be computed offchain (it never changes).
Reth.sol L125 (function poolCanDeposit) and L161 (function deposit): keccak256(abi.encodePacked("contract.address", "rocketDepositPool")) can be computed offchain (it never changes).
Reth.sol L135 (function poolCanDeposit): keccak256(abi.encodePacked("contract.address","rocketDAOProtocolSettingsDeposit")) can be computed offchain (it never changes).
Reth.sol L215 (function ethPerDerivative): there is no need to divide by 10**18 and then multiply by 10**18 (a*b/b = a).
#0 - c4-sponsor
2023-04-07T21:46:36Z
toshiSat marked the issue as sponsor acknowledged
#1 - c4-judge
2023-04-23T14:55:41Z
Picodes marked the issue as grade-b
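The weight bookkeeping suggested in the gas findings above for adjustWeight and addDerivative, shown as an added Solidity example that is not code from SafEth.sol or from the report's author. The contract name, storage layout, custom errors and the looping variant kept for comparison are all assumptions made for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration. Names (weights, totalWeight, derivativeCount) are
// assumed here and are not copied from SafEth.sol.
contract WeightBookkeeping {
    mapping(uint256 => uint256) public weights;
    uint256 public totalWeight;
    uint256 public derivativeCount;
    address public immutable owner;

    error NotOwner();
    error UnknownDerivative();
    error ZeroWeight();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Looping form: re-sums every weight, one storage read per derivative.
    function adjustWeightLoop(uint256 index, uint256 weight) external onlyOwner {
        if (index >= derivativeCount) revert UnknownDerivative();
        weights[index] = weight;
        uint256 localTotal = 0;
        for (uint256 i = 0; i < derivativeCount; i++) localTotal += weights[i];
        totalWeight = localTotal;
    }

    // Incremental form: new total = old total - old weight + new weight.
    function adjustWeight(uint256 index, uint256 weight) external onlyOwner {
        if (index >= derivativeCount) revert UnknownDerivative();
        if (weight == 0) revert ZeroWeight(); // lets later code skip zero-weight checks
        // Subtract before adding: totalWeight >= weights[index], so no underflow.
        totalWeight = totalWeight - weights[index] + weight;
        weights[index] = weight;
    }

    // Incremental form: new total = old total + new weight.
    function addDerivative(uint256 weight) external onlyOwner {
        if (weight == 0) revert ZeroWeight();
        weights[derivativeCount] = weight;
        derivativeCount += 1;
        totalWeight += weight;
    }
}
```

The incremental form is only correct while totalWeight equals the sum of all stored weights, so every write to weights has to go through functions that maintain that invariant.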