Platform: Code4rena
Start Date: 04/11/2021
Pot Size: $50,000 USDC
Total HM: 20
Participants: 28
Period: 7 days
Judge: 0xean
Total Solo HM: 11
Id: 51
League: ETH
Rank: 19/28
Findings: 3
Award: $482.75
π Selected for report: 3
π Solo Findings: 0
mics
one-phase ownership transfer sometimes used wrong and the ownership is transferred to a not existing account. The safe way to use it is to suggest new owner and then the new owner should claim its ownership.
InvestorDistribution line 212
#0 - chickenpie347
2022-01-04T02:21:29Z
Duplicate of #90
π Selected for report: mics
290.7617 USDC - $290.76
mics
safeApprove is now deprecated, see the link below. https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38.
This appears for example in line 499 of AirdropDistribution.sol.
we recommend as in OpenZepplin documentation βwhenever possible, use safeIncreaseAllowance and safeDecreaseAllowance insteadβ.
8.1808 USDC - $8.18
mics
Use unchecked where overflow isn't an option to save GAS. For example PublicSale.sol line 34
you have a require b <= a before and therefore cannot be overflow in uint256 c = a - b;
#0 - 0xean
2022-01-08T23:10:45Z
duplicate of #261
π Selected for report: mics
44.8876 USDC - $44.89
mics
You could use the variable d instead of defining a new variable y at line 548 of SwapUtils.sol
π Selected for report: mics
44.8876 USDC - $44.89
mics
Use calldata instead of memory for function parameters In some cases, having function arguments in calldata instead of memory is more optimal.
Consider the following generic example:
contract C { function add(uint[] memory arr) external returns (uint sum) { uint length = arr.length; for (uint i = 0; i < arr.length; i++) { sum += arr[i]; } } } In the above example, the dynamic array arr has the storage location memory. When the function gets called externally, the array values are kept in calldata and copied to memory during ABI decoding (using the opcode calldataload and mstore). And during the for loop, arr[i] accesses the value in memory using a mload. However, for the above example this is inefficient. Consider the following snippet instead:
contract C { function add(uint[] calldata arr) external returns (uint sum) { uint length = arr.length; for (uint i = 0; i < arr.length; i++) { sum += arr[i]; } } } In the above snippet, instead of going via memory, the value is directly read from calldata using calldataload. That is, there are no intermediate memory operations that carries this value.
Gas savings: In the former example, the ABI decoding begins with copying value from calldata to memory in a for loop. Each iteration would cost at least 60 gas. In the latter example, this can be completely avoided. This will also reduce the number of instructions and therefore reduces the deploy time cost of the contract.
In short, use calldata instead of memory if the function argument is only read.
Note that in older Solidity versions, changing some function arguments from memory to calldata may cause "unimplemented feature error". This can be avoided by using a newer (0.8.*) Solidity compiler.
(non-exhaustive) List of Examples: SwapUtils line 639 USDPoolDelegator line 53 Swap.sol line 135
mics
At SwapUtils lines 537 , 538 xp[i] is read twice from memory instead of caching it as a local variable xpi and using it instead.
#0 - chickenpie347
2022-01-03T23:20:26Z
Duplicate of #13