Tribe Turbo contest - nascent's results

A new DeFi primitive that allows any token to become productive and provide FEI liquidity at no cost to the markets that need it most.

General Information

Platform: Code4rena

Start Date: 17/02/2022

Pot Size: $75,000 USDC

Total HM: 7

Participants: 23

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 2

Id: 92

League: ETH

Tribe

Findings Distribution

Researcher Performance

Rank: 10/23

Findings: 2

Award: $2,053.28

🌟 Selected for report: 1

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: csanuragjain

Also found by: 0x1f8b, Dravee, IllIllI, Picodes, Ruhum, WatchPug, asgeir, catchup, cmichel, defsec, hyh, kenta, nascent, pauliax, robee, samruna

Awards

1077.9969 USDC - $1,078.00

Labels

bug
QA (Quality Assurance)
resolved

External Links

[L-01] Remove Optimized Unchecked Operations

Severity: Medium Likelihood: Low Status: {Not Submitted} Scopes

Unchecked operations on balance state variables expose an attack surface for creating inconsistent state. Consider enforcing safe (checked) arithmetic by removing the unchecked gas optimizations.

[L-02] Inconsistent Fee Percent Denomination

Severity: Medium Likelihood: Low Status: {Not Submitted} Scope: TurboClerk

The fee percent managed by the clerk is denominated with 1e18 decimals. But when the fee is used by composed modules, it expects the vault's asset to use a WAD denomination as well (as used in FixedPointMathLib).

This works for FEI calculations, but TurboSafe accepts any ERC20-compliant asset. Thus, ERC20s can effectively avoid Turbo fees by specifying a large decimal count.

Recommendation: TurboClerk should denominate safe and collateral fee percents in the ERC20's decimal count instead of using an upper bound of 1e18.

[L-04] Extend TurboRouter Authentication

Severity: Low Likelihood: Low Status: {Not Submitted} Scope: TurboRouter:authenticate

TurboRouter authenticates TurboSafe interactions solely by the safe's authority owner rather than permissioning on the canonical canCall Authority pattern defined in solmate. The authenticate modifier could accept a function signature to validate if the sender can call the function (signature) on the given target.

TurboRouter Authenticate Modifier

Recommendation: Authenticate on owner or if the msg.sender can call the given function (signature).

#0 - Joeysantoro

2022-02-26T20:45:06Z

#1 - Joeysantoro

2022-02-26T20:52:41Z

For L-01 https://github.com/fei-protocol/tribe-turbo/pull/64

L-02 is not an issue, the quantities are distinct

#2 - GalloDaSballo

2022-03-20T14:46:13Z

Agree with points 1 and 4. I have to comment on the formatting and presentation of the report, which are stellar.

Findings are interesting and more unique than the usual "no check for address(0) XD" reports

#3 - GalloDaSballo

2022-03-20T15:02:08Z

5/10, extra point for presentation

#4 - GalloDaSballo

2022-03-20T15:38:19Z

After adding #42, because of the exceptional detail and presentation, I believe 6/10 to be the proper score.

Ultimately, had the Warden added a few of the lower importance findings, I believe this would have easily been the best report from the contest

Findings Information

🌟 Selected for report: nascent

Also found by: 0v3rf10w, CertoraInc, Dravee, IllIllI, Picodes, Tomio, WatchPug, catchup, csanuragjain, gzeon, kenta, robee, samruna

Labels

bug
G (Gas Optimization)

Awards

975.2753 USDC - $975.28

External Links

[L-00] slurp SLOAD Gas Optimization

Severity: Gas Optimization Likelihood: High Status: {Not Submitted} Scope: slurp()

There are two SLOADs of getTotalFeiBoostedForVault[vault]; caching the value in a local so that the second read is an MLOAD instead reduces gas by 100 - 3.

slurp Gas Golf

[L-03] save SLOAD Gas Optimization

Severity: Gas Optimization Likelihood: Medium Status: {Not Submitted} Scope: save()

There are two calls of pool.oracle(); caching the returned oracle in a local so that the second use is an MLOAD instead reduces gas by 100 - 3.

TurboSavior save function
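The same caching pattern underlies both L-00 (a repeated storage read) and L-03 (a repeated external call). The following is an added illustration, not Tribe Turbo's code; the contract, function and interface names (CachingExample, slurpUncached, IPool, IPriceOracle, and so on) are hypothetical stand-ins for the slurp() and save() shapes described above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Hypothetical interfaces standing in for the pool and oracle touched by save().
interface IPriceOracle {
    function getUnderlyingPrice(address cToken) external view returns (uint256);
}

interface IPool {
    function oracle() external view returns (IPriceOracle);
}

/// Illustrative contract (not Tribe Turbo's code) showing the caching pattern
/// behind L-00 (repeated SLOAD) and L-03 (repeated external call).
contract CachingExample {
    mapping(address => uint256) public totalBoostedForVault;
    IPool public immutable pool;

    constructor(IPool _pool) { pool = _pool; }

    // ---- L-00 pattern: repeated storage read ----
    /// Before: the mapping slot is read twice, costing two SLOADs.
    function slurpUncached(address vault, uint256 amount) external {
        require(totalBoostedForVault[vault] >= amount, "insufficient");      // SLOAD #1
        totalBoostedForVault[vault] = totalBoostedForVault[vault] - amount; // SLOAD #2 + SSTORE
    }

    /// After: one SLOAD into a local; re-reading the local costs 3 gas
    /// instead of 100 for a warm SLOAD, i.e. the 100 - 3 saving in the finding.
    function slurpCached(address vault, uint256 amount) external {
        uint256 boosted = totalBoostedForVault[vault]; // single SLOAD
        require(boosted >= amount, "insufficient");
        totalBoostedForVault[vault] = boosted - amount; // SSTORE only
    }

    // ---- L-03 pattern: repeated external call ----
    /// Before: pool.oracle() is resolved twice (two STATICCALLs into the pool).
    function valueUncached(address cTokenA, address cTokenB) external view returns (uint256) {
        return pool.oracle().getUnderlyingPrice(cTokenA)
             + pool.oracle().getUnderlyingPrice(cTokenB);
    }

    /// After: resolve the oracle once and reuse the local reference.
    function valueCached(address cTokenA, address cTokenB) external view returns (uint256) {
        IPriceOracle oracle = pool.oracle(); // single call to the pool
        return oracle.getUnderlyingPrice(cTokenA) + oracle.getUnderlyingPrice(cTokenB);
    }
}
```

Comparing the two forms under `forge test --gas-report` or a similar tool shows the per-read difference the judge tallied (97 gas saved per avoided SLOAD after the 3-gas cost of the initial cache).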

#0 - transmissions11

2022-02-24T19:41:14Z

good finds, ty

#1 - GalloDaSballo

2022-03-07T01:35:17Z

L-00 Agree with finding, each time we're reading from memory we're saving 97 gas at the cost of 3 for the initial cache. - 191

L-03 Same idea - 94

285 gas saved

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
