Overlay Protocol contest - pants's results

A protocol for trading #DeFi data streams.

General Information

Platform: Code4rena

Start Date: 16/11/2021

Pot Size: $50,000 ETH

Total HM: 11

Participants: 17

Period: 7 days

Judge: LSDan

Total Solo HM: 8

Id: 49

League: ETH

Overlay Protocol

Findings Distribution

Researcher Performance

Rank: 14/17

Findings: 2

Award: $341.63

🌟 Selected for report: 3

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Overlay Protocol

Findings Information

🌟 Selected for report: pauliax

Also found by: Meta0xNull, pants, ye0lde

Labels

bug

duplicate

1 (Low Risk)

Awards

0.0302 ETH - $139.60

External Links

Link to GitHub issue

Handle

pants

Vulnerability details

These files has open TODOs:

OverlayV1OVLCollateral.sol
OverlayV1OI.sol

Impact

Open TODOs can hint at programming or architectural errors that still need to be fixed.

Tool Used

Manual code review.

Recommended Mitigation Steps

Resolve these TODOs and bubble up the errors.

#0 - mikeyrf
2021-12-07T00:07:53Z

duplicate #116

Findings Information

🌟 Selected for report: pants

Labels

bug

G (Gas Optimization)

sponsor acknowledged

Awards

0.0161 ETH - $74.28

External Links

Link to GitHub issue

Handle

pants

Vulnerability details

The function OverlayV1UniswapV3Market.fetchPricePoint() line 120/121 performs unnecessary castings from uint to uint256 whice are the same.

Impact

These castings increase gas costs.

Tool Used

Manual code review.

Recommended Mitigation Steps

Remove these unnecessary castings.

Findings Information

🌟 Selected for report: pants

Also found by: harleythedog

Labels

bug

G (Gas Optimization)

sponsor disputed

Awards

0.0072 ETH - $33.42

External Links

Link to GitHub issue

Handle

pants

Vulnerability details

These state variables can be immutables since they are only set once, at the constructor:

OverlayV1OI.compoundingPeriod
OverlayV1OI.compounded

Impact

Reading from immutable state variables is much cheaper than from regular state variables.

Proof of Concept

https://blog.soliditylang.org/2020/05/13/immutable-keyword/

Tool Used

Manual code review.

Recommended Mitigation Steps

Define these state variables as immutables.

#0 - mikeyrf
2021-12-08T21:28:32Z

sponsor disputed reason - compounded is used in L159 of OverlayV1Market.sol when funding is paid, so shouldn't be immutable.

#1 - dmvt
2021-12-20T20:46:56Z

This report is still valid for OverlayV1OI.compoundingPeriod

Findings Information

🌟 Selected for report: WatchPug

Also found by: pants, ye0lde

Labels

bug

duplicate

G (Gas Optimization)

Awards

0.0043 ETH - $20.05

External Links

Link to GitHub issue

Handle

pants

Vulnerability details

These functions contain require statement with messages longer than 32 bytes, meaning they cant get into bytes32 which will save gas:

OverlayTokenNew._approve() line 403, 404

Impact

When transactions revert, the require will be forced to use bytes instead of bytes32 and will waste more gas.

Tool Used

Manual code review.

Recommended Mitigation Steps

Reduce the message by a few letters to fit it into 32 chars.

#0 - mikeyrf
2021-12-07T15:28:58Z

duplicate #65

Findings Information

🌟 Selected for report: pants

Labels

bug

G (Gas Optimization)

sponsor acknowledged

Awards

0.0161 ETH - $74.28

External Links

Link to GitHub issue

Handle

pants

Vulnerability details

The function OverlayV1UniswapV3Market.fetchPricePoint() line 120/121 performs unnecessary castings from uint to uint256 whice are the same.

Impact

These castings increase gas costs.

Tool Used

Manual code review.

Recommended Mitigation Steps

Remove these unnecessary castings.

Findings Information

🌟 Selected for report: pants

Also found by: harleythedog

Labels

bug

G (Gas Optimization)

sponsor disputed

Awards

0.0072 ETH - $33.42

External Links

Link to GitHub issue

Handle

pants

Vulnerability details

These state variables can be immutables since they are only set once, at the constructor:

OverlayV1OI.compoundingPeriod
OverlayV1OI.compounded

Impact

Reading from immutable state variables is much cheaper than from regular state variables.

Proof of Concept

https://blog.soliditylang.org/2020/05/13/immutable-keyword/

Tool Used

Manual code review.

Recommended Mitigation Steps

Define these state variables as immutables.

#0 - mikeyrf
2021-12-08T21:28:32Z

sponsor disputed reason - compounded is used in L159 of OverlayV1Market.sol when funding is paid, so shouldn't be immutable.

#1 - dmvt
2021-12-20T20:46:56Z

This report is still valid for OverlayV1OI.compoundingPeriod

Findings Information

🌟 Selected for report: WatchPug

Also found by: pants, ye0lde

Labels

bug

duplicate

G (Gas Optimization)

Awards

0.0043 ETH - $20.05

External Links

Link to GitHub issue

Handle

pants

Vulnerability details

These functions contain require statement with messages longer than 32 bytes, meaning they cant get into bytes32 which will save gas:

OverlayTokenNew._approve() line 403, 404

Impact

When transactions revert, the require will be forced to use bytes instead of bytes32 and will waste more gas.

Tool Used

Manual code review.

Recommended Mitigation Steps

Reduce the message by a few letters to fit it into 32 chars.

#0 - mikeyrf
2021-12-07T15:28:58Z

duplicate #65

Overlay Protocol contest - pants's results

A protocol for trading #DeFi data streams.

General Information

Findings Distribution

Researcher Performance

External Links

QA Report - $139.60

[L-12] Open TODOs - $139.60

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Vulnerability details

Impact

Tool Used

Recommended Mitigation Steps

#0 - mikeyrf2021-12-07T00:07:53Z

Gas Report - $202.03

🚀 [G-02] Unnecessary castings in `OverlayV1UniswapV3Market.fetchPricePoint()` - $74.28

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Vulnerability details

Impact

Tool Used

Recommended Mitigation Steps

🌟 [G-04] State variables can be `immutable`s - $33.42

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Vulnerability details

Impact

Proof of Concept

Tool Used

Recommended Mitigation Steps

#0 - mikeyrf2021-12-08T21:28:32Z

#1 - dmvt2021-12-20T20:46:56Z

[G-19] Require statements messages too long - $20.05

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Vulnerability details

Impact

Tool Used

Recommended Mitigation Steps

#0 - mikeyrf2021-12-07T15:28:58Z

Gas Report - $202.03

🚀 [G-02] Unnecessary castings in `OverlayV1UniswapV3Market.fetchPricePoint()` - $74.28

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Vulnerability details

Impact

Tool Used

Recommended Mitigation Steps

🌟 [G-04] State variables can be `immutable`s - $33.42

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Vulnerability details

Impact

Proof of Concept

Tool Used

#0 - mikeyrf
2021-12-07T00:07:53Z

#0 - mikeyrf
2021-12-08T21:28:32Z

#1 - dmvt
2021-12-20T20:46:56Z

#0 - mikeyrf
2021-12-07T15:28:58Z

#0 - mikeyrf
2021-12-08T21:28:32Z

#1 - dmvt
2021-12-20T20:46:56Z

#0 - mikeyrf
2021-12-07T15:28:58Z