Platform: Code4rena
Start Date: 30/11/2021
Pot Size: $100,000 USDC
Total HM: 15
Participants: 36
Period: 7 days
Judge: 0xean
Total Solo HM: 4
Id: 62
League: ETH
Rank: 30/36
Findings: 2
Award: $425.20
🌟 Selected for report: 1
🚀 Solo Findings: 0
robee
The project is compiled with different versions of solidity, which is not recommended due to undefined behaviors as a result of it.
#0 - brockelmore
2021-11-30T17:50:31Z
Contracts that are different compiler versions are from unused library contracts. All used contracts and libraries are >8, specifically with .dapprc, 0.8.10.
#1 - brockelmore
2021-12-06T17:03:56Z
duplicate #19
robee
The following functions could be set external to save gas and improve code quality. External call cost is less expensive than that of public functions.
The function setUp in demo.sol could be set external
The function test_pass in demo.sol could be set external
The function setAuthority in Auth.sol could be set external
The function setOwner in Auth.sol could be set external
The function setUserRole in RolesAuthority.sol could be set external
The function doesRoleHaveCapability in RolesAuthority.sol could be set external
The function setPublicCapability in RolesAuthority.sol could be set external
The function setRootUser in RolesAuthority.sol could be set external
The function doesUserHaveRole in RolesAuthority.sol could be set external
The function setRoleCapability in RolesAuthority.sol could be set external
The function canCall in RolesAuthority.sol could be set external
The function canCall in TrustAuthority.sol could be set external
The function setIsTrusted in Trust.sol could be set external
The function testFailRejectingAuthority2 in Auth.t.sol could be set external
The function invariantOwner in Auth.t.sol could be set external
The function testAcceptingOwner in Auth.t.sol could be set external
The function invariantAuthority in Auth.t.sol could be set external
The function setUp in Auth.t.sol could be set external
The function testFailNonOwner1 in Auth.t.sol could be set external
The function testFailNonOwner2 in Auth.t.sol could be set external
The function testFailRejectingAuthority1 in Auth.t.sol could be set external
The function testFillLast12Bytes in Bytes32AddressLib.t.sol could be set external
The function testFromLast20Bytes in Bytes32AddressLib.t.sol could be set external
The function testFailDoubleDeployDifferentBytecode in CREATE3.t.sol could be set external
The function testDeployERC20 in CREATE3.t.sol could be set external
The function testFailDoubleDeploySameBytecode in CREATE3.t.sol could be set external
The function burn in ERC20.t.sol could be set external
The function transferFrom in ERC20.t.sol could be set external
The function transfer in ERC20.t.sol could be set external
The function mint in ERC20.t.sol could be set external
The function approve in ERC20.t.sol could be set external
The function testMin in FixedPointMathLib.t.sol could be set external
The function testFailFDivOverflow in FixedPointMathLib.t.sol could be set external
The function testFMulEdgeCases in FixedPointMathLib.t.sol could be set external
The function testFailFDivZeroXY in FixedPointMathLib.t.sol could be set external
The function testFailFDivXYB in FixedPointMathLib.t.sol could be set external
The function testFailFMulOverflow in FixedPointMathLib.t.sol could be set external
The function testFDiv in FixedPointMathLib.t.sol could be set external
The function testFMul in FixedPointMathLib.t.sol could be set external
The function testFPow in FixedPointMathLib.t.sol could be set external
The function testFDivEdgeCases in FixedPointMathLib.t.sol could be set external
The function testFailFDivYZero in FixedPointMathLib.t.sol could be set external
The function testFailFDivZeroY in FixedPointMathLib.t.sol could be set external
The function testMax in FixedPointMathLib.t.sol could be set external
The function testSqrt in FixedPointMathLib.t.sol could be set external
The function testFailUnprotectedCall in ReentrancyGuard.t.sol could be set external
The function testNoReentrancy in ReentrancyGuard.t.sol could be set external
The function setUp in ReentrancyGuard.t.sol could be set external
The function invariantReentrancyStatusAlways1 in ReentrancyGuard.t.sol could be set external
The function testProtectedCall in ReentrancyGuard.t.sol could be set external
The function invariantOwner in RolesAuthority.t.sol could be set external
The function testSanityChecks in RolesAuthority.t.sol could be set external
The function invariantAuthority in RolesAuthority.t.sol could be set external
The function testPublicCapabilities in RolesAuthority.t.sol could be set external
The function setUp in RolesAuthority.t.sol could be set external
The function testBasics in RolesAuthority.t.sol could be set external
The function testRoot in RolesAuthority.t.sol could be set external
The function testSafeCastTo64 in SafeCastLib.t.sol could be set external
The function testFailSafeCastTo64 in SafeCastLib.t.sol could be set external
The function testSafeCastTo224 in SafeCastLib.t.sol could be set external
The function testFailSafeCastTo128 in SafeCastLib.t.sol could be set external
The function testFailSafeCastTo224 in SafeCastLib.t.sol could be set external
The function testSafeCastTo128 in SafeCastLib.t.sol could be set external
The function testFailApproveWithPausable in SafeTransferLib.t.sol could be set external
The function testTransferWithNonContract in SafeTransferLib.t.sol could be set external
The function testFailApproveWithReturnsFalse in SafeTransferLib.t.sol could be set external
The function testFailTransferWithPausable in SafeTransferLib.t.sol could be set external
The function testFailTransferWithReturnsFalse in SafeTransferLib.t.sol could be set external
The function testTransferFromWithTransferFromSelf in SafeTransferLib.t.sol could be set external
The function testFailTransferFromWithReturnsFalse in SafeTransferLib.t.sol could be set external
The function testTransferWithTransferFromSelf in SafeTransferLib.t.sol could be set external
The function setUp in SafeTransferLib.t.sol could be set external
The function testTransferFromWithNonContract in SafeTransferLib.t.sol could be set external
The function testFailTransferETHToContractWithoutFallback in SafeTransferLib.t.sol could be set external
The function testTransferETH in SafeTransferLib.t.sol could be set external
The function testApproveWithNonContract in SafeTransferLib.t.sol could be set external
The function testFailTransferFromWithPausable in SafeTransferLib.t.sol could be set external
The function testApproveWithStandardERC20 in SafeTransferLib.t.sol could be set external
The function testTransferWithMissingReturn in SafeTransferLib.t.sol could be set external
The function testTransferFromWithStandardERC20 in SafeTransferLib.t.sol could be set external
The function testApproveWithTransferFromSelf in SafeTransferLib.t.sol could be set external
The function testTransferFromWithMissingReturn in SafeTransferLib.t.sol could be set external
The function testTransferWithStandardERC20 in SafeTransferLib.t.sol could be set external
The function testApproveWithMissingReturn in SafeTransferLib.t.sol could be set external
The function testDistrust in Trust.t.sol could be set external
The function testFailDistrustNotTrusted in Trust.t.sol could be set external
The function testTrust in Trust.t.sol could be set external
The function setUp in Trust.t.sol could be set external
The function testFailTrustNotTrusted in Trust.t.sol could be set external
The function invariantOwner in TrustAuthority.t.sol could be set external
The function testSanityChecks in TrustAuthority.t.sol could be set external
The function invariantAuthority in TrustAuthority.t.sol could be set external
The function setUp in TrustAuthority.t.sol could be set external
The function testUpdateTrust in TrustAuthority.t.sol could be set external
The function targetContracts in DSInvariantTest.sol could be set external
The function updateFlag in MockAuthChild.sol could be set external
The function mint in MockERC20.sol could be set external
The function burn in MockERC20.sol could be set external
The function updateFlag in MockTrustChild.sol could be set external
The function permit in ERC20User.sol could be set external
The function transferFrom in ERC20User.sol could be set external
The function approve in ERC20User.sol could be set external
The function transfer in ERC20User.sol could be set external
The function call in GenericUser.sol could be set external
The function tryCall in GenericUser.sol could be set external
The function permit in ERC20.sol could be set external
The function DOMAIN_SEPARATOR in ERC20.sol could be set external
The function transferFrom in ERC20.sol could be set external
The function transfer in ERC20.sol could be set external
The function approve in ERC20.sol could be set external
The function deposit in WETH.sol could be set external
The function permit in LockeERC20.sol could be set external
The function DOMAIN_SEPARATOR in LockeERC20.sol could be set external
The function transferFrom in LockeERC20.sol could be set external
The function transfer in LockeERC20.sol could be set external
The function approve in LockeERC20.sol could be set external
The function test_createStream in Locke.t.sol could be set external
The function test_updateFeeParams in Locke.t.sol could be set external
The function test_updateStreamParams in Locke.t.sol could be set external
The function write_flat in HEVMHelpers.sol could be set external
The function addKnownHEVM in HEVMHelpers.sol could be set external
The function write_map in HEVMHelpers.sol could be set external
The function sigs in HEVMHelpers.sol could be set external
The function write_deep_map_struct in HEVMHelpers.sol could be set external
The function find in HEVMHelpers.sol could be set external
The function write_deep_map in HEVMHelpers.sol could be set external
The function writ in HEVMHelpers.sol could be set external
The function flatten in HEVMHelpers.sol could be set external
The function write_balanceOf_ts in HEVMTokenExtension.sol could be set external
The function write_balanceOfUnderlying in HEVMTokenExtension.sol could be set external
The function write_balanceOf in HEVMTokenExtension.sol could be set external
The function write_last_checkpoint in HEVMTokenExtension.sol could be set external
The function write_checkpoint in HEVMTokenExtension.sol could be set external
The function createDefaultStream in LockeTest.sol could be set external
The function setUp in LockeTest.sol could be set external
The function constructor in TestToken.sol could be set external
THIS WILL SAVE YOU TONS OF GAS!!!!! :)
#0 - 0xean
2022-01-16T14:26:53Z
dupe of #260
18.2633 USDC - $18.26
robee
In the following files there are state variables that could be set immutable to save gas. The list of format <solidity file>, <state variable name that could be immutable>: There are some variables that I was not sure if are assigned actually twice in real use. I added them anyway.
test.sol, IS_TEST
test.sol, failed
RolesAuthority.sol, isUserRoot
RolesAuthority.sol, getUserRoles
RolesAuthority.sol, getRoleCapabilities
RolesAuthority.sol, isCapabilityPublic
Trust.sol, isTrusted
Auth.t.sol, mockAuthChild
ReentrancyGuard.t.sol, riskyContract
RolesAuthority.t.sol, roles
RolesAuthority.t.sol, mockAuthChild
SafeTransferLib.t.sol, returnsFalse
SafeTransferLib.t.sol, missingReturn
SafeTransferLib.t.sol, transferFromSelf
SafeTransferLib.t.sol, pausable
SafeTransferLib.t.sol, erc20
Trust.t.sol, mockTrustChild
TrustAuthority.t.sol, trust
TrustAuthority.t.sol, mockAuthChild
DSInvariantTest.sol, targets
DSTestPlus.sol, checkpointLabel
DSTestPlus.sol, checkpointGasLeft
MockAuthChild.sol, flag
MockTrustChild.sol, flag
ERC20User.sol, token
ERC20.sol, name
ERC20.sol, symbol
ERC20.sol, decimals
ERC20.sol, balanceOf
ERC20.sol, allowance
ERC20.sol, INITIAL_CHAIN_ID
ERC20.sol, INITIAL_DOMAIN_SEPARATOR
ERC20.sol, nonces
LockeERC20.sol, name
LockeERC20.sol, symbol
LockeERC20.sol, decimals
LockeERC20.sol, transferStartTime
LockeERC20.sol, balanceOf
LockeERC20.sol, allowance
LockeERC20.sol, INITIAL_CHAIN_ID
LockeERC20.sol, INITIAL_DOMAIN_SEPARATOR
LockeERC20.sol, nonces
HEVMState.sol, hevm
HEVMState.sol, me
HEVMState.sol, slots
HEVMState.sol, finds
LockeTest.sol, defaultStreamFactory
LockeTest.sol, alice
LockeTest.sol, bob
#0 - brockelmore
2021-11-30T18:07:23Z
Your automated tool has false positives here. INITIAL_DOMAIN_SEPARATOR & INITIAL_CHAIN_ID are already immutable. Also, just because some things can be made immutable, doesn't mean they should. Primarily for bytecode size limits. Name and symbol in any erc20 are some such examples. Most of these are test files or unused anyway
#1 - 0xean
2022-01-17T12:08:46Z
dupe of #231
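A triage pass over this kind of "could be immutable" tool output, as an added example (not the warden's tool and not the project's code): it drops variables already declared immutable, types that Solidity 0.8.x cannot make immutable (mappings, strings, arrays), and variables written outside the constructor. The contract source, the `triage` helper and the variable `deployedAt` are constructed for illustration.

```python
import re

# Constructed sample shaped like a small ERC20; not the audited project's source.
SAMPLE = """
contract Token {
    string public name;
    uint256 public totalSupply;
    uint32 public deployedAt;
    mapping(address => uint256) public balanceOf;
    uint256 internal immutable INITIAL_CHAIN_ID;
    constructor(string memory _name) {
        name = _name;
        deployedAt = uint32(block.timestamp);
        INITIAL_CHAIN_ID = block.chainid;
    }
    function mint(address to, uint256 amount) external {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
"""

# Line-oriented patterns: one declaration or statement per line is assumed.
DECL = re.compile(r"^\s*(mapping\s*\(.*\)|\w+(?:\[\d*\])?)\s+"
                  r"((?:(?:public|internal|private|immutable|constant)\s+)*)(\w+)\s*(?:=[^;]*)?;")
ASSIGN = re.compile(r"^\s*(\w+)\s*(?:\[[^\]]*\]\s*)*(?:[-+*/%|&^]|<<|>>)?=(?!=)")
VALUE_TYPE = re.compile(r"^(u?int\d*|address|bool|bytes\d+)$")

def triage(source):
    decls, writes, depth, in_ctor = {}, {}, 0, False
    for line in source.splitlines():
        if depth == 1:      # contract body: declarations and function headers
            in_ctor = line.lstrip().startswith("constructor")
            if m := DECL.match(line):
                decls[m.group(3)] = (m.group(1), m.group(2).split())
        elif depth >= 2:    # function body: record where each variable is written
            if m := ASSIGN.match(line):
                writes.setdefault(m.group(1), set()).add("ctor" if in_ctor else "fn")
        depth += line.count("{") - line.count("}")
    report = {}
    for name, (typ, mods) in decls.items():
        if "immutable" in mods or "constant" in mods:
            report[name] = "already immutable"      # tool false positive
        elif not VALUE_TYPE.match(typ):             # mapping, string, array, unknown type
            report[name] = "ineligible type"
        elif "fn" in writes.get(name, set()):
            report[name] = "written after construction"
        else:
            report[name] = "candidate"
    return report
```

User-defined value types (contracts, enums) are conservatively reported as ineligible because the regex only recognises elementary types.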
🌟 Selected for report: robee
robee
The following functions could be set private to save gas and improve code quality:
The function assertGtDecimal in test.sol could be set internal
The function checkEq0 in test.sol could be set internal
The function assertGeDecimal in test.sol could be set internal
The function assertEqDecimal in test.sol could be set internal
The function assertGt in test.sol could be set internal
The function assertEq in test.sol could be set internal
The function assertLt in test.sol could be set internal
The function assertLe in test.sol could be set internal
The function assertLeDecimal in test.sol could be set internal
The function assertEq0 in test.sol could be set internal
The function assertLtDecimal in test.sol could be set internal
The function assertTrue in test.sol could be set internal
The function assertGe in test.sol could be set internal
The function assertEq32 in test.sol could be set internal
The function fail in test.sol could be set internal
The function isAuthorized in Auth.sol could be set internal
The function verifySafeTransfer in SafeTransferLib.t.sol could be set internal
The function forceApprove in SafeTransferLib.t.sol could be set internal
The function verifySafeTransferFrom in SafeTransferLib.t.sol could be set internal
The function verifySafeApprove in SafeTransferLib.t.sol could be set internal
The function forceTrust in Trust.t.sol could be set internal
The function forceTrust in TrustAuthority.t.sol could be set internal
The function addTargetContract in DSInvariantTest.sol could be set internal
The function startMeasuringGas in DSTestPlus.sol could be set internal
The function stopMeasuringGas in DSTestPlus.sol could be set internal
The function assertBytesEq in DSTestPlus.sol could be set internal
The function assertUint64Eq in DSTestPlus.sol could be set internal
The function assertUint96Eq in DSTestPlus.sol could be set internal
The function assertUint32Eq in DSTestPlus.sol could be set internal
The function fail in DSTestPlus.sol could be set internal
The function assertUint128Eq in DSTestPlus.sol could be set internal
The function assertFalse in DSTestPlus.sol could be set internal
The function _burn in ERC20.sol could be set internal
The function _mint in ERC20.sol could be set internal
The function fromLast20Bytes in Bytes32AddressLib.sol could be set internal
The function fillLast12Bytes in Bytes32AddressLib.sol could be set internal
The function deploy in CREATE3.sol could be set internal
The function fmul in FixedPointMathLib.sol could be set internal
The function sqrt in FixedPointMathLib.sol could be set internal
The function max in FixedPointMathLib.sol could be set internal
The function fpow in FixedPointMathLib.sol could be set internal
The function min in FixedPointMathLib.sol could be set internal
The function fdiv in FixedPointMathLib.sol could be set internal
The function safeCastTo64 in SafeCastLib.sol could be set internal
The function safeCastTo224 in SafeCastLib.sol could be set internal
The function safeCastTo128 in SafeCastLib.sol could be set internal
The function read in SSTORE2.sol could be set internal
The function write in SSTORE2.sol could be set internal
The function toString in LockeERC20.sol could be set internal
The function _burn in LockeERC20.sol could be set internal
The function _mint in LockeERC20.sol could be set internal
🌟 Selected for report: Meta0xNull
217.5701 USDC - $217.57
robee
Open TODOs can hint at programming or architectural errors that still need to be fixed. These files have open TODOs:
Open TODO in LockeERC20.sol line 64 : // TODO: we could have start_time+stream_duration+depositlocktime as maturity-date
#0 - brockelmore
2021-11-30T17:51:35Z
Does not affect code. Current implementation works as is and this todo is a potential improvement for future versions.
#1 - 0xean
2022-01-16T13:34:40Z
dupe of #78