AbraNFT contest - robee's results

Use safe math for solidity version <8

You should use safe math for solidity version <8 since there is no default over/under flow check it suchversions of solidity.

Code instances:

    The contract WETH9Mock.sol doesn't use safe math and is of solidity version < 8
    The contract RevertingERC20Mock.sol doesn't use safe math and is of solidity version < 8
    The contract NFTPairWithOracle.sol doesn't use safe math and is of solidity version < 8
    The contract FreelyMintableERC20Mock.sol doesn't use safe math and is of solidity version < 8
    The contract SimpleStrategyMock.sol doesn't use safe math and is of solidity version < 8

Not verified owner

    owner param should be validated to make sure the owner address is not address(0).
    Otherwise if not given the right input all only owner accessible functions will be unaccessible.
    
    

Code instances:

    ERC721Mock.sol.mint owner
    ReturnFalseERC20Mock.sol.permit owner

Named return issue

Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing. Furthermore, removing either the actual return or the named return will save gas.

Code instances:

    ReturnFalseERC20Mock.sol, transfer
    RevertingERC20Mock.sol, transfer
    RevertingERC20Mock.sol, transferFrom
    ReturnFalseERC20Mock.sol, approve
    RevertingERC20Mock.sol, approve

In the following public update functions no value is returned

In the following functions no value is returned, due to which by default value of return will be 0. We assumed that after the update you return the latest new value. (similar issue here: https://github.com/code-423n4/2021-10-badgerdao-findings/issues/85).

Code instances:

    NFTPairWithOracle.sol, updateLoanParams
    NFTPair.sol, updateLoanParams

Check transfer receiver is not 0 to avoid burned money

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

Code instances:

    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPair.sol#L532
    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPairWithOracle.sol#L336
    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/mocks/FreelyMintableERC20Mock.sol#L20
    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPairWithOracle.sol#L238
    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/mocks/RevertingERC20Mock.sol#L51

In the following public update functions no value is returned

In the following functions no value is returned, due to which by default value of return will be 0. We assumed that after the update you return the latest new value. (similar issue here: https://github.com/code-423n4/2021-10-badgerdao-findings/issues/85).

Code instances:

    NFTPairWithOracle.sol, updateLoanParams
    NFTPair.sol, updateLoanParams

Add a timelock

To give more trust to users: functions that set key/critical variables should be put behind a timelock.

Code instances:

    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPair.sol#L728
    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPairWithOracle.sol#L750

Two arrays length mismatch

The functions below fail to perform input validation on arrays to verify the lengths match. A mismatch could lead to an exception or undefined behavior. Consider making this a medium risk please.

Code instances

    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPairWithOracle.sol#L669 cook ['actions', 'values', 'datas']
    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPair.sol#L636 cook ['actions', 'values', 'datas']

Div by 0

Division by 0 can lead to accidentally revert, (An example of a similar issue - https://github.com/code-423n4/2021-10-defiprotocol-findings/issues/84)

Code instances:

    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPair.sol#L496 denom_k might be 0
    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPairWithOracle.sol#L529 denom_k might be 0

Tokens with fee on transfer are not supported

There are ERC20 tokens that charge fee for every transfer() / transferFrom().

Vault.sol#addValue() assumes that the received amount is the same as the transfer amount, and uses it to calculate attributions, balance amounts, etc. But, the actual transferred amount can be lower for those tokens. Therefore it's recommended to use the balance change before and after the transfer instead of the amount. This way you also support the tokens with transfer fee - that are popular.

Code instances:

    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPair.sol#L532
    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPairWithOracle.sol#L565

transfer return value of a general ERC20 is ignored

Need to use safeTransfer instead of transfer. As there are popular tokens, such as USDT that transfer/trasnferFrom method doesn’t return anything. The transfer return value has to be checked (as there are some other tokens that returns false instead revert), that means you must

1. Check the transfer return value Another popular possibility is to add a whiteList. Those are the appearances (solidity file, line number, actual line):

Code instances:

    NFTPairWithOracle.sol, 295 (removeCollateral), collateral.transferFrom(address(this), to, tokenId);
    NFTPair.sol, 218 (_requestLoan), collateral.transferFrom(collateralProvider, address(this), tokenId);
    NFTPairWithOracle.sol, 573 (repay), collateral.transferFrom(address(this), loan.borrower, tokenId);
    NFTPair.sol, 540 (repay), collateral.transferFrom(address(this), loan.borrower, tokenId);
    NFTPair.sol, 266 (removeCollateral), collateral.transferFrom(address(this), to, tokenId);

Not verified input

external / public functions parameters should be validated to make sure the address is not 0. Otherwise if not given the right input it can mistakenly lead to loss of user funds.

Code instances:

    ReturnFalseERC20Mock.sol.approve spender
    LendingClubMock.sol.constructor _investor
    WETH9Mock.sol.approve guy
    RevertingERC20Mock.sol.transferFrom from
    RevertingERC20Mock.sol.transfer to

Solidity compiler versions mismatch

The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.

Code instance:

    totalSupply in ERC20Mock.sol

Unused state variables

Unused state variables are gas consuming at deployment (since they are located in storage) and are a bad code practice. Removing those variables will decrease deployment gas cost and improve code quality. This is a full list of all the unused storage variables we found in your code base.

Code instances:

    NFTPairWithOracle.sol, USE_VALUE2
    WETH9Mock.sol, decimals
    WETH9Mock.sol, symbol
    WETH9Mock.sol, name
    NFTPair.sol, USE_VALUE2

Unused declared local variables

Unused local variables are gas consuming, since the initial value assignment costs gas. And are a bad code practice. Removing those variables will decrease the gas cost and improve code quality. This is a full list of all the unused storage variables we found in your code base.

Code instances:

    NFTPairWithOracle.sol, _bentoDeposit, token
    NFTPair.sol, _bentoDeposit, token

Change transferFrom to transfer

'transferFrom(address(this), , **)' could be replaced by the following more gas efficient 'transfer(, **)' This replacement is more gas efficient and improves the code quality.

Code instances:

    NFTPair.sol, 266 : collateral.transferFrom(address(this), to, tokenId);
    NFTPairWithOracle.sol, 295 : collateral.transferFrom(address(this), to, tokenId);
    NFTPairWithOracle.sol, 573 : collateral.transferFrom(address(this), loan.borrower, tokenId);
    NFTPair.sol, 540 : collateral.transferFrom(address(this), loan.borrower, tokenId);

Caching array length can save gas

Caching the array length is more gas efficient. This is because access to a local variable in solidity is more efficient than query storage / calldata / memory. We recommend to change from:

for (uint256 i=0; i<array.length; i++) { ... }

to:

uint len = array.length  
for (uint256 i=0; i<len; i++) { ... }

Code instances:

    NFTPairWithOracle.sol, actions, 674
    NFTPair.sol, actions, 641

Prefix increments are cheaper than postfix increments

Prefix increments are cheaper than postfix increments. Further more, using unchecked {++x} is even more gas efficient, and the gas saving accumulates every iteration and can make a real change There is no risk of overflow caused by increamenting the iteration index in for loops (the ++i in for (uint256 i = 0; i < numIterations; ++i)). But increments perform overflow checks that are not necessary in this case. These functions use not using prefix increments (++x) or not using the unchecked keyword:

Code instances:

    change to prefix increment and unchecked: NFTPairWithOracle.sol, i, 674
    change to prefix increment and unchecked: NFTPairWithOracle.sol, k, 527
    change to prefix increment and unchecked: NFTPair.sol, k, 494
    change to prefix increment and unchecked: NFTPair.sol, i, 641

Unnecessary index init

In for loops you initialize the index to start from 0, but it already initialized to 0 in default and this assignment cost gas. It is more clear and gas efficient to declare without assigning 0 and will have the same meaning:

Code instances:

    NFTPair.sol, 641
    NFTPairWithOracle.sol, 674

Unnecessary default assignment

Unnecessary default assignments, you can just declare and it will save gas and have the same meaning.

Code instances:

    NFTPair.sol (L#96) : uint8 private constant LOAN_INITIAL = 0;
    NFTPairWithOracle.sol (L#113) : uint8 private constant LOAN_INITIAL = 0;

Rearrange state variables

You can change the order of the storage variables to decrease memory uses.

Code instances:

In NFTPair.sol,rearranging the storage fields can optimize to: 15 slots from: 17 slots. The new order of types (you choose the actual variables): 1. IBentoBoxV1 2. NFTPair 3. IERC721 4. IERC20 5. uint256 6. uint256 7. uint256 8. uint256 9. uint256 10. bytes32 11. bytes32 12. int256 13. int256 14. address 15. uint8 16. uint8 17. uint8 18. uint8 19. uint8 20. uint8 21. uint8 22. uint8 23. uint8 24. uint8 25. uint8 26. uint8 27. uint8 28. uint8 29. uint8 30. uint8

In NFTPairWithOracle.sol,rearranging the storage fields can optimize to: 15 slots from: 17 slots. The new order of types (you choose the actual variables): 1. IBentoBoxV1 2. NFTPairWithOracle 3. IERC721 4. IERC20 5. uint256 6. uint256 7. uint256 8. uint256 9. uint256 10. bytes32 11. bytes32 12. int256 13. int256 14. address 15. uint8 16. uint8 17. uint8 18. uint8 19. uint8 20. uint8 21. uint8 22. uint8 23. uint8 24. uint8 25. uint8 26. uint8 27. uint8 28. uint8 29. uint8 30. uint8

Use bytes32 instead of string to save gas whenever possible

Use bytes32 instead of string to save gas whenever possible.
String is a dynamic data structure and therefore is more gas consuming then bytes32.

Code instances:

    WETH9Mock.sol (L6), string public symbol = "WETH";
    WETH9Mock.sol (L5), string public name = "Wrapped Ether";

Use != 0 instead of > 0

Using != 0 is slightly cheaper than > 0. (see https://github.com/code-423n4/2021-12-maple-findings/issues/75 for similar issue)

Code instances:

    NFTPair.sol, 297: change 'balance > 0' to 'balance != 0'
    WETH9Mock.sol, 51: change 'balance > 0' to 'balance != 0'
    RevertingERC20Mock.sol, 44: change 'balance > 0' to 'balance != 0'
    RevertingERC20Mock.sol, 30: change 'balance > 0' to 'balance != 0'
    WETH9Mock.sol, 26: change 'balance > 0' to 'balance != 0'

Unnecessary cast

Code instances:

    int256 NFTPair.sol._num - unnecessary casting int256(inNum)
    uint256 SimpleStrategyMock.sol.withdraw - unnecessary casting uint256(amount)
    int256 NFTPairWithOracle.sol._num - unnecessary casting int256(inNum)

Use unchecked to save gas for certain additive calculations that cannot overflow

You can use unchecked in the following calculations since there is no risk to overflow:

Code instances:

    NFTPair.sol (L#511) - uint256(loan.startTime) + loanParams.duration > block.timestamp, "NFTPair: loan expired" ); 
    NFTPair.sol (L#258) - uint256(loan.startTime) + tokenLoanParams[tokenId].duration <= block.timestamp, "NFTPair: not expired" );
    NFTPairWithOracle.sol (L#544) - uint256(loan.startTime) + loanParams.duration > block.timestamp, "NFTPair: loan expired" ); 
    NFTPairWithOracle.sol (L#277) - if (uint256(loan.startTime) + tokenLoanParams[tokenId].duration > block.timestamp) {

Consider inline the following functions to save gas

You can inline the following functions instead of writing a specific function to save gas.
(see https://github.com/code-423n4/2021-11-nested-findings/issues/167 for a similar issue.)


    ERC721Mock.sol, _tokenURI, { return ""; }

Inline one time use functions

The following functions are used exactly once. Therefore you can inline them and save gas and improve code clearness.

Code instances:

    NFTPairWithOracle.sol, _call
    NFTPairWithOracle.sol, _bentoWithdraw
    NFTPair.sol, _bentoDeposit
    NFTPairWithOracle.sol, _bentoDeposit
    NFTPair.sol, _call

Change if -> revert pattern to require

Change if -> revert pattern to 'require' to save gas and improve code quality, if (some_condition) { revert(revert_message) }

to: require(!some_condition, revert_message)

In the following locations:

Code instances:

    NFTPairWithOracle.sol, 534
    NFTPair.sol, 501

Upgrade pragma to at least 0.8.4

Using newer compiler versions and the optimizer gives gas optimizations and additional safety checks are available for free.

The advantages of versions 0.8.* over <0.8.0 are:

    1. Safemath by default from 0.8.0 (can be more gas efficient than library based safemath.)
    2. Low level inliner : from 0.8.2, leads to cheaper runtime gas. Especially relevant when the contract has small functions. For example, OpenZeppelin libraries typically have a lot of small helper functions and if they are not inlined, they cost an additional 20 to 40 gas because of 2 extra jump instructions and additional stack operations needed for function calls.
    3. Optimizer improvements in packed structs: Before 0.8.3, storing packed structs, in some cases used an additional storage read operation. After EIP-2929, if the slot was already cold, this means unnecessary stack operations and extra deploy time costs. However, if the slot was already warm, this means additional cost of 100 gas alongside the same unnecessary stack operations and extra deploy time costs.
    4. Custom errors from 0.8.4, leads to cheaper deploy time cost and run time cost. Note: the run time cost is only relevant when the revert condition is met. In short, replace revert strings by custom errors.

Code instances:

    SimpleStrategyMock.sol
    NFTPairWithOracle.sol
    SushiSwapPairMock.sol
    ReturnFalseERC20Mock.sol
    ISwapperGeneric.sol

Do not cache msg.sender

We recommend not to cache msg.sender since calling it is 2 gas while reading a variable is more.

Code instances:

    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPairWithOracle.sol#L561
    https://github.com/code-423n4/2022-04-abranft/tree/main/contracts/NFTPair.sol#L528

Mult instead div in compares

To improve algorithm precision instead using division in comparison use multiplication in the following scenario:

    Instead a < b / c use a * c < b. 

In all of the big and trusted contracts this rule is maintained.

Code instances:

    NFTPairWithOracle.sol, 322, require(rate.mul(uint256(params.ltvBPS)) / BPS >= params.valuation, "Oracle: price too low.");
    NFTPairWithOracle.sol, 288, require(rate.mul(loanParams.ltvBPS) / BPS < amount, "NFT is still valued");

Missing fee parameter validation

Some fee parameters of functions are not checked for invalid values. Validate the parameters:

Code instances:

    NFTPairWithOracle.setFeeTo (newFeeTo)
    NFTPair.setFeeTo (newFeeTo)