Fraxlend (Frax Finance) contest - robee's results

approve return value is ignored

Some tokens don't correctly implement the EIP20 standard and their approve function returns void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert. Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the mentioned contracts as they revert the transaction because of the missing return value. We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handle the return value check as well as non-standard-compliant tokens. The list of occurrences in format (solidity file, line number, actual line)

Code instances:

FraxlendPairCore.sol, 1102, _assetContract.approve(_swapperAddress, _borrowAmount);

FraxlendPairCore.sol, 1183, _collateralContract.approve(_swapperAddress, _collateralToSwap);

Unbounded loop on array can lead to DoS

The attacker can push unlimitedly to an array, that some function loop over this array. If increasing the array size enough, calling the function that does a loop over the array will always revert since there is a gas limit. This is an High Risk issue since those arrays are publicly allows to push items into them.

Code instance:

    FraxlendPairDeployer.sol (L123): Unbounded loop on the array deployedPairsArray that can be publicly pushed by ['deploy', 'deployCustom']

Mult instead div in compares

To improve algorithm precision instead using division in comparison use multiplication in the following scenario:

    Instead a < b / c use a * c < b. 

In all of the big and trusted contracts this rule is maintained.

Code instances:

    VaultAccount.sol, 42, if (roundUp && (amount * total.shares) / total.amount < shares) {
    VaultAccount.sol, 25, if (roundUp && (shares * total.amount) / total.shares < amount) {

Missing fee parameter validation

Some fee parameters of functions are not checked for invalid values. Validate the parameters:

Code instances:

    FraxlendPairDeployer.deployCustom (_liquidationFee)
    FraxlendPairDeployer._deployFirst (_liquidationFee)
    FraxlendPair.constructor (_liquidationFee)
    FraxlendPair.changeFee (_newFee)
    FraxlendPairDeployer._logDeploy (_liquidationFee)
    FraxlendPairCore.constructor (_liquidationFee)

safeApprove of openZeppelin is deprecated

You use safeApprove of openZeppelin although it's deprecated. (see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38) You should change it to increase/decrease Allowance as OpenZeppilin says.

Code instances:

    Deprecated safeApprove in FraxlendPairCore.sol line 1102: _assetContract.approve(_swapperAddress, _borrowAmount);
    Deprecated safeApprove in FraxlendPairCore.sol line 1183: _collateralContract.approve(_swapperAddress, _collateralToSwap);

Not verified input

external / public functions parameters should be validated to make sure the address is not 0. Otherwise if not given the right input it can mistakenly lead to loss of user funds.

Code instances:

    FraxlendPairCore.sol.repayAsset _borrower
    FraxlendPairCore.sol.repayAssetWithCollateral _swapperAddress
    FraxlendPair.sol.withdrawFees _recipient
    FraxlendPairCore.sol.mint _receiver
    FraxlendPairCore.sol.redeem _receiver

Not verified owner

    owner param should be validated to make sure the owner address is not address(0).
    Otherwise if not given the right input all only owner accessible functions will be unaccessible.
    
    

Code instances:

    FraxlendPairCore.sol.withdraw _owner
    FraxlendPairCore.sol.redeem _owner

Named return issue

Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing. Furthermore, removing either the actual return or the named return will save gas.

Code instances:

    FraxlendPairCore.sol, _updateExchangeRate
    FraxlendPairDeployer.sol, _deployFirst
    FraxlendPairCore.sol, _addInterest
    VariableInterestRate.sol, getConstants
    FraxlendPairCore.sol, addInterest
    LinearInterestRate.sol, getConstants

Two Steps Verification before Transferring Ownership

The following contracts have a function that allows them an admin to change it to a different address. If the admin accidentally uses an invalid address for which they do not have the private key, then the system gets locked. It is important to have two steps admin change where the first is announcing a pending new admin and the new address should then claim its ownership. A similar issue was reported in a previous contest and was assigned a severity of medium: code-423n4/2021-06-realitycards-findings#105

Code instances:

    IFraxlendWhitelist.sol
    IFraxlendPair.sol

Missing non reentrancy modifier

The following functions are missing reentrancy modifier although some other pulbic/external functions does use reentrancy modifer. Even though I did not find a way to exploit it, it seems like those functions should have the nonReentrant modifier as the other functions have it as well..

Code instance:

    FraxlendPairCore.sol, initialize is missing a reentrancy modifier

Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    VariableInterestRate.sol: function requireValidInitData parameter _initData isn't used. (requireValidInitData is external)
    VariableInterestRate.sol: function getNewRate parameter _initData isn't used. (getNewRate is external)

Check transfer receiver is not 0 to avoid burned money

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

Code instances:

    https://github.com/code-423n4/2022-08-frax/tree/main/src/contracts/FraxlendPairCore.sol#L574
    https://github.com/code-423n4/2022-08-frax/tree/main/src/contracts/FraxlendPairCore.sol#L728
    https://github.com/code-423n4/2022-08-frax/tree/main/src/contracts/FraxlendPairCore.sol#L819
    https://github.com/code-423n4/2022-08-frax/tree/main/src/contracts/FraxlendPairCore.sol#L777
    https://github.com/code-423n4/2022-08-frax/tree/main/src/contracts/FraxlendPairCore.sol#L651

Missing commenting

    The following functions are missing commenting as describe below:
    

Code instances:

    FraxlendPairDeployer.sol, _deployFirst (private), parameters _saltSeed, _immutables, _penaltyRate not commented
    FraxlendPairDeployer.sol, deployCustom (external), parameter _penaltyRate not commented
    VariableInterestRate.sol, requireValidInitData (external), parameter _initData not commented

Add a timelock

To give more trust to users: functions that set key/critical variables should be put behind a timelock.

Code instances:

    https://github.com/code-423n4/2022-08-frax/tree/main/src/contracts/FraxlendPair.sol#L204
    https://github.com/code-423n4/2022-08-frax/tree/main/src/contracts/FraxlendPairDeployer.sol#L170
    https://github.com/code-423n4/2022-08-frax/tree/main/src/contracts/FraxlendWhitelist.sol#L65
    https://github.com/code-423n4/2022-08-frax/tree/main/src/contracts/FraxlendPair.sol#L288

Unnecessary equals boolean

Boolean variables can be checked within conditionals directly without the use of equality operators to true/false.

Code instances:

    FraxlendPair.sol, 290: // Do not set when _approval == false and _lender == msg.sender
    FraxlendPairCore.sol, 310: if (_borrowerAmount == 0) return true;
    FraxlendPair.sol, 309: // Do not set when _approval == false and _borrower == msg.sender
    FraxlendPairCore.sol, 312: if (_collateralAmount == 0) return false;
    FraxlendPairCore.sol, 308: if (maxLTV == 0) return true;

Unused state variables

Unused state variables are gas consuming at deployment (since they are located in storage) and are a bad code practice. Removing those variables will decrease deployment gas cost and improve code quality. This is a full list of all the unused storage variables we found in your code base.

Code instances:

    FraxlendPairConstants.sol, UTIL_PREC
    FraxlendPairConstants.sol, FRAXSWAP_ROUTER_ADDRESS
    FraxlendPairConstants.sol, DEFAULT_INT
    FraxlendPairConstants.sol, LTV_PRECISION
    FraxlendPairConstants.sol, LIQ_PRECISION
    FraxlendPairConstants.sol, MAX_PROTOCOL_FEE
    FraxlendPairConstants.sol, DEFAULT_PROTOCOL_FEE
    FraxlendPairConstants.sol, EXCHANGE_PRECISION
    FraxlendPairConstants.sol, FEE_PRECISION

Caching array length can save gas

Caching the array length is more gas efficient. This is because access to a local variable in solidity is more efficient than query storage / calldata / memory. We recommend to change from:

for (uint256 i=0; i<array.length; i++) { ... }

to:

uint len = array.length  
for (uint256 i=0; i<len; i++) { ... }

Code instances:

    FraxlendWhitelist.sol, _addresses, 51
    FraxlendPairCore.sol, _approvedLenders, 270
    FraxlendWhitelist.sol, _addresses, 81
    FraxlendWhitelist.sol, _addresses, 66
    FraxlendPairCore.sol, _approvedBorrowers, 265
    FraxlendPair.sol, _borrowers, 308
    FraxlendPair.sol, _lenders, 289

Prefix increments are cheaper than postfix increments

Prefix increments are cheaper than postfix increments. Further more, using unchecked {++x} is even more gas efficient, and the gas saving accumulates every iteration and can make a real change There is no risk of overflow caused by increamenting the iteration index in for loops (the ++i in for (uint256 i = 0; i < numIterations; ++i)). But increments perform overflow checks that are not necessary in this case. These functions use not using prefix increments (++x) or not using the unchecked keyword:

Code instances:

    change to prefix increment and unchecked: FraxlendPair.sol, i, 289
    just change to unchecked: FraxlendPairCore.sol, i, 265
    change to prefix increment and unchecked: FraxlendPair.sol, i, 308
    change to prefix increment and unchecked: FraxlendWhitelist.sol, i, 51
    change to prefix increment and unchecked: FraxlendWhitelist.sol, i, 81
    just change to unchecked: FraxlendPairCore.sol, i, 270
    change to prefix increment and unchecked: FraxlendWhitelist.sol, i, 66

Unnecessary index init

In for loops you initialize the index to start from 0, but it already initialized to 0 in default and this assignment cost gas. It is more clear and gas efficient to declare without assigning 0 and will have the same meaning:

Code instances:

    FraxlendPairCore.sol, 265
    FraxlendPair.sol, 308
    FraxlendWhitelist.sol, 51
    FraxlendWhitelist.sol, 81
    FraxlendPairDeployer.sol, 402
    FraxlendPair.sol, 289
    FraxlendPairCore.sol, 270
    FraxlendWhitelist.sol, 66

Storage double reading. Could save SLOAD

Reading a storage variable is gas costly (SLOAD). In cases of multiple read of a storage variable in the same scope, caching the first read (i.e saving as a local variable) can save gas and decrease the overall gas uses. The following is a list of functions and the storage variables that you read twice:

Code instance:

    VariableInterestRate.sol: INT_HALF_LIFE is read twice in getNewRate

Unnecessary default assignment

Unnecessary default assignments, you can just declare and it will save gas and have the same meaning.

Code instances:

    LinearInterestRate.sol (L#33) : uint256 private constant MIN_INT = 0;
    FraxlendPairConstants.sol (L#47) : uint16 internal constant DEFAULT_PROTOCOL_FEE = 0;

Rearrange state variables

You can change the order of the storage variables to decrease memory uses.

Code instance:

In FraxlendPairCore.sol,rearranging the storage fields can optimize to: 24 slots from: 25 slots. The new order of types (you choose the actual variables): 1. string 2. IERC20 3. IERC20 4. uint256 5. uint256 6. uint256 7. uint256 8. IRateCalculator 9. bytes 10. string 11. uint256 12. uint256 13. CurrentRateInfo 14. ExchangeRateInfo 15. VaultAccount 16. VaultAccount 17. uint256 18. address 19. bool 20. bool 21. address 22. address 23. address 24. address 25. address 26. address

Use bytes32 instead of string to save gas whenever possible

Use bytes32 instead of string to save gas whenever possible.
String is a dynamic data structure and therefore is more gas consuming then bytes32.

Code instances:

    FraxlendPairCore.sol (L51), string public version = "1.0.0"; 
    FraxlendPairDeployer.sol (L315), string memory _name = string( abi.encodePacked( "FraxlendV1 - ", IERC20(_collateral).safeName(), "/", IERC20(_asset).safeName(), " - ", IRateCalculator(_rateContract).name(), " - ", (deployedPairsArray.length + 1).toString() ) ); 

Use != 0 instead of > 0

Using != 0 is slightly cheaper than > 0. (see https://github.com/code-423n4/2021-12-maple-findings/issues/75 for similar issue)

Code instances:

    FraxlendPair.sol, 256: change 'balance > 0' to 'balance != 0'
    FraxlendPairCore.sol, 1094: change '_initialCollateralAmount > 0' to '_initialCollateralAmount != 0'
    FraxlendPairCore.sol, 754: change '_collateralAmount > 0' to '_collateralAmount != 0'

Consider inline the following functions to save gas

You can inline the following functions instead of writing a specific function to save gas.
(see https://github.com/code-423n4/2021-11-nested-findings/issues/167 for a similar issue.)

Code instances

    FraxlendPairCore.sol, _totalAssetAvailable, { return _totalAsset.amount - _totalBorrow.amount; }
    FraxlendPairHelper.sol, _isPastMaturity, { return _maturityDate != 0 && _timestamp > _maturityDate; }
    FraxlendPairCore.sol, _isPastMaturity, { return maturityDate != 0 && block.timestamp > maturityDate; }

Inline one time use functions

The following functions are used exactly once. Therefore you can inline them and save gas and improve code clearness.

Code instances:

    FraxlendPairHelper.sol, _isPastMaturity
    SafeERC20.sol, safeTransferFrom
    SafeERC20.sol, safeTransfer

Do not cache msg.sender

We recommend not to cache msg.sender since calling it is 2 gas while reading a variable is more.

Code instance:

    https://github.com/code-423n4/2022-08-frax/tree/main/src/contracts/FraxlendPairCore.sol#L168