Platform: Code4rena
Start Date: 17/02/2022
Pot Size: $75,000 USDC
Total HM: 7
Participants: 23
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 2
Id: 92
League: ETH
Rank: 13/23
Findings: 2
Award: $633.43
🌟 Selected for report: 0
🚀 Solo Findings: 0
518.6839 USDC - $518.68
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L72 Add validity or empty check before setting booster
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L93 Add validity or empty check before setting clerk
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L114 Add validity or empty check before setting authority
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L180
Below code can be optimized further

```solidity
// Prepare a users array to whitelist the Safe.
address[] memory users = new address[](1);
users[0] = address(safe);

// Prepare an enabled array to whitelist the Safe.
bool[] memory enabled = new bool[](1);
enabled[0] = true;
```

All above can be replaced with

```solidity
address[1] memory users = [address(safe)];

// Prepare an enabled array to whitelist the Safe.
bool[] memory enabled = [true];
```
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L168 Flawed logic
```solidity
safe = new TurboSafe(msg.sender, defaultSafeAuthority, asset);
safes.push(safe);
unchecked {
    // Get the index/id of the new Safe.
    // Cannot underflow, we just pushed to it.
    id = safes.length - 1;
}
// Store the id/index of the new Safe.
getSafeId[safe] = id;
```

In above code, when first safe is pushed to safes, safes.length will be 1. So id will be 0. If TurboSafe() creation fails, further logic will throw error. You can remove the unchecked block and replace with below

```solidity
getSafeId[safe] = safes.length - 1;
```
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L177 It's better to emit after all processing is done
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L323 It's better to emit after safeTransfer
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L197 emit FeiDeposited() event
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L317 Raise the event after token sweep is approved and completed
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L74 If not called internally, function should be declared external. The function deposit is not called inside the contract.
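For the whitelist-array item above, an added example that is not part of the warden's report or the Turbo code base: it puts the one-element dynamic-array pattern next to the array-literal form and shows the Solidity type rule that decides which of them a callee accepts. `IWhitelist`, `setWhitelist` and `WhitelistArrays` are hypothetical names, and the callee taking dynamic arrays is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Hypothetical callee (assumption): a batch whitelist setter taking dynamic arrays.
interface IWhitelist {
    function setWhitelist(address[] calldata users, bool[] calldata enabled) external;
}

contract WhitelistArrays {
    IWhitelist public immutable target;

    constructor(IWhitelist _target) {
        target = _target;
    }

    // Dynamic-array pattern: allocate one-element arrays, then fill them.
    function whitelistDynamic(address safe) external {
        address[] memory users = new address[](1);
        users[0] = safe;

        bool[] memory enabled = new bool[](1);
        enabled[0] = true;

        // address[] memory / bool[] memory match the callee's parameter types.
        target.setWhitelist(users, enabled);
    }

    // Array literals are fixed-size: [safe] is address[1] memory and
    // [true] is bool[1] memory.
    function literals(address safe)
        external
        pure
        returns (address[1] memory users, bool[1] memory enabled)
    {
        users = [safe];
        enabled = [true];
        // Fixed-size memory arrays do not convert to dynamic ones, so neither
        // of these lines compiles:
        //   bool[] memory e = [true];
        //   target.setWhitelist(users, enabled);
    }
}
```

The literal form only applies when every consumer of the array is declared with the same fixed length.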
#0 - GalloDaSballo
2022-03-20T14:55:30Z
Report has plenty of small findings, formatting could have been done better, but ultimately does cover the basics. Well done by the warden
#1 - GalloDaSballo
2022-03-20T15:06:41Z
6/10
#2 - GalloDaSballo
2022-03-25T14:05:36Z
After re-review I think 5/10 is more appropriate. I liked the optimization, everything else is the usual events and validation finding
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L177 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L212 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L177 Add zero check for feiAmount. It'll save gas fees
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L258 Add zero check for each of the amount fields. Only emit events or do further processing if the values are non-zero. This will save a lot of gas fee.
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L314 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L336 Add zero check to amount to avoid gas fees
#0 - GalloDaSballo
2022-03-07T01:27:30Z
Honestly this report is very poorly presented, the warden could have spent the time to explain their thinking instead of spitting one liners with links.
Am going to give it a 0/10