Platform: Code4rena
Start Date: 10/03/2022
Pot Size: $75,000 USDT
Total HM: 25
Participants: 54
Period: 7 days
Judge: pauliax
Total Solo HM: 10
Id: 97
League: ETH
Rank: 39/54
Findings: 2
Award: $182.51
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: hickuphh3
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xNazgul, 0xngndev, 0xwags, Cantor_Dust, CertoraInc, Dravee, IllIllI, PPrieditis, Ruhum, TerrierLover, WatchPug, XDms, benk10, berndartmueller, bitbopper, catchup, cmichel, cryptphi, csanuragjain, danb, defsec, gzeon, hagrid, hubble, jayjonah8, kenta, kyliek, minhquanym, rfa, robee, saian, samruna, throttle, ye0lde, z3s
122.3648 USDT - $122.36
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/ExecutorManager.sol#L10 The executorstatus map is not really helpful in any business logic. If the executor is present in executors array then the status is true or else false. Once the executor is added, it cannot be added again even though the status is set to FALSE.
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/ExecutorManager.sol#L53 The function removeExecutor is just setting the status to false.
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/ExecutorManager.sol#L55 Check if the executor is present and executorStatus is not already set to false.
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/token/svg-helpers/SvgHelperBase.sol#L126 Both inpurt parameters are not used in the function. Remove these.
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L169 https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L330 https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L333 https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityPool.sol#L107 https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityPool.sol#L113 https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityPool.sol#L123 If function is not called from inside the contract, better to make it external
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L211 NFTInfo storage nft = nftInfo[_nftId]; require(!nft.isStaked, "ERR__NFT_ALREADY_STAKED"); Move above code immidiately after the require(lpToken.isApprovedForAll...). If NFT is not approved, then no need to get token metadata
#0 - ankurdubey521
2022-03-10T15:17:27Z
Thanks a lot for bringing these up!
🌟 Selected for report: Dravee
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xNazgul, 0xngndev, 0xwags, Cantor_Dust, CertoraInc, IllIllI, Jujic, Kenshin, Kiep, PPrieditis, TerrierLover, Tomio, WatchPug, antonttc, benk10, berndartmueller, bitbopper, csanuragjain, defsec, gzeon, hagrid, hickuphh3, kenta, minhquanym, oyc_109, pedroais, peritoflores, rfa, robee, saian, samruna, sirhashalot, throttle, wuwe1, z3s
60.1477 USDT - $60.15
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/ExecutorManager.sol#L30 Consider adding require(!executorStatus[executorArray[i]], "Executor already registered"); in the for loop before calling addExecutor. This will make the transaction faster and will save some gas fees.
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/ExecutorManager.sol#L55 Check if the executor is present and executorStatus is not already set to false. I can call the function in an infinity loop and it can block other transactions to executed while(i == 1){ executorManager.removeExecutor(address) }
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L99 Add zero check for rewardPerSecond. EVen though onlyOwner, it can create zero records and can exhust gas fees
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L170 Check if the baseToken is already added to rewardRateLog. Unless the business logic is to allow override, the emit will exhuast gas fees.
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L182 Add zero check for amount. No point in transfering 0 amount. This will cost extra gas fees.
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityPool.sol#L113 Add zero check before setting baseGas.
https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityPool.sol#L201 https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityPool.sol#L225 Add zero check. Although zero check if done in functions called further, having zero check at the begainning will definitly help save some gas
#0 - ankurdubey521
2022-03-10T15:03:12Z
Thanks a lot for bringing these up!
#1 - ankurdubey521
2022-03-10T16:18:59Z
Add zero check for rewardPerSecond. EVen though onlyOwner, it can create zero records and can exhust gas fees
I think setting zero rewards are a useful way to pause rewards temporarily if needed, what do you think?
#2 - ankurdubey521
2022-03-10T16:25:29Z
Check if the baseToken is already added to rewardRateLog. Unless the business logic is to allow override, the emit will exhuast gas fees.
The rewardRateLog will store multiple entires per baseToken, to maintain a history of all the updates that have been done to the reward rate. This is useful for calculating pending rewards if pool has been inactive for a long time.