Foundation Drop contest - samruna's results

Foundation is a web3 destination.

General Information

Platform: Code4rena

Start Date: 11/08/2022

Pot Size: $40,000 USDC

Total HM: 8

Participants: 108

Period: 4 days

Judge: hickuphh3

Total Solo HM: 2

Id: 152

League: ETH

Foundation

Findings Distribution

Researcher Performance

Rank: 94/108

Findings: 1

Award: $20.60

🌟 Selected for report: 0

🚀 Solo Findings: 0

Gas

1. Use of custom errors

Starting from Solidity v0.8.4, there is a convenient and gas-efficient way to explain to users why an operation failed: custom errors. Before that, you could already use strings to give more information about failures (e.g., revert("Insufficient funds.");), but they are rather expensive, especially in deployment cost, and it is difficult to include dynamic information in them.

Code references where this can be replaced:

https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L158
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L263-268
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L327
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L173
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L182
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L203
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L227
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L262
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L88
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L93
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L130-131
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L172-179
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L238
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L301

Mitigation:

Change require(a != b, "ERROR") to if (a != b) revert ERROR();

2. Use bytes32 instead of string

A string is a dynamic type and therefore consumes more gas than bytes32.

Code references where this can be changed:

https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L48
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L53
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L70
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L107-108
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L129
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L142
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L154
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L175
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L193
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L216
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L238
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L262
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L282
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L291
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L326
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L332
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L137-138
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L162-164
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L258-259
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L287-289
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L325-327
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L364-366
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L387-389
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L64
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L122-124

3. Use of != 0 instead of > 0

A != 0 comparison is cheaper than > 0.

Code references where this can be changed:

https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L88
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L130

4. Use short error messages

You can (and should) attach error reason strings to require/revert statements to make it easier to understand why a contract call reverted. These strings, however, take up space in the deployed bytecode. Every reason string occupies at least 32 bytes, so make sure your string fits in 32 bytes or it becomes more expensive.

Shortening revert strings to fit in 32 bytes decreases deployment gas and decreases runtime gas when the revert condition is met. Revert strings longer than 32 bytes require at least one additional mstore, along with additional overhead for computing the memory offset, etc.

Code references where the strings can be shortened:

https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L327
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L173
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L182
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L203
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L227
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L267
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L88
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L93
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L130-131
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L172
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L179
https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L238
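A constructed Solidity contract, added here as an illustration of findings 1 and 4 (it is not Foundation's code), showing the same zero check written three ways: a reason string longer than one 32-byte word, a string trimmed to fit in one word, and a custom error that also carries the offending value. The contract, state variables, function names and error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Constructed example (not Foundation's code): the same check in three styles so
// the deployment and runtime cost can be compared with a gas reporter.
contract RevertStyles {
    // Custom errors are encoded as a 4-byte selector plus ABI-encoded arguments,
    // so they can include dynamic values, which a reason string cannot.
    error ZeroMaxTokenId(uint256 provided);
    error ExceedsMaxTokenId(uint256 requested, uint256 maxTokenId);

    uint256 public maxTokenId;
    uint256 public latestTokenId;

    // Style A: 42-byte reason string; it needs two memory words plus the
    // offset arithmetic described in finding 4.
    function setMaxTokenIdLong(uint256 _maxTokenId) external {
        require(_maxTokenId != 0, "Drop: maxTokenId must be greater than zero");
        maxTokenId = _maxTokenId;
    }

    // Style B: same check, reason string trimmed to 27 bytes so it fits in
    // a single 32-byte word.
    function setMaxTokenIdShort(uint256 _maxTokenId) external {
        require(_maxTokenId != 0, "Drop: maxTokenId is zero");
        maxTokenId = _maxTokenId;
    }

    // Style C: finding 1's mitigation, require(cond, "...") rewritten as
    // if (!cond) revert Error(); the revert data carries the bad value.
    function setMaxTokenIdCustom(uint256 _maxTokenId) external {
        if (_maxTokenId == 0) revert ZeroMaxTokenId(_maxTokenId);
        maxTokenId = _maxTokenId;
    }

    // A custom error with two dynamic values, something a reason string
    // cannot express without expensive string concatenation.
    function mint(uint256 count) external {
        uint256 newId = latestTokenId + count;
        if (newId > maxTokenId) revert ExceedsMaxTokenId(newId, maxTokenId);
        latestTokenId = newId;
    }
}
```

Compiling all three setters in one contract and calling each through a gas reporter shows the per-style difference directly; decoding the custom-error revert data needs the ABI, which is the tooling caveat the sponsor raises in the comments.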

#0 - HardlyDifficult

2022-08-17T08:00:31Z

  1. Use of custom errors

Agree but won't fix at this time. We use these in the market but not in collections. Unfortunately custom errors are still not as good of an experience for users (e.g. on etherscan). We used them in the market originally because we were nearing the max contract size limit and this was a good way to reduce the bytecode. We'll consider this in the future as tooling continues to improve.

  2. Use bytes32 instead of string

Invalid. I didn't check every link provided, but spot-checked a bunch and many are referencing the baseURI. This string cannot be stored in bytes32 because it may be longer than 32 bytes.

  3. Use of != 0 instead of > 0

Invalid. We tested the recommendation and got the following results:

createNFTDropCollection gas reporter results:
- using > 0 (current): 319246 · 319578 · 319361
- using != 0 (recommendation): 319252 · 319584 · 319367
- impact: +6 gas

  4. Use short error messages

Agree but won't fix. We use up to 64 bytes, aiming to respect the incremental cost, but 32 bytes is a bit too short to provide descriptive error messages for our users.
