Back to slywaters's contests

Notional x Index Coop - slywaters's results

A collaboration between Notional and Index Coop to create fixed rate yield index tokens.

General Information

Platform: Code4rena

Start Date: 07/06/2022

Pot Size: $75,000 USDC

Total HM: 11

Participants: 77

Period: 7 days

Judge: gzeon

Total Solo HM: 7

Id: 124

League: ETH

Notional

Findings Distribution

Researcher Performance

Rank: 35/77

Findings: 2

Award: $137.20

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryNotional

Findings Information

🌟 Selected for report: berndartmueller

Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 0xmint, Bronicle, Chom, Cityscape, Deivitto, Funen, GimelSec, GreyArt, IllIllI, JC, Lambda, Meera, Nethermind, Picodes, PierrickGT, Ruhum, Sm4rty, Tadashi, TerrierLover, TomJ, Trumpero, Waze, _Adam, antonttc, ayeslick, c3phas, catchup, cccz, cloudjunky, cryptphi, csanuragjain, delfin454000, dipp, ellahi, fatherOfBlocks, hake, hansfriese, hyh, joestakey, jonah1005, kenzo, minhquanym, oyc_109, sach1r0, saian, simon135, slywaters, sorrynotsorry, sseefried, unforgiven, xiaoming90, z3s, zzzitron

Awards

88.1437 USDC - $88.14

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Low Severity Findings

OpenZeppelin's safeApprove() function is deprecated

Instead, the functions safeIncreaseAllowance and safeDecreaseAllowance whenever possible.

Deprecation Notice

The following lines of code should be updated to avoid using the deprecated function:

2022-06-notional-coop/notional-wrapped-fcash/contracts/wfCashBase.sol:68:        assetToken.safeApprove(address(NotionalV2), type(uint256).max);
2022-06-notional-coop/notional-wrapped-fcash/contracts/wfCashBase.sol:73:            underlyingToken.safeApprove(address(NotionalV2), type(uint256).max);

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xSolus, 0xf15ers, 0xkatana, 0xmint, 8olidity, Chom, Cityscape, DavidGialdi, Deivitto, ElKu, Fitraldys, Funen, GreyArt, Lambda, Meera, Picodes, PierrickGT, Sm4rty, Tadashi, TerrierLover, TomJ, Tomio, UnusualTurtle, Waze, _Adam, antonttc, asutorufos, berndartmueller, c3phas, catchup, csanuragjain, delfin454000, djxploit, ellahi, fatherOfBlocks, hake, hansfriese, hyh, joestakey, kaden, minhquanym, oyc_109, rfa, sach1r0, saian, samruna, simon135, slywaters, ynnad

Awards

49.0602 USDC - $49.06

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

Gas Report

Variables do not need to be initialized with 'empty' values such as 0, false, or address(0)

Uninitialized variables by default contain a value equivalent to 0: uints are initialized to 0; bools to false; addresses to address(0).

Explicitly assigning these values to variables when they are declared increases gas costs while providing no funciton.

e.g. change this code:

uint256 var = 0;

to

uint256 var;

For more information, please consult the following resources:

Tips and Tricks to Save Gas and Reduce Bytecode Size

The following lines of code are affected:

2022-06-notional-coop/NotionalTradeModule.sol:238:        for(uint256 i = 0; i < modules.length; i++) {
2022-06-notional-coop/NotionalTradeModule.sol:254:        for(uint256 i = 0; i < modules.length; i++) {
2022-06-notional-coop/NotionalTradeModule.sol:393:        for(uint256 i = 0; i < positionsLength; i++) {
2022-06-notional-coop/NotionalTradeModule.sol:519:        uint32 minImpliedRate = 0;
2022-06-notional-coop/NotionalTradeModule.sol:605:        for(uint256 i = 0; i < positionsLength; i++) {
2022-06-notional-coop/NotionalTradeModule.sol:618:        for(uint256 i = 0; i < positionsLength; i++) {
2022-06-notional-coop/NotionalTradeModule.sol:48:    address internal constant ETH_ADDRESS = address(0);

Replace postfix increment (var++) with prefix increment (++var)

Using ++i costs less gas than using i++. In the context of a for-loop, gas is saved on each iteration.

The following lines of code are affected:

Replace postfix increment (var++) with prefix increment (++var)

2022-06-notional-coop/NotionalTradeModule.sol:238:        for(uint256 i = 0; i < modules.length; i++) {
2022-06-notional-coop/NotionalTradeModule.sol:254:        for(uint256 i = 0; i < modules.length; i++) {
2022-06-notional-coop/NotionalTradeModule.sol:393:        for(uint256 i = 0; i < positionsLength; i++) {
2022-06-notional-coop/NotionalTradeModule.sol:605:        for(uint256 i = 0; i < positionsLength; i++) {
2022-06-notional-coop/NotionalTradeModule.sol:610:                    numFCashPositions++;
2022-06-notional-coop/NotionalTradeModule.sol:618:        for(uint256 i = 0; i < positionsLength; i++) {
2022-06-notional-coop/NotionalTradeModule.sol:623:                    j++;

Replace strict greater-than-zero operation (> 0) with does-not-equal-zero (!= 0) operation

When checking whether a value is equal to zero, using the construction var != 0 is costs less gas than using var > 0. Note that this is true only when the comparison occurs in a conditional context and the Solidity compiler is using the Optimizer.

Alternatively, when using Solidity versions that are greather than or equal to the 0.8.13 release, contracts can be compile with the flag --via-ir. Doing so will eliminate the difference in gas costs discussed here.

For more information, please consult the following resources:

Twitter discussion detailing the gas costs of != 0 vs > 0 in require() calls

Solidity Compiler: Optimizer options

Compiler flag dicussion on Twitter

The following lines of code are affected:

2022-06-notional-coop/notional-wrapped-fcash/contracts/wfCashBase.sol:37:        require(cashGroup.maxMarketIndex > 0, "Invalid currency");
2022-06-notional-coop/notional-wrapped-fcash/contracts/wfCashERC4626.sol:23:        require(underlyingExternal > 0, "Must Settle");

Use strict less-than/greather-than comparisons rather than less-than-or-equal/greater-than-or-equal

When compiled, Solidity code using the >= or <= comparison operators in fact executes two separate checks: one for 'is-equal-to' and a second for 'is-greater-than/is-less-than'. By contrast, using > or < performs only one check. Therefore code that is written to use strict comparison operators is more gas-efficient.

If this change is applied, be sure to update the relevant variables being evaluated. For clarity, it is also advised to rename the variables to make this change explicit, e.g. renaming a variable from MINIMUM to MINIMUM_PLUS_ONE.

The following lines are affected:

2022-06-notional-coop/NotionalTradeModule.sol:449:        require(sentAmount <= _maxSendAmount, "Overspent");
2022-06-notional-coop/NotionalTradeModule.sol:485:        require(receivedAmount >= _minReceiveAmount, "Not enough received amount");
2022-06-notional-coop/notional-wrapped-fcash/contracts/wfCashBase.sol:89:        return getMaturity() <= block.timestamp;
2022-06-notional-coop/notional-wrapped-fcash/contracts/wfCashERC4626.sol:245:        require(int256(type(int88).min) <= y);
2022-06-notional-coop/notional-wrapped-fcash/contracts/wfCashERC4626.sol:42:        require(pvExternal >= 0);
2022-06-notional-coop/notional-wrapped-fcash/contracts/wfCashLogic.sol:316:        require(x <= uint256(type(uint88).max));

The following require() statements should be refactored:

Pragma statement should be at least 0.8.4

The pragma declaration allows for Solidity versions less than version 0.8.4. Several gas optimization features have been introduced in versions of Solidity between 0.8.0 and 0.8.4, including:

  • The "low-level inliner" (version 0.8.2)
  • Improvements to the optimizer (version 0.8.3)
  • Custom errors (version 0.8.4)

For more information consult the following resources:

The following pragma statements should be updated:

2022-06-notional-coop/notional-wrapped-fcash/contracts/wfCashERC4626.sol:2:pragma solidity ^0.8.0;
AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter