Mimo DeFi contest - sorrynotsorry's results

Bridging the chasm between the DeFi world and the world of regulated financial institutions.

General Information

Platform: Code4rena

Start Date: 28/04/2022

Pot Size: $50,000 USDC

Total HM: 7

Participants: 43

Period: 5 days

Judge: gzeon

Total Solo HM: 2

Id: 115

League: ETH

Researcher Performance

Rank: 19/43

Findings: 2

Award: $164.00

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

104.9405 USDC - $104.94

Labels

bug
QA (Quality Assurance)

QA (LOW RISK - NON-CRITICAL)

  • Different solidity compiler versions used. This leads to potential security flaws between deployed contracts depending on the compiler version chosen for any particular file. It also greatly increases the cost of maintenance as different compiler versions have different semantics and behavior.

  • In BalancerV2LPOracle.sol, latestRoundData() method is used, but there is no check if the return value indicates stale data.

  • The require statements in AddressProvider.sol, VaultsCore.sol, and ABDKMath64x64.sol don't provide error messages on revert. When transactions revert, the users won't receive error messages indicating the cause of the failure.

  • The transfer method is used inside the codebase. Since the transfer method forwards a fixed 2300 gas stipend that is not adjustable, it is likely to break in the future in case of hard forks that change gas prices, or when calling a contract's fallback function. Reference Link -1, Reference Link -2

  • block.timestamp is used in many places in the scoped contracts. However, it can be manipulated by malicious miners. Reference
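The second, third and fifth points above (no staleness check on latestRoundData(), require statements without reasons, and reliance on block.timestamp) are illustrated together in the following added example. It is not code from the Mimo repository or from the report; it is a hypothetical consumer contract written here, using Chainlink's real AggregatorV3Interface signature reproduced inline so it compiles on its own. The contract name, the `maxStaleness` parameter and the assumption that the feed has at most 18 decimals are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.13; // one pinned compiler version for the whole codebase (assumed 0.8.x)

// Minimal reproduction of Chainlink's AggregatorV3Interface so this file compiles stand-alone.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Hypothetical price consumer (not Mimo's BalancerV2LPOracle) with a guarded latestRoundData() read.
contract GuardedPriceFeed {
    AggregatorV3Interface public immutable feed;
    /// @dev Assumed bound in seconds; in practice the feed's heartbeat plus a safety margin.
    uint256 public immutable maxStaleness;

    constructor(AggregatorV3Interface _feed, uint256 _maxStaleness) {
        // Every require carries a reason so a reverted deployment or call is diagnosable.
        require(address(_feed) != address(0), "GuardedPriceFeed: feed is zero address");
        require(_maxStaleness > 0, "GuardedPriceFeed: staleness bound is zero");
        feed = _feed;
        maxStaleness = _maxStaleness;
    }

    /// @return price the latest positive answer scaled to 18 decimals
    function getPrice() external view returns (uint256 price) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        // Reject negative or zero answers (a halted or broken feed can return 0).
        require(answer > 0, "GuardedPriceFeed: non-positive answer");
        // An incomplete round reports updatedAt == 0.
        require(updatedAt != 0, "GuardedPriceFeed: round not complete");
        // The answer must come from the round being reported, not a carried-over earlier round.
        require(answeredInRound >= roundId, "GuardedPriceFeed: stale round");
        // block.timestamp is only used as a coarse bound here: a miner can shift it by seconds,
        // which is harmless against a staleness window measured in minutes or hours.
        require(block.timestamp - updatedAt <= maxStaleness, "GuardedPriceFeed: stale price");

        uint8 dec = feed.decimals(); // assumed <= 18; the subtraction below reverts otherwise
        price = uint256(answer) * (uint256(10) ** uint256(18 - dec));
    }
}
```

The staleness window should be chosen per feed rather than hard-coded globally, since Chainlink feeds have different heartbeats; setting it too tight produces spurious reverts, setting it too loose defeats the check.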

Awards

59.0559 USDC - $59.06

Labels

bug
G (Gas Optimization)

GAS OPTIMIZATIONS

  • Using immutable instead of constant variables will save gas.

  • Caching .length inside loops will save gas, located at: FeeDistributor.sol#L47-69-75, GovernorAlpha.sol#L114-128-148

  • At AdminInceptionVault.sol:108 a storage variable is read directly inside a loop. It can be cached to memory beforehand.

  • Using bytes32 instead of string saves gas whenever possible. A string is a dynamic data structure and therefore consumes more gas than bytes32. The team can use bytes32 instead of string in the following places: BalancerV2LPOracle.sol:17-29, GUniLPOracle.sol:15-30

  • Changing the abi.encode function to abi.encodePacked at SuperVault.sol#L130-131-178-179-226-227 can save gas, since abi.encode pads extra null bytes at the end of the call data, which is unnecessary. Also, in general, abi.encodePacked is more gas-efficient.
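The second and third gas points (caching `.length` and caching a storage variable outside a loop) are shown side by side in the following added example. It is not code from Mimo's FeeDistributor or AdminInceptionVault; the `PayeeRegistry` contract, its fields and the `owedBefore`/`owedAfter` functions are hypothetical and exist only to contrast the two loop shapes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.13;

/// @notice Hypothetical share registry (not a Mimo contract) contrasting an uncached and a cached loop.
contract PayeeRegistry {
    address[] public payees;
    uint256 public totalShares;                 // storage value the loop needs on every iteration
    mapping(address => uint256) public shares;

    function add(address payee, uint256 share) external {
        payees.push(payee);
        shares[payee] = share;
        totalShares += share;
    }

    /// @dev Before: payees.length and totalShares are each re-read from storage (SLOAD) on every iteration.
    function owedBefore(uint256 amount) external view returns (uint256[] memory owed) {
        owed = new uint256[](payees.length);
        for (uint256 i = 0; i < payees.length; i++) {
            owed[i] = (amount * shares[payees[i]]) / totalShares;
        }
    }

    /// @dev After: both values are loaded once into the stack; only the per-payee reads remain in the loop.
    ///      The loop counter is incremented in an unchecked block because it cannot overflow before
    ///      the bound `len` is reached.
    function owedAfter(uint256 amount) external view returns (uint256[] memory owed) {
        uint256 len = payees.length;
        uint256 total = totalShares;
        owed = new uint256[](len);
        for (uint256 i = 0; i < len; ) {
            owed[i] = (amount * shares[payees[i]]) / total;
            unchecked { ++i; }
        }
    }
}
```

Caching is only valid when the loop body does not modify the cached value or the array; if it pushes to `payees` or changes `totalShares`, the snapshot becomes wrong and the uncached read is the correct one.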
