Platform: Code4rena
Start Date: 16/11/2021
Pot Size: $50,000 ETH
Total HM: 11
Participants: 17
Period: 7 days
Judge: LSDan
Total Solo HM: 8
Id: 49
League: ETH
Rank: 10/17
Findings: 2
Award: $1,087.70
🌟 Selected for report: 3
🚀 Solo Findings: 0
🌟 Selected for report: pauliax
Also found by: Meta0xNull, pants, ye0lde
ye0lde
Open TODOs can point to architecture or programming issues that still need to be resolved.
The TODOs are here:
https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/collateral/OverlayV1OVLCollateral.sol#L304
https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/collateral/OverlayV1OVLCollateral.sol#L396
https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/market/OverlayV1OI.sol#L108
VS Code
Consider resolving the TODOs before deploying.
#0 - mikeyrf
2021-12-07T00:07:24Z
duplicate #116
🌟 Selected for report: ye0lde
0.0161 ETH - $74.28
ye0lde
Removing unused named return variables can reduce gas usage and improve code clarity.
Unused named returns https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/market/OverlayV1PricePoint.sol#L142-L144
Visual Studio Code, Remix
Remove the named return variables
#0 - mikeyrf
2021-12-07T21:24:11Z
sponsor acknowledged reason - minimal gas savings of 45 gas
🌟 Selected for report: ye0lde
0.0161 ETH - $74.28
ye0lde
Removing unneeded variables and code can reduce gas usage and improve code clarity.
The local variable _impact is defined and set but then copied to the named return variable impact_. They are both then used but are the same value at that point.
https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/market/OverlayV1Market.sol#L58-L66
Visual Studio Code, Remix
Change line 58 - impact_ = intake(_isLong, _oi, _cap);
Delete line 62 - impact_ = _impact;
Change line 66 - collateralAdjusted_ = _collateral - impact_ - fee_;
#0 - mikeyrf
2021-12-07T21:24:57Z
sponsor acknowledged reason - minimal gas savings
🌟 Selected for report: WatchPug
Also found by: defsec, harleythedog, ye0lde
ye0lde
Redundant arithmetic underflow/overflow checks can be avoided when an underflow/overflow cannot happen.
The "unchecked" keyword can be applied here since there is a "require" statement before to ensure the arithmetic operations would not cause an integer underflow or overflow. https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/market/OverlayV1Market.sol#L66
Change the code at 66 to:
unchecked { collateralAdjusted_ = _collateral - _impact - fee_; }
Visual Studio Code, Remix
Add the "unchecked" keyword as shown above.
I just realized this finding overlaps this previous finding: Unneeded variable and code in enterOI (OverlayV1Market.sol)
This mitigation is best applied after the mitigation for "Unneeded variable and code in enterOI"
unchecked { collateralAdjusted_ = _collateral - impact_ - fee_; }
Sorry wasn't trying to pad the findings, just found them at different times.
#0 - mikeyrf
2021-12-07T00:18:38Z
duplicate #56
ye0lde
Shortening revert strings to fit in 32 bytes will decrease deployment time gas and will decrease runtime gas when the revert condition has been met. Revert strings that are longer than 32 bytes require at least one additional mstore, along with additional overhead for computing memory offset, etc.
https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/ovl/OverlayToken.sol#L131
https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/ovl/OverlayToken.sol#L277
https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/ovl/OverlayToken.sol#L310
https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/ovl/OverlayToken.sol#L322-L328
https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/ovl/OverlayToken.sol#L386
https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/ovl/OverlayToken.sol#L403-L404
Visual Studio Code
Consider shortening the revert strings to fit in 32 bytes or using custom errors (v0.8.4) in the future.
#0 - mikeyrf
2021-12-07T21:57:01Z
duplicate - #65
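One way to locate revert strings over the 32-byte threshold described in the finding above, as an added example that is not part of the original report or the Overlay code base. The function name, the regular expressions and the sample contract are assumptions made for illustration; the scan handles only plain string literals and does not strip comments.

```python
import re

# A quoted Solidity string literal (double or single quotes, backslash escapes allowed).
_STRING = r'("(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')'
# require(<cond>, "msg"); or revert("msg"); custom errors (revert Foo();) do not match.
_REVERT_RE = re.compile(
    r'\b(require|revert)\s*\((?:[^;]*?,\s*)?' + _STRING + r'\s*\)\s*;', re.S)
# Assumption: \xNN and single-character escapes each encode one byte.
_ESCAPE = re.compile(r'\\(?:x[0-9a-fA-F]{2}|.)')


def long_revert_strings(source, limit=32):
    """Return (line, keyword, byte_length, message) for messages over `limit` bytes."""
    findings = []
    for m in _REVERT_RE.finditer(source):
        message = m.group(2)[1:-1]  # drop the surrounding quotes
        size = len(_ESCAPE.sub("?", message).encode("utf-8"))
        if size > limit:
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), size, message))
    return findings


# Constructed sample contract (not taken from the audited repository).
SAMPLE = '''\
pragma solidity ^0.8.7;
contract Token {
    function transfer(address to, uint256 amount) external {
        require(to != address(0), "ERC20: transfer to the zero address");
        require(amount > 0, "zero amount");
        require(
            balanceOf(msg.sender, 0) >= amount,
            "ERC20: transfer amount exceeds balance"
        );
        if (paused) revert("paused");
        if (amount > cap) revert CapExceeded();
    }
}
'''

if __name__ == "__main__":
    for line, keyword, size, message in long_revert_strings(SAMPLE):
        print(f"line {line}: {keyword} message is {size} bytes: {message!r}")
```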
🌟 Selected for report: ye0lde
ye0lde
Code clarity
"@param" should be "@return" https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/market/OverlayV1Market.sol#L83-L85
Not sure what this comment is for; maybe it just needs to be deleted. https://github.com/code-423n4/2021-11-overlay/blob/1833b792caf3eb8756b1ba5f50f9c2ce085e54d0/contracts/mothership/OverlayV1Mothership.sol#L155
Visual Studio Code, Remix
Correct the comments if the suggestions are valid.