Back to z3s's contests

veToken Finance contest - z3s's results

Lock more veAsset permanently.

General Information

Platform: Code4rena

Start Date: 26/05/2022

Pot Size: $75,000 USDT

Total HM: 31

Participants: 71

Period: 7 days

Judge: GalloDaSballo

Total Solo HM: 18

Id: 126

League: ETH

veToken Finance

Findings Distribution

Researcher Performance

Rank: 52/71

Findings: 2

Award: $151.96

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryveToken Finance

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xf15ers, BouSalman, Chom, Deivitto, Dravee, ElKu, FSchmoede, Funen, GimelSec, Hawkeye, MiloTruck, Picodes, SecureZeroX, SmartSek, TerrierLover, WatchPug, _Adam, asutorufos, berndartmueller, c3phas, catchup, cccz, cogitoergosumsw, cryptphi, csanuragjain, delfin454000, dipp, ellahi, gzeon, hansfriese, horsefacts, hyh, kirk-baird, minhquanym, oyc_109, pauliax, reassor, robee, sashik_eth, shenwilly, simon135, sorrynotsorry, sseefried, unforgiven, xiaoming90, z3s

Awards

99.8852 USDT - $99.89

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Non Critical

[N01] For critical changes it's better to use two-step procedure:

Booster.sol
  123,5:     function setOwner(address _owner) external {
  129,5:     function setFeeManager(address _feeM) external {

VeAssetDepositor.sol
  53,5:     function setFeeManager(address _feeManager) external {

VoterProxy.sol
  62,5:     function setOwner(address _owner) external {

Lack of two-step procedure for critical operations leaves them error-prone. Consider adding two step procedure on the critical functions.

#0 - GalloDaSballo

2022-07-07T00:38:23Z

NC

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, Cityscape, Dravee, ElKu, FSchmoede, Funen, GalloDaSballo, Hawkeye, Kaiziron, MiloTruck, Randyyy, RoiEvenHaim, Ruhum, SecureZeroX, SmartSek, TerrierLover, TomJ, Tomio, WatchPug, Waze, _Adam, asutorufos, c3phas, catchup, cogitoergosumsw, delfin454000, ellahi, fatherOfBlocks, gzeon, hansfriese, horsefacts, jonatascm, minhquanym, oyc_109, pauliax, reassor, robee, sach1r0, saian, sashik_eth, simon135, z3s

Awards

52.0655 USDT - $52.07

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

Gas Optimizations

[G01] uint256 default value is 0 so we can remove = 0:

BaseRewardPool.sol
  66,33:     uint256 public periodFinish = 0;
  67,31:     uint256 public rewardRate = 0;
  70,34:     uint256 public queuedRewards = 0;
  71,35:     uint256 public currentRewards = 0;
  72,38:     uint256 public historicalRewards = 0;
  176,24:         for (uint256 i = 0; i < extraRewards.length; i++) {
  199,24:         for (uint256 i = 0; i < extraRewards.length; i++) {
  218,24:         for (uint256 i = 0; i < extraRewards.length; i++) {
  245,24:         for (uint256 i = 0; i < extraRewards.length; i++) {
  282,28:             for (uint256 i = 0; i < extraRewards.length; i++) {

Booster.sol
  329,24:         for (uint256 i = 0; i < poolInfo.length; i++) {

ExtraRewardStashV1.sol
  29,38:     uint256 public historicalRewards = 0;

ExtraRewardStashV2.sol
  71,28:             for (uint256 i = 0; i < length; i++) {
  78,28:             for (uint256 i = 0; i < length; i++) {
  137,24:         for (uint256 i = 0; i < maxRewards; i++) {
  181,24:         for (uint256 i = 0; i < tokenCount; i++) {
  213,24:         for (uint256 i = 0; i < tokenCount; i++) {

ExtraRewardStashV3.sol
  84,24:         for (uint256 i = 0; i < maxRewards; i++) {
  126,24:         for (uint256 i = 0; i < tokenCount; i++) {

RewardFactory.sol
  49,24:         for (uint256 i = 0; i < length; i++) {
  66,24:         for (uint256 i = 0; i < length; i++) {

VE3DLocker.sol
  286,24:         for (uint256 i = 0; i < userRewards.length; i++) {
  315,51:         for (uint256 i = locks.length - 1; i + 1 != 0; i--) {
  360,51:         for (uint256 i = locks.length - 1; i + 1 != 0; i--) {
  387,49:         for (uint256 i = epochindex - 1; i + 1 != 0; i--) {
  406,41:         for (uint256 i = _epoch; i + 1 != 0; i--) {
  420,21:         uint256 min = 0;
  425,24:         for (uint256 i = 0; i < 128; i++) {
  613,24:         uint256 reward = 0;
  803,28:             for (uint256 i = 0; i < rewardTokens.length; i++) {

VE3DRewardPool.sol
  148,24:         for (uint256 i = 0; i < rewardTokens.length(); i++) {
  214,24:         for (uint256 i = 0; i < length; i++) {
  238,24:         for (uint256 i = 0; i < length; i++) {
  257,24:         for (uint256 i = 0; i < length; i++) {
  281,24:         for (uint256 i = 0; i < rewardTokens.length(); i++) {
  326,28:             for (uint256 i = 0; i < length; i++) {

VeAssetDepositor.sol
  28,37:     uint256 public incentiveVeAsset = 0;

VirtualBalanceRewardPool.sol
  74,33:     uint256 public periodFinish = 0;
  75,31:     uint256 public rewardRate = 0;
  78,34:     uint256 public queuedRewards = 0;
  79,35:     uint256 public currentRewards = 0;
  80,38:     uint256 public historicalRewards = 0;

VoterProxy.sol
  217,28:             for (uint256 i = 0; i < _tokenVote.length; i++) {
  227,26:         uint256 _balance = 0;

[G02] ++i use less gas than i++:

++i costs less gas compared to i++. about 5 gas per iteration.

BaseRewardPool.sol
  176,54:         for (uint256 i = 0; i < extraRewards.length; i++) {
  199,54:         for (uint256 i = 0; i < extraRewards.length; i++) {
  218,54:         for (uint256 i = 0; i < extraRewards.length; i++) {
  245,54:         for (uint256 i = 0; i < extraRewards.length; i++) {
  282,58:             for (uint256 i = 0; i < extraRewards.length; i++) {

Booster.sol
  329,50:         for (uint256 i = 0; i < poolInfo.length; i++) {

ExtraRewardStashV2.sol
  71,45:             for (uint256 i = 0; i < length; i++) {
  78,45:             for (uint256 i = 0; i < length; i++) {
  137,45:         for (uint256 i = 0; i < maxRewards; i++) {
  181,45:         for (uint256 i = 0; i < tokenCount; i++) {
  213,45:         for (uint256 i = 0; i < tokenCount; i++) {

ExtraRewardStashV3.sol
  84,45:         for (uint256 i = 0; i < maxRewards; i++) {
  126,45:         for (uint256 i = 0; i < tokenCount; i++) {

RewardFactory.sol
  49,41:         for (uint256 i = 0; i < length; i++) {
  66,41:         for (uint256 i = 0; i < length; i++) {

VE3DLocker.sol
  207,50:         for (uint256 i; i < rewardTokens.length; i++) {
  286,53:         for (uint256 i = 0; i < userRewards.length; i++) {
  425,38:         for (uint256 i = 0; i < 128; i++) {
  457,61:         for (uint256 i = nextUnlockIndex; i < locks.length; i++) {
  640,59:             for (uint256 i = nextUnlockIndex; i < length; i++) {
  720,50:         for (uint256 i; i < rewardTokens.length; i++) {
  803,58:             for (uint256 i = 0; i < rewardTokens.length; i++) {

VE3DRewardPool.sol
  148,56:         for (uint256 i = 0; i < rewardTokens.length(); i++) {
  214,41:         for (uint256 i = 0; i < length; i++) {
  238,41:         for (uint256 i = 0; i < length; i++) {
  257,41:         for (uint256 i = 0; i < length; i++) {
  281,56:         for (uint256 i = 0; i < rewardTokens.length(); i++) {
  326,45:             for (uint256 i = 0; i < length; i++) {

VoterProxy.sol
  217,56:             for (uint256 i = 0; i < _tokenVote.length; i++) {

[G03] Use Custom Errors to save Gas:

Custom errors from Solidity 0.8.4 are cheaper than require messages. https://blog.soliditylang.org/2021/04/21/custom-errors/

[G04] SafeMath is not needed when using Solidity version 0.8:

Solidity version 0.8.* already implements overflow and underflow checks by default. Using the SafeMath library from OpenZeppelin (which is more gas expensive than the 0.8.* overflow checks) is therefore redundant.

Use arithmetics instead of SafeMath lib.

#0 - GalloDaSballo

2022-07-18T23:58:12Z

Less than 500 gas saved

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter