15,000 USDC
Submission Details
Severity: gas
Valid

LQAG Report

Contents:

Low Risk Issues

No. Issue
1 Always use safeTransferFrom instead of transferFrom
2 Owner can renounce Ownership

[L-01] Always use safeTransferFrom instead of transferFrom


Lines of Code:


[L-02] Owner can renounce Ownership


Description:

Typically, the contract’s owner is the account that deploys the contract. As a result, the owner is able to perform certain privileged activities.

The non-fungible Ownable used in this project's contract implements renounceOwnership. This can represent a risk if ownership is renounced for any reason other than by design. Renouncing ownership leaves the contract without an owner, thereby removing any functionality that is only available to the owner.

Lines of Code:


[L-03] onlyOwner functions


onlyOwner functions:


Non Critical Issues

No. Issue
1 Tokens accidentally sent to the contract cannot be recovered
2 Use a more recent version of Solidity

[NC-01] Tokens accidentally sent to the contract cannot be recovered


Description:

Tokens that accidentally arrive at the contract address cannot be recovered. This has happened to many popular projects, so I recommend adding recovery code to your critical contracts.

Recommendation:

Add this code:

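/**
 * @notice Sends ERC20 tokens trapped in contract to external address
 * @dev Only the owner is allowed to make this function call.
 *      Requires an IERC20 interface (for example OpenZeppelin's) in scope.
 * @param account is the receiving address
 * @param externalToken is the token being sent
 * @param amount is the quantity being sent
 * @return boolean value indicating whether the operation succeeded.
 */
function rescueERC20(address account, address externalToken, uint256 amount) public onlyOwner returns (bool) {
    // Revert when the token reports failure instead of returning true unconditionally.
    // Tokens that return no value at all need a SafeERC20-style transfer instead.
    require(IERC20(externalToken).transfer(account, amount), "rescueERC20: transfer failed");
    return true;
}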
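The recovery function above, generalized so that it also works with tokens that return no value from transfer, which ties this recommendation to [L-01]. This is an added example, not code from the audited project; the contract name, the minimal owner check and the event are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

/// Added example: contract name, owner check and event are assumptions.
contract TokenRescueExample {
    address public immutable owner;

    event Rescued(address indexed token, address indexed to, uint256 amount);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// Sends ERC20 tokens trapped in this contract to `account`.
    function rescueERC20(address account, address externalToken, uint256 amount)
        external
        onlyOwner
        returns (bool)
    {
        require(account != address(0), "zero recipient");
        _safeTransfer(externalToken, account, amount);
        emit Rescued(externalToken, account, amount);
        return true;
    }

    /// Low-level transfer that accepts both token styles:
    /// tokens returning a bool and tokens returning no data at all.
    function _safeTransfer(address token, address to, uint256 amount) private {
        // A call to an address without code succeeds and returns nothing,
        // so reject it explicitly.
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory ret) =
            token.call(abi.encodeWithSignature("transfer(address,uint256)", to, amount));
        // Fail if the call reverted, or if it returned data that decodes to false.
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
    }
}
```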

Lines of Code:


[NC-02] Use a more recent version of Solidity


Description:

For security, it is best practice to use the latest Solidity version. For the list of security fixes in each version, see: https://github.com/ethereum/solidity/blob/develop/Changelog.md

Recommendation:

An old version of Solidity is used; a newer version can be used (0.8.21).

Lines of Code:

Gas Optimizations Report

No. Issue
1 ++i/i++ should be unchecked{++i}/unchecked{i++} when it is not possible for them to overflow, as is the case when used in for-loop and while-loops
2 Optimize names to save gas [22 gas per instance]
3 Setting the constructor to payable [~13 gas per instance]
4 Comparison operators
5 <array>.length should not be looked up in every loop of a for-loop
6 x += y costs more gas than x = x + y for state variables

[G-01] ++i/i++ should be unchecked{++i}/unchecked{i++} when it is not possible for them to overflow, as is the case when used in for-loop and while-loops


Description:

In Solidity 0.8+, there’s a default overflow check on unsigned integers. It’s possible to uncheck this in for-loops and save some gas at each iteration, but at the cost of some code readability, as this uncheck cannot be made inline.

Recommendation:

Using Solidity's unchecked block saves the overflow checks.

Proof Of Concept:

https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md#g011---unnecessary-checked-arithmetic-in-for-loop

Lines of Code:


[G-02] Optimize names to save gas [22 gas per instance]


Description:

A contract's most-called functions could save gas through function ordering by Method ID. Calling a function at runtime will be cheaper if the function is positioned earlier in the order (has a relatively lower Method ID) because 22 gas are added to the cost of a function for every position that came before it. The caller can save on gas if you prioritize the most-called functions.

Recommendation:

Find a name with a lower method ID for the most-called functions; for example, Call() vs. Call1() is cheaper by 22 gas. For example, the function IDs in the L1GraphTokenGateway.sol contract will be the most used; a lower method ID may be given.

Proof Of Concept:

https://medium.com/joyso/solidity-how-does-function-name-affect-gas-consumption-in-smart-contract-47d270d8ac92

Lines of Code:


[G-03] Setting the constructor to payable [~13 gas per instance]


Lines of Code:


[G-04] Comparison operators


Description:

In the EVM, there is no opcode for >= or <=. When using greater than or equal, two operations are performed: > and =. Using strict comparison operators hence saves gas.

Recommendation:

Replace <= with <, and >= with >. Do not forget to increment/decrement the compared variable.

Lines of Code:


[G-05] <array>.length should not be looked up in every loop of a for-loop


Description:

The overheads outlined below are PER LOOP, excluding the first loop

  • storage arrays incur a Gwarmaccess (100 gas)

  • memory arrays use MLOAD (3 gas)

  • calldata arrays use CALLDATALOAD (3 gas)

Caching the length changes each of these to a DUP<N> (3 gas), and gets rid of the extra DUP needed to store the stack offset
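The two loop optimizations from [G-01] and [G-05] applied together to a storage array, next to the unoptimized form. This is an added example, not code from the audited project; the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

/// Added example: contract and function names are assumptions.
contract LoopGasExample {
    uint256[] private values; // storage array: each .length read is an SLOAD

    function push(uint256 v) external {
        values.push(v);
    }

    /// Baseline: length re-read from storage and checked increment every iteration.
    function sumBaseline() external view returns (uint256 total) {
        for (uint256 i = 0; i < values.length; i++) {
            total += values[i];
        }
    }

    /// G-05 and G-01 applied: length cached on the stack, increment unchecked.
    function sumOptimized() external view returns (uint256 total) {
        uint256 len = values.length; // one SLOAD instead of one per iteration
        for (uint256 i = 0; i < len; ) {
            total += values[i]; // stays checked: a sum of stored data can overflow
            unchecked {
                ++i; // cannot overflow: i < len <= type(uint256).max
            }
        }
    }
}
```

Only the loop counter is moved into the unchecked block; arithmetic on values the contract does not bound stays checked. From Solidity 0.8.22 the compiler omits the overflow check on this kind of loop increment by itself, so the manual unchecked block matters only for older versions.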

Lines of Code:


[G-06] x += y costs more gas than x = x + y for state variables


Lines of Code:
