This report includes a list of vulnerabilities found in the contracts, along with their impact, the lines of code affected, and recommended actions to address them.
Impact: Medium
Findings: Multiple loops in the Distribution.sol contract re-read the array length on every iteration instead of caching it outside the loop. Caching it could save gas but may not significantly affect the functionality of the system.
Lines of code affected:
Distribution.sol::62
Distribution.sol::79
Distribution.sol::129
Distribution.sol::133
Distribution.sol::303
Impact: Medium
Findings: Several unsigned integer comparisons using '> 0' instead of '!= 0' were found in the Distribution.sol contract. Using '!= 0' could save gas but may not significantly affect the functionality of the system.
Lines of code affected:
Distribution.sol::117
Distribution.sol::163
Distribution.sol::195
Distribution.sol::235
Distribution.sol::257
Distribution.sol::325
WStETHMock.sol::23
Impact: Low
Findings: The role declarations in the L2MessageReceiver.sol contract were not declared as immutable. Making them immutable could save gas but may not significantly affect the functionality of the system.
Lines of code affected:
L2MessageReceiver.sol::60
L2MessageReceiver.sol::84
Impact: Low
Findings: Multiple instances of long revert strings were found in various contracts. This could potentially cause unnecessary delays but may not significantly affect the functionality of the system.
Lines of code affected: Various lines across multiple contracts.
Impact: Medium
Findings: A multiplication/division operation was found in the LinearDistributionIntervalDecrease.sol contract. Replacing it with a shift operation where possible could save gas but may not significantly affect the functionality of the system.
Line of code affected: LinearDistributionIntervalDecrease.sol::158
Impact: High
Findings: Several ERC20 operations were found in the L1Sender.sol and mock contracts that could potentially allow unsafe behavior. These operations could potentially allow attacks or unexpected behaviors, significantly affecting the security of the system.
Lines of code affected:
L1Sender.sol::69
L1Sender.sol::76
L1Sender.sol::91
L1Sender.sol::95
GatewayRouterMock.sol::15
SwapRouterMock.sol::9
SwapRouterMock.sol::10
WStETHMock.sol::25
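To illustrate the High-impact finding above, here is an added example (not code from L1Sender.sol or the mocks) showing a raw ERC20 call pattern of the kind c4udit flags beside its hardened form using OpenZeppelin's SafeERC20; the contract, function and gateway names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical bridge sender written for this note; it is not L1Sender.sol.
// Pattern flagged by c4udit: raw transferFrom/approve calls.
contract UnsafeSender {
    address public immutable gateway; // hypothetical bridge gateway address

    constructor(address gateway_) { gateway = gateway_; }

    function deposit(IERC20 token, uint256 amount) external {
        // Two failure modes: a token that returns false instead of reverting
        // is silently treated as success, so the contract believes it holds
        // funds it never received; a token whose transferFrom returns no data
        // makes this call revert while decoding the expected bool, so such
        // tokens cannot be deposited at all.
        token.transferFrom(msg.sender, address(this), amount);
        // approve reverts on tokens that require the allowance to be reset to
        // zero before it can be changed, and its bool return is ignored too.
        token.approve(gateway, amount);
    }
}

// Hardened form using OpenZeppelin SafeERC20.
contract SafeSender {
    using SafeERC20 for IERC20;

    address public immutable gateway;

    constructor(address gateway_) { gateway = gateway_; }

    function deposit(IERC20 token, uint256 amount) external {
        // Reverts if the call fails, returns false, or returns malformed data;
        // a token returning no data is accepted as a success.
        token.safeTransferFrom(msg.sender, address(this), amount);
        // forceApprove (OpenZeppelin >= 4.9) retries via a zero allowance when
        // a direct approve fails, covering reset-to-zero tokens. It also
        // replaces the deprecated safeApprove named later in this report.
        token.forceApprove(gateway, amount);
    }
}
```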
Impact: Low
Findings: The compiler version was not specified in the pragma statement in multiple contracts. This could potentially cause compatibility issues but may not significantly affect the functionality of the system.
Lines of code affected: Various lines across multiple contracts.
Impact: Low
Findings: The deprecated TransferHelper.safeApprove function was used in the L2TokenReceiver.sol contract. This could potentially cause unexpected behavior but may not significantly affect the functionality of the system.
Lines of code affected:
L2TokenReceiver.sol::
The identified vulnerabilities can have varying impacts on the system. The "Cache Array Length Outside of Loop" and "Use != 0 instead of > 0 for Unsigned Integer Comparison" vulnerabilities could lead to unnecessary gas consumption, potentially slowing down transactions. The "Long Revert Strings" vulnerability could cause unnecessary delays due to large error messages. The "Unsafe ERC20 Operation(s)" vulnerability could allow for potential attacks or unexpected behavior. The "Unspecific Compiler Version Pragma" vulnerability could lead to compatibility issues. Lastly, the "Do not use Deprecated Library Functions" vulnerability could pose potential security risks [1][2][3].
c4udit
The vulnerabilities were identified using the c4udit tool, a static analysis tool specifically designed for Solidity contracts. This tool scans the contract code to identify common issues and vulnerabilities [1][2][3].
Cache array lengths outside of loops instead of re-reading them on every iteration to reduce gas consumption.
Replace > 0 with != 0 in unsigned integer comparisons.
Use immutable statements for OpenZeppelin AccessControl's role declarations.
Shorten revert strings to avoid unnecessary delays.
Replace divisions/multiplications with shift right/left operations where possible.
Avoid unsafe ERC20 operations.
Specify the compiler version to avoid compatibility issues.
Refrain from using deprecated library functions.
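As an added illustration of the recommendations above (not code from the audited contracts), a hypothetical contract showing each flagged pattern in a comment beside its recommended form; the role name, error name and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20; // pinned version instead of a floating ^0.8.0 range

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical contract written for this note; it is not Distribution.sol
// or L2MessageReceiver.sol.
contract RecommendedPatterns is AccessControl {
    // immutable rather than a plain storage variable: the value is embedded
    // in bytecode, so no SLOAD on every hasRole check.
    bytes32 public immutable RELAYER_ROLE = keccak256("RELAYER_ROLE");

    // Custom error instead of a long revert string such as
    // "RecommendedPatterns: reward amount must be greater than zero".
    error ZeroAmount();

    uint256[] private rewards; // storage array: reading .length costs an SLOAD

    constructor() {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    function addReward(uint256 amount) external onlyRole(RELAYER_ROLE) {
        // flagged: require(amount > 0, "...long message...");
        if (amount == 0) revert ZeroAmount(); // != 0 check on an unsigned value
        rewards.push(amount);
    }

    function totalRewards() external view returns (uint256 total) {
        // flagged: for (uint256 i = 0; i < rewards.length; i++) re-reads the
        // length from storage on every iteration.
        uint256 len = rewards.length; // cached once, outside the loop
        for (uint256 i = 0; i < len; ) {
            total += rewards[i];
            unchecked { ++i; } // i < len guarantees no overflow
        }
    }

    function halfOf(uint256 x) external pure returns (uint256) {
        // flagged: x / 2. A right shift by one gives the same result for an
        // unsigned operand and avoids the DIV opcode.
        return x >> 1;
    }
}
```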