DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: low
Invalid

State Mutability Incorrectly Specified

Summary

Functions in the contract are not properly marked with the correct state mutability modifiers (view, pure), leading to higher gas costs and potential state modifications in what should be read-only functions.

Vulnerability Details

In NonOptimizedContract, a function that should be read-only modifies state:

    function getValue() public returns (uint256) {
        flag = !flag; // Modifies state when it shouldn't
        return value;
    }

Foundry test demonstrating the gas difference and the state change:

    import {Test} from "forge-std/Test.sol";
    // NonOptimizedContract and OptimizedContract must also be imported or defined in this file.

    contract StateMutabilityTest is Test {
        NonOptimizedContract public nonOptimized;
        OptimizedContract public optimized;

        function setUp() public {
            nonOptimized = new NonOptimizedContract();
            optimized = new OptimizedContract();
        }

        function testGasComparison() public {
            // Test non-optimized version (no view)
            uint256 gasBefore = gasleft();
            nonOptimized.getValue();
            uint256 gasAfter = gasleft();
            uint256 gasUsedNonOptimized = gasBefore - gasAfter;

            // Test optimized version (with view)
            gasBefore = gasleft();
            optimized.getValue();
            gasAfter = gasleft();
            uint256 gasUsedOptimized = gasBefore - gasAfter;

            emit log_named_uint("Gas used non-optimized", gasUsedNonOptimized);
            emit log_named_uint("Gas used optimized", gasUsedOptimized);
            assertTrue(gasUsedOptimized < gasUsedNonOptimized, "View should use less gas");
        }

        function testStateModification() public {
            // Initial state
            bool initialFlag = nonOptimized.getFlag();
            // Call what should be a read-only function
            nonOptimized.getValue();
            // Check if state was modified
            bool newFlag = nonOptimized.getFlag();
            assertTrue(initialFlag != newFlag, "State should be modified showing incorrect mutability");
        }
    }

Test results show:

Gas used non-optimized: 29449
Gas used optimized: 7250

That is a difference of ~22,000 gas!

Impact

Low severity because:

  1. Significant gas cost (~4x more gas)

  2. Possible unintentional state modifications

  3. Risk of unexpected behaviors for integrators who assume the function is read-only

  4. Tests demonstrate that state can be modified when it shouldn't be

Tools Used

  • Slither static analyzer

  • Gas comparative testing

  • State modification tests

  • Manual code review

Recommendations

  1. Use appropriate modifiers:

    function getValue() public view returns (uint256) {
        return value;
    }

  2. Check all functions and add view or pure when possible

  3. Implement specific tests to verify that no view function modifies state

  4. Consider using static analysis tools to automatically detect these issues

This vulnerability demonstrates the importance of proper state mutability declarations and their impact on both gas costs and contract behavior predictability.
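
A Foundry test for the recommendation to verify that getters do not modify state, added here as an example and not part of the original submission. It counts storage writes with forge-std's `vm.record` and `vm.accesses`; the two contracts are an assumed reconstruction from the fragments in the report, and 42 is a constructed value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed reconstruction from the report's fragments; 42 is a constructed value.
contract NonOptimizedContract {
    uint256 internal value = 42;
    bool internal flag;

    function getValue() public returns (uint256) {
        flag = !flag; // the unintended storage write
        return value;
    }
}

contract OptimizedContract {
    uint256 internal value = 42;

    function getValue() public view returns (uint256) {
        return value;
    }
}

contract GetterWritesTest is Test {
    NonOptimizedContract internal nonOptimized;
    OptimizedContract internal optimized;

    function setUp() public {
        nonOptimized = new NonOptimizedContract();
        optimized = new OptimizedContract();
    }

    // Number of storage slots `target` wrote while executing `data`.
    function _writesDuring(address target, bytes memory data) internal returns (uint256) {
        vm.record(); // start recording storage reads and writes
        (bool ok,) = target.call(data);
        assertTrue(ok, "call failed");
        (, bytes32[] memory writes) = vm.accesses(target);
        return writes.length;
    }

    function testGetterWritesNoStorage() public {
        bytes memory data = abi.encodeWithSignature("getValue()");
        assertEq(_writesDuring(address(optimized), data), 0, "view getter wrote storage");
        assertEq(_writesDuring(address(nonOptimized), data), 1, "expected the single flag write");
    }
}
```

Unlike a gas comparison, this check is independent of gas accounting and fails as soon as any getter performs an SSTORE.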

Updates

Appeal created

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
