Handle
0xRajeev
Vulnerability details
Impact
From Solidity’s documentation (https://docs.soliditylang.org/en/v0.8.4/contracts.html#constant-and-immutable-state-variables), “State variables can be declared as constant or immutable. In both cases, the variables cannot be modified after the contract has been constructed. For constant variables, the value has to be fixed at compile-time, while for immutable, it can still be assigned at construction time. The compiler does not reserve a storage slot for these variables, and every occurrence is replaced by the respective value. Compared to regular state variables, the gas costs of constant and immutable variables are much lower.”
The address variables VADER, VAULT and ROUTER can be made immutable if they are initialized at construction time within a constructor. This will avoid the use of five storage slots and lead to gas savings.
Proof of Concept
https://github.com/code-423n4/2021-04-vader/blob/3041f20c920821b89d01f652867d5207d18c8703/vader-protocol/contracts/USDV.sol#L24-L26
https://github.com/code-423n4/2021-04-vader/blob/3041f20c920821b89d01f652867d5207d18c8703/vader-protocol/contracts/USDV.sol#L54-L61
Tools Used
Manual Analysis
Recommended Mitigation Steps
Move initialization from init() to a constructor and make address variables VADER, VAULT and ROUTER immutable.
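The recommended change, sketched as an added example (this is not the USDV.sol source and not code from the Vader project): the contract names, the `inited` guard, the `isRouter` helper, the zero-address check and the compiler version are assumptions made for illustration; only VADER, VAULT, ROUTER and init() come from the finding.

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.4; // assumed version, matching the documentation cited above

// Hypothetical "before": the addresses occupy storage slots and are set by init().
contract AddressesInStorage {
    bool private inited; // assumed one-time guard
    address public VADER;
    address public VAULT;
    address public ROUTER;

    function init(address _vader, address _vault, address _router) external {
        require(!inited, "already initialised");
        inited = true;
        VADER = _vader;
        VAULT = _vault;
        ROUTER = _router;
    }

    // Every read of ROUTER here is an SLOAD from storage.
    function isRouter(address who) external view returns (bool) {
        return who == ROUTER;
    }
}

// Hypothetical "after": the addresses are immutable and assigned in the constructor.
contract AddressesImmutable {
    address public immutable VADER;
    address public immutable VAULT;
    address public immutable ROUTER;

    constructor(address _vader, address _vault, address _router) {
        // Immutables cannot be corrected after deployment, so validate the inputs here.
        require(_vader != address(0), "VADER is zero");
        require(_vault != address(0), "VAULT is zero");
        require(_router != address(0), "ROUTER is zero");
        VADER = _vader;
        VAULT = _vault;
        ROUTER = _router;
    }

    // ROUTER is embedded in the deployed bytecode, so no storage read happens.
    function isRouter(address who) external view returns (bool) {
        return who == ROUTER;
    }
}
```

Immutable values are written into the deployed bytecode of the contract whose constructor runs, so this pattern requires all three addresses to be known at deployment time and does not carry over to a proxy that delegates to the contract.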