Handle
0xRajeev
Vulnerability details
Impact
The Auction and Basket implementation addresses held in Factory’s state variables are set in the constructor and never modified afterwards. Declaring these state variables immutable will save their storage slots and avoid the expensive SLOADs/SSTOREs needed to access them. The compiler replaces their usages in the contract bytecode at construction time.
Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Factory.sol#L26-L27
https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Factory.sol#L19-L20
Tools Used
Manual Analysis
Recommended Mitigation Steps
Add the immutable specifier to the auctionImpl and basketImpl declarations.
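The change recommended above, sketched as an added before/after example (this is not the project's Factory.sol): the contract names, the plain address types, the pragma and the implementations() helper are assumptions made for illustration; only auctionImpl and basketImpl come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Before: both addresses live in storage slots.
// Hypothetical simplified contract, not the audited Factory.
contract FactoryStorage {
    address public auctionImpl; // storage slot 0
    address public basketImpl;  // storage slot 1

    constructor(address _auctionImpl, address _basketImpl) {
        auctionImpl = _auctionImpl; // SSTORE during deployment
        basketImpl = _basketImpl;   // SSTORE during deployment
    }

    // Hypothetical reader: each access below is an SLOAD.
    function implementations() external view returns (address, address) {
        return (auctionImpl, basketImpl);
    }
}

// After: the same variables declared immutable.
// They must be assigned exactly once, in the constructor, and any later
// assignment is rejected at compile time.
contract FactoryImmutable {
    address public immutable auctionImpl; // no storage slot
    address public immutable basketImpl;  // no storage slot

    constructor(address _auctionImpl, address _basketImpl) {
        auctionImpl = _auctionImpl; // value is written into the runtime bytecode
        basketImpl = _basketImpl;
    }

    // Hypothetical reader: the values are read from the contract code,
    // so no SLOAD is executed here.
    function implementations() external view returns (address, address) {
        return (auctionImpl, basketImpl);
    }
}
```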