Closed code423n4 closed 2 years ago
kenzo
When an unchanging value from an external contract call is used a few times, the result can be saved and used without calling the external contract again.
Some gas can be saved.
In settleAuction, the basket's totalSupply stays constant through the loop's iterations.
```solidity
for (uint256 i = 0; i < pendingWeights.length; i++) {
    uint256 tokensNeeded = basketAsERC20.totalSupply() * pendingWeights[i] * newRatio / BASE / BASE;
    require(IERC20(pendingTokens[i]).balanceOf(address(basket)) >= tokensNeeded);
}
```
https://github.com/code-423n4/2021-10-defiprotocol/blob/main/contracts/contracts/Auction.sol#L103
Manual analysis, hardhat
Save basketAsERC20.totalSupply() to a local variable outside the loop, and use that variable inside the loop.
https://github.com/code-423n4/2021-10-defiprotocol-findings/issues/88
Duplicate of #88
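The recommended change, written out as an added example (not code from the report or from the project). The contract name `AuctionBalanceCheck`, the function `checkBalances`, the value of `BASE`, the revert strings, and the assumption that `basket` and `basketAsERC20` are the same address are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface: only the two view functions the loop needs.
interface IERC20 {
    function totalSupply() external view returns (uint256);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical stand-in for the auction contract, reduced to the balance check.
contract AuctionBalanceCheck {
    uint256 private constant BASE = 1e18; // assumed value, not taken from the page

    IERC20 public immutable basketAsERC20;
    address public immutable basket; // assumed to be the same contract as basketAsERC20

    constructor(IERC20 basketToken) {
        basketAsERC20 = basketToken;
        basket = address(basketToken);
    }

    function checkBalances(
        address[] memory pendingTokens,
        uint256[] memory pendingWeights,
        uint256 newRatio
    ) external view {
        require(pendingTokens.length == pendingWeights.length, "length mismatch");

        // One external call here instead of one per loop iteration.
        uint256 supply = basketAsERC20.totalSupply();

        for (uint256 i = 0; i < pendingWeights.length; i++) {
            uint256 tokensNeeded = supply * pendingWeights[i] * newRatio / BASE / BASE;
            // balanceOf is declared view, so the compiler emits STATICCALL and the
            // callee cannot change the basket's supply while the loop runs. That is
            // what makes the cached value equal to a fresh read on every iteration.
            require(
                IERC20(pendingTokens[i]).balanceOf(basket) >= tokensNeeded,
                "insufficient balance"
            );
        }
    }
}
```

Caching is only equivalent to re-reading when nothing inside the loop can mint or burn basket tokens; if a state-changing external call were added to the loop body, the cached `supply` could go stale.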