search

code-423n4 / 2021-11-streaming-findings

0 stars 0 forks source link

Gas: Batch transfer in `claimFees` #219

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

cmichel

Vulnerability details

The Stream.claimFees function performs two expensive external calls:

function claimFees(address destination) public lock externallyGoverned {
    // Stream is done
    require(block.timestamp >= endStream, "stream");

    // reset fee amount
    uint112 fees = rewardTokenFeeAmount;
    if (fees > 0) {
        rewardTokenFeeAmount = 0;

        // transfer and emit event
        // @audit gas batch these two fee transfers into single one by adding up amt
        ERC20(rewardToken).safeTransfer(destination, fees);
        emit FeesClaimed(rewardToken, destination, fees);
    }

    fees = depositTokenFlashloanFeeAmount;
    if (fees > 0) {
        depositTokenFlashloanFeeAmount = 0;

        // transfer and emit event
        ERC20(depositToken).safeTransfer(destination, fees);

        emit FeesClaimed(depositToken, destination, fees);
    }

}

Consider first adding up the fees and doing a single transfer with the sum. The FeesClaimed event can then also be only emitted once.

0xean commented 2 years ago

These are different tokens. Invalid.