Open code423n4 opened 2 years ago
WatchPug
https://github.com/code-423n4/2021-12-mellow/blob/6679e2dd118b33481ee81ad013ece4ea723327b5/mellow-vaults/contracts/AaveVault.sol#L96-L99
function _getAToken(address token) internal view returns (address) { DataTypes.ReserveData memory data = _lendingPool().getReserveData(token); return data.aTokenAddress; }
https://github.com/code-423n4/2021-12-mellow/blob/6679e2dd118b33481ee81ad013ece4ea723327b5/mellow-vaults/contracts/AaveVault.sol#L33-L43
constructor(IVaultGovernance vaultGovernance_, address[] memory vaultTokens_) Vault(vaultGovernance_, vaultTokens_) { _aTokens = new address[](vaultTokens_.length); for (uint256 i = 0; i < _vaultTokens.length; i++) { address aToken = _getAToken(_vaultTokens[i]); require(aToken != address(0), ExceptionsLibrary.ZERO_TOKEN); _aTokens[i] = aToken; _tvls.push(0); } }
_getAToken() is unnecessary as it's being used only once. Therefore it can be inlined in constructor() to make the code simpler and save gas.
_getAToken()
constructor()
Change to:
constructor(IVaultGovernance vaultGovernance_, address[] memory vaultTokens_) Vault(vaultGovernance_, vaultTokens_) { _aTokens = new address[](vaultTokens_.length); for (uint256 i = 0; i < _vaultTokens.length; i++) { address aToken = _lendingPool().getReserveData(_vaultTokens[i]).aTokenAddress; require(aToken != address(0), ExceptionsLibrary.ZERO_TOKEN); _aTokens[i] = aToken; _tvls.push(0); } }
Handle
WatchPug
Vulnerability details
https://github.com/code-423n4/2021-12-mellow/blob/6679e2dd118b33481ee81ad013ece4ea723327b5/mellow-vaults/contracts/AaveVault.sol#L96-L99
https://github.com/code-423n4/2021-12-mellow/blob/6679e2dd118b33481ee81ad013ece4ea723327b5/mellow-vaults/contracts/AaveVault.sol#L33-L43
_getAToken()is unnecessary as it's being used only once. Therefore it can be inlined inconstructor()to make the code simpler and save gas.Recommendation
Change to: