search

code-423n4 / 2022-01-xdefi-findings

0 stars 0 forks source link

Change `pointsCorrection` to `uint256` can save gas #148

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

As both _pointsPerUnit and units are uint numbers, pointsCorrection can be changed to uint.

https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L271-L278

    Position({
        units: units,
        depositedXDEFI: uint88(amount_),
        expiry: uint32(block.timestamp + duration_),
        created: uint32(block.timestamp),
        bonusMultiplier: bonusMultiplier,
        pointsCorrection: -_toInt256Safe(_pointsPerUnit * units)
    });

https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L337-L345

    function _withdrawableGiven(uint96 units_, uint88 depositedXDEFI_, int256 pointsCorrection_) internal view returns (uint256 withdrawableXDEFI_) {
        return
            (
                _toUint256Safe(
                    _toInt256Safe(_pointsPerUnit * uint256(units_)) +
                    pointsCorrection_
                ) / _pointsMultiplier
            ) + uint256(depositedXDEFI_);
    }

Change to:

    Position({
        units: units,
        depositedXDEFI: uint88(amount_),
        expiry: uint32(block.timestamp + duration_),
        created: uint32(block.timestamp),
        bonusMultiplier: bonusMultiplier,
        pointsCorrection: _pointsPerUnit * units
    });

https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L337-L345

    function _withdrawableGiven(uint96 units_, uint88 depositedXDEFI_, int256 pointsCorrection_) internal view returns (uint256 withdrawableXDEFI_) {
        return
            (
                _toUint256Safe(
                    _toInt256Safe(_pointsPerUnit * uint256(units_)) -
                    pointsCorrection_
                ) / _pointsMultiplier
            ) + uint256(depositedXDEFI_);
    }

This change can save gas by avoiding unnecessary arithmetic and typecasting.

deluca-mike commented 2 years ago

Yes, these are valid points. There is a bit of analysis I have to do to ensure that I can reduce the signed math to unsigned math, but it should be possible.

deluca-mike commented 2 years ago

Duplicate #87