code-423n4 / 2022-02-tribe-turbo-findings


Gas Optimizations #77

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

C4 finding submitted: (Gas) Missing non-zero amount checks

Lines of code

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L318
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L171
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L210
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L306

Vulnerability details

Impact

Functions do not check if the amount is non-zero. A zero amount would result in unnecessary transaction and gas usage.

Proof of Concept

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L318
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L171
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L210
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L306

Tools Used

Manual analysis

Recommended Mitigation Steps

Check if the amount is non-zero

C4 finding submitted: (Gas) Changing the order in boost function can save gas

Lines of code

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L191

Vulnerability details

Impact

`require(feiTurboCToken.borrow(feiAmount) == 0, "BORROW_FAILED");` can be called just after `master.onSafeBoost(asset, vault, feiAmount);`. In case the borrow fails and reverts, the intermediate steps would be avoided.

Proof of Concept

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L191

Tools Used

Manual analysis

Recommended Mitigation Steps

Change the order as:

```solidity
// Ensure the Vault accepts Fei asset.
require(vault.asset() == fei, "NOT_FEI");

// Call the Master where it will do extra validation
// and update its total count of funds used for boosting.
master.onSafeBoost(asset, vault, feiAmount);

// Borrow the Fei amount from the Fei cToken in the Turbo Fuse Pool.
require(feiTurboCToken.borrow(feiAmount) == 0, "BORROW_FAILED");
```
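As an added illustration (not code from this submission or from the Tribe Turbo repository), a minimal contract sketching both gas suggestions side by side: the "before" function mirrors the shape the finding describes, with storage updates and an event sitting between `onSafeBoost` and the borrow, and the "after" function puts the zero-amount check first and the borrow ahead of those writes. The `ICToken` and `IMaster` interfaces, the storage variables and the event are stand-ins assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Stand-in interfaces assumed for this example; not the Tribe Turbo contracts.
interface ICToken {
    // Compound-style cToken: returns 0 on success, an error code otherwise.
    function borrow(uint256 amount) external returns (uint256);
}

interface IMaster {
    function onSafeBoost(address asset, address vault, uint256 feiAmount) external;
}

contract BoostOrderingExample {
    ICToken public immutable feiTurboCToken;
    IMaster public immutable master;
    address public immutable asset;
    uint256 public totalFeiBoosted;
    mapping(address => uint256) public getTotalFeiBoostedForVault;

    event VaultBoosted(address indexed user, address indexed vault, uint256 feiAmount);

    constructor(ICToken cToken, IMaster master_, address asset_) {
        feiTurboCToken = cToken;
        master = master_;
        asset = asset_;
    }

    // Before: two SSTOREs and a LOG are executed before the borrow. If the
    // borrow fails, the revert rolls them back but their gas is still paid.
    function boostBefore(address vault, uint256 feiAmount) external {
        master.onSafeBoost(asset, vault, feiAmount);
        totalFeiBoosted += feiAmount;
        getTotalFeiBoostedForVault[vault] += feiAmount;
        emit VaultBoosted(msg.sender, vault, feiAmount);
        require(feiTurboCToken.borrow(feiAmount) == 0, "BORROW_FAILED");
    }

    // After: the cheapest check first, then the call most likely to fail,
    // then the storage writes, so a failing path spends as little gas as possible.
    function boostAfter(address vault, uint256 feiAmount) external {
        require(feiAmount != 0, "ZERO_AMOUNT");
        master.onSafeBoost(asset, vault, feiAmount);
        require(feiTurboCToken.borrow(feiAmount) == 0, "BORROW_FAILED");
        totalFeiBoosted += feiAmount;
        getTotalFeiBoostedForVault[vault] += feiAmount;
        emit VaultBoosted(msg.sender, vault, feiAmount);
    }
}
```

Moving the external `borrow` call ahead of the storage updates departs from the checks-effects-interactions pattern, so a function reordered this way should keep a reentrancy guard.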
GalloDaSballo commented 2 years ago

I think the formatting on this submission went wrong, and would recommend the warden to always try their MD submission on a preview tool before submitting

I don't think the sponsor likes 0 checks

3/10