Gas Optimizations

[code423n4]

Optimize NFT delegate deployments by using proxy

Targets

• https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateDeployer.sol#L115

  Impact

  The cost of NFT delegate deployments can be significantly reduced by deploying proxies instead of clones of the implementation.

  Proof of Concept

  This function is used to deploy new NFT delegates (JBTiered721DelegateDeployer.sol#L115):

  function _clone(address _targetAddress) internal returns (address _out) {
  assembly {
  // Get deployed/runtime code size
  let _codeSize := extcodesize(_targetAddress)
  
  // Get a bit of freemem to land the bytecode, not updated as we'll leave this scope right after create(..)
  let _freeMem := mload(0x40)
  
  // Shift the length to the length placeholder, in the constructor
  let _mask := mul(_codeSize, 0x100000000000000000000000000000000000000000000000000000000)
  
  // Insert the length in the correct sport (after the PUSH3 / 0x62)
  let _initCode := or(_mask, 0x62000000600081600d8239f3fe00000000000000000000000000000000000000)
  
  // Store the deployment bytecode
  mstore(_freeMem, _initCode)
  
  // Copy the bytecode (our initialise part is 13 bytes long)
  extcodecopy(_targetAddress, add(_freeMem, 13), 0, _codeSize)
  
  // Deploy the copied bytecode
  _out := create(0, _freeMem, _codeSize)
  }

  It copies the code of an existing contract (JBTiered721Delegate, JB721TieredGovernance, or JB721GlobalGovernance) and deploys a new contract with the same code. This is a costly operation because each of the three contracts is a big contract with a lot of code. It'll be much cheaper to deploy non-upgradable proxies instead.

  Tools Used

  Manual review.

  Recommended Mitigation Steps

  Consider using the Clones library from OpenZeppelin–it deploys and absolutely minimal non-upgradable proxy contract. Such proxies, however, cannot be verified on Etherscan. Some more info.

[c4-judge]

Picodes marked the issue as grade-a

[Picodes]

Depending on the number of deployments this could be the biggest gas saving so far

[c4-judge]

Picodes marked the issue as selected for report

[drgorillamd]

@Picodes we didn't use proxies for 2 reasons (it would have obviously been easier;):

• this is shifting the gas burden -> each call cost an extra call() cost to the users (on a cold address, that's at least 2600)
• the saving of deploying a proxy is a one off, for the project owner, while the gas saved on every call is cumulative through time (and might end up being bigger)

+ even if using a non-upgradeable proxy, some users have concern with such (I know, ux/docs/education is out of scope;)

In summary, not convinced this would be the biggest gas saving, on an overall basis

[Picodes]

Indeed it totally depend on the usage!

Giving this option to users could easily save a lot of gas for project that expect only a few transactions. I also selected this report as it's the only one suggesting this.

The deployment of the clone contract would be only <50k gas and then per call <2k (700 for the DELEGATECALL , 2600 for the cold address and then the memory expansion) so it'd be worth it for projects with less than a few hundred transactions