Constant values used inline #11

@code423n4

Handle

gpersoon

Vulnerability details

Impact

In several locations constant values are used inline in the code.
Normally you would define those as constants to be able to review and update them more easily.
Additionally, some constants can be changed to be easier to read.

Proof of Concept

LongShort.sol: initialMarketSeedForEachMarketSide >= 1e18,
LongShort.sol: return (amountPaymentTokenBackingSynth * 1e18) / amountSyntheticToken;
LongShort.sol: return (amountSyntheticToken * syntheticTokenPriceInPaymentTokens) / 1e18;
LongShort.sol: return (amountPaymentTokenBackingSynth * 1e18) / syntheticTokenPriceInPaymentTokens;
LongShort.sol: uint256 marketPercent_e18 = _getMin(marketPercentCalculated_e18, 1e18);
LongShort.sol: treasuryYieldPercent_e18 = 1e18 - marketPercent_e18;
Staker.sol: require(newFloatPercentage <= 1e18 && newFloatPercentage > 0); // less than or equal to 100% and greater than 0%
Staker.sol: require(newMarketUnstakeFee_e18 <= 5e16); // Explicitely stating 5% fee as the max fee possible.
Staker.sol: require(initialMultiplier >= 1e18, "marketLaunchIncentiveMultiplier must be >= 1e18");
Staker.sol: _balanceIncentiveCurve_equilibriumOffset > -9e17 && _balanceIncentiveCurve_equilibriumOffset < 9e17,
Staker.sol: if (multiplier < 1e18) {
Staker.sol: multiplier = 1e18; // multiplier of 1 by default
Staker.sol: assert(kInitialMultiplier >= 1e18);
Staker.sol: return kInitialMultiplier - (((kInitialMultiplier - 1e18) * (block.timestamp - initialTimestamp)) / kPeriod);
Staker.sol: return 1e18;
Staker.sol: int256(totalLocked)) / 2e18;
Staker.sol: return (0, 1e18 * k * shortPrice);
Staker.sol: uint256 longRewardUnscaled = (numerator * 5e17) / denominator;
Staker.sol: uint256 shortRewardUnscaled = 1e18 - longRewardUnscaled;
Staker.sol: return ((longRewardUnscaled * k * longPrice) / 1e18, (shortRewardUnscaled * k * shortPrice) / 1e18);
Staker.sol: return (1e18 * k * longPrice, 0);
Staker.sol: uint256 shortRewardUnscaled = (numerator * 5e17) / denominator;
Staker.sol: uint256 longRewardUnscaled = 1e18 - shortRewardUnscaled;
Staker.sol: return ((longRewardUnscaled * k * longPrice) / 1e18, (shortRewardUnscaled * k * shortPrice) / 1e18);
Staker.sol: IFloatToken(floatToken).mint(floatCapital, (floatToMint * floatPercentage) / 1e18);
Staker.sol: uint256 amountFees = (amount * marketUnstakeFee_e18[marketIndex]) / 1e18;
YieldManagerAave.sol: uint256 amountForTreasury = (unrealizedYield * treasuryYieldPercent_e18) / 1e18;

Tools Used

grep

Recommended Mitigation Steps

Create constants for the following values:

  • 1e18
  • 5e16 ==> 0.05e18
  • 9e17 ==> 0.90e18
  • 2e18 ==> 2 x constant_1e18
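
A scan that goes one step past the grep used above, as an added example that is not part of the original report or the audited project: it lists inline scientific-notation literals in Solidity source, skips lines that already declare a `constant`, and groups the hits by their value rewritten relative to `e18`. The sample lines are constructed from the snippets quoted above; the `ONE_E18` declaration and all function names are hypothetical.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample: lines quoted in the report plus one hypothetical
# constant declaration (ONE_E18) that the scan must not flag.
SAMPLE = {
    "Staker.sol": (
        "uint256 internal constant ONE_E18 = 1e18;\n"
        "require(newMarketUnstakeFee_e18 <= 5e16); // 5% max fee\n"
        "_balanceIncentiveCurve_equilibriumOffset > -9e17 && "
        "_balanceIncentiveCurve_equilibriumOffset < 9e17,\n"
        "int256(totalLocked)) / 2e18;\n"
    ),
    "LongShort.sol": "treasuryYieldPercent_e18 = 1e18 - marketPercent_e18;\n",
}

# A literal such as 1e18 or 0.05e18; the lookbehind keeps identifier
# suffixes like marketPercent_e18 from matching.
LITERAL = re.compile(r"(?<![\w.])(\d+(?:\.\d+)?)e(\d+)\b")


def as_e18(mantissa, exponent):
    """Rewrite mantissa * 10**exponent relative to 1e18 (5e16 -> 0.05e18)."""
    scaled = Decimal(mantissa).scaleb(exponent - 18)
    return format(scaled, "f") + "e18"


def find_inline_literals(sources):
    """Return {normalised literal: [(file, line number, raw literal), ...]}."""
    hits = defaultdict(list)
    for name, text in sources.items():
        for number, line in enumerate(text.splitlines(), 1):
            code = line.split("//", 1)[0]  # ignore trailing line comments
            if re.search(r"\bconstant\b", code):
                continue  # already a named constant declaration
            for match in LITERAL.finditer(code):
                key = as_e18(match.group(1), int(match.group(2)))
                hits[key].append((name, number, match.group(0)))
    return dict(hits)


if __name__ == "__main__":
    for value, places in find_inline_literals(SAMPLE).items():
        print(value, len(places), "occurrence(s)")
        for name, number, raw in places:
            print(f"  {name}:{number}: {raw}")
```
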
