Oblong Marigold Blackbird
High
The BoostCore contract contains an issue where the use of the assert statement instead of require in production code can cause users to lose money due to unintended gas consumption. This can result in users paying for gas that should have been saved, particularly when a condition fails that should revert the transaction efficiently.
In the current implementation, the assert statement is used in the following code snippet:
function _makeIncentives(BoostLib.Target[] memory targets_, ABudget budget_)
{
    ...
    if (preflight.length != 0) {
        // wake-disable-next-line reentrancy (false positive, entrypoint is nonReentrant)
@>      assert(budget_.disburse(preflight));
    }
    ...
}
The issue with using assert is that, when the condition fails, it consumes all remaining gas, leading to excessive gas costs for users. This is particularly problematic in a production environment, as assert is meant for testing, and its use in live contracts can inadvertently lead to financial losses for users.
By contrast, using a require statement would revert the transaction with minimal gas consumption and provide a clear error message. This ensures the contract fails safely and efficiently in production environments without penalizing users with unnecessary gas fees.
Financial Loss: The use of assert results in all remaining gas being consumed when the condition fails, causing users to pay more than necessary.
VSCode
Replace the assert statement with a require statement to avoid unintended gas consumption and ensure proper transaction handling in production environments:
require(budget_.disburse(preflight), "Disbursement failed");
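
An added example, not part of the original report or the BoostCore code base: a small heuristic scanner that flags assert(...) calls whose argument performs a member call such as budget_.disburse(preflight), the pattern this finding describes, so they can be reviewed for replacement with require. The sample contract and all function names in the script are constructed for illustration, and the comment stripping is regex-based, so string literals containing "//" are not handled.

```python
import re

# Constructed sample: the report's assert pattern placed in a minimal contract body.
SAMPLE = '''\
contract Example {
    function _makeIncentives(ABudget budget_, bytes memory preflight) internal {
        if (preflight.length != 0) {
            // assert(ignored.inComment());
            assert(budget_.disburse(preflight));
        }
        assert(preflight.length < 1024); // pure invariant, not flagged
        require(budget_.disburse(preflight), "Disbursement failed");
    }
}
'''

_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
_ASSERT = re.compile(r"\bassert\s*\(")
_MEMBER_CALL = re.compile(r"\b[A-Za-z_]\w*\s*\.\s*[A-Za-z_]\w*\s*\(")

def _blank_comments(src):
    # Replace comments with spaces, keeping newlines so line numbers stay valid.
    return _COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def _argument(src, start):
    # Return the text from index start (just past '(') up to the matching ')'.
    depth = 1
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start:i]
    return src[start:]  # unbalanced input: take the rest

def find_assert_on_calls(src):
    """Return (line, argument) for each assert() whose argument makes a member call."""
    clean = _blank_comments(src)
    findings = []
    for m in _ASSERT.finditer(clean):
        arg = _argument(clean, m.end())
        if _MEMBER_CALL.search(arg):
            findings.append((clean.count("\n", 0, m.start()) + 1, arg.strip()))
    return findings

if __name__ == "__main__":
    for line, arg in find_assert_on_calls(SAMPLE):
        print(f"line {line}: assert({arg}) -> use require(...) with a reason")
```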