Oblong Marigold Blackbird
High
The BoostCore contract contains an issue where the use of the assert statement instead of require in production code can cause users to lose money due to unintended gas consumption. This can result in users paying for gas that should have been saved, particularly when a condition fails that should revert the transaction efficiently.
In the current implementation, the assert statement is used in the following code snippet:
function _makeIncentives(BoostLib.Target[] memory targets_, ABudget budget_)
{
...
if (preflight.length != 0) {
// wake-disable-next-line reentrancy (false positive, entrypoint is nonReentrant)
@> assert(budget_.disburse(preflight));
}
...
}The issue with using assert is that, when the condition fails, it consumes all remaining gas, leading to excessive gas costs for users. This is particularly problematic in a production environment, as assert is meant for testing, and its use in live contracts can inadvertently lead to financial losses for users.
By contrast, using a require statement would revert the transaction with minimal gas consumption and provide a clear error message. This ensures the contract fails safely and efficiently in production environments without penalizing users with unnecessary gas fees.
Financial Loss: The use of assert results in all remaining gas being consumed when the condition fails, causing users to pay more than necessary.
VSCode
Replace the assert statement with a require statement to avoid unintended gas consumption and ensure proper transaction handling in production environments:
require(budget_.disburse(preflight), "Disbursement failed");