#41765 [SC-Insight] Storage slots only set in constructor should be declared `immutable`

Submitted on Mar 18th 2025 at 07:54:52 UTC by @Victor_TheOracle for Audit Comp | Yeet

  • Report ID: #41765

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Yeetback.sol

  • Impacts:

Description

Brief/Intro

The issue involves two state variables in the Yeetback.sol contract that are assigned only in the constructor but are not declared `immutable`. In a non-upgradeable contract, leaving such variables in storage wastes gas: every read costs an SLOAD instead of a cheap read from the contract's own bytecode, which increases the cost of interacting with the contract on mainnet.

Vulnerability Details

In Solidity, variables that are assigned a value only once in the constructor and never modified should be declared as immutable. This allows the Solidity compiler to optimize these variables by embedding their values directly into the bytecode rather than storing them in a storage slot.

In Yeetback.sol, the variables `entropy` and `entropyProvider` are initialized in the constructor and never written again, but are not declared `immutable`:

```solidity
/// @dev The entropy contract address
//@audit (info) -----> Should be immutable
IEntropy private entropy;
/// @dev The address of the entropy provider
//@audit (info) -----> Should be immutable
address private entropyProvider;

constructor(address _entropy, address _entropyProvider) Ownable(msg.sender) {
    require(_entropy != address(0), "Yeetback: Invalid entropy address");
    require(_entropyProvider != address(0), "Yeetback: Invalid entropy provider address");
    entropy = IEntropy(_entropy);
    entropyProvider = _entropyProvider;
}
```

Impact Details

The main impact of this finding is increased gas consumption during contract execution. Because these values live in storage rather than in the contract's code, every access to them requires an SLOAD operation, which costs considerably more than reading a value the compiler has embedded directly into the bytecode.
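To make the gas difference concrete, the following Foundry test is an added example (not code from the report or from the Yeet project): it deploys a storage-slot variant and an `immutable` variant of the same two-variable pattern and asserts that reading from the immutable version is cheaper. The `IEntropy` interface is a constructed empty stand-in, and the addresses passed to the constructors are arbitrary sample values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the real IEntropy interface; only the type is needed here.
interface IEntropy {}

/// Storage-slot version, mirroring the pattern flagged in the report.
contract EntropyStorage {
    IEntropy private entropy;
    address private entropyProvider;
    constructor(address _entropy, address _entropyProvider) {
        require(_entropy != address(0) && _entropyProvider != address(0), "zero address");
        entropy = IEntropy(_entropy);
        entropyProvider = _entropyProvider;
    }
    // Two SLOADs per call: 2100 gas each when the slot is cold, 100 when warm.
    function providers() external view returns (address, address) {
        return (address(entropy), entropyProvider);
    }
}

/// Immutable version: the compiler inlines both values into the runtime bytecode.
contract EntropyImmutable {
    IEntropy private immutable entropy;
    address private immutable entropyProvider;
    constructor(address _entropy, address _entropyProvider) {
        require(_entropy != address(0) && _entropyProvider != address(0), "zero address");
        entropy = IEntropy(_entropy);
        entropyProvider = _entropyProvider;
    }
    // No SLOAD: the values are pushed straight from code.
    function providers() external view returns (address, address) {
        return (address(entropy), entropyProvider);
    }
}

/// Foundry test: the immutable variant must read back cheaper than the storage variant.
contract ImmutableGasTest is Test {
    function testImmutableReadIsCheaper() public {
        // Sample constructor arguments (constructed, not real deployments).
        EntropyStorage s = new EntropyStorage(address(1), address(2));
        EntropyImmutable i = new EntropyImmutable(address(1), address(2));
        uint256 g = gasleft(); s.providers(); uint256 storageGas = g - gasleft();
        g = gasleft(); i.providers(); uint256 immutableGas = g - gasleft();
        assertLt(immutableGas, storageGas);
    }
}
```

Run it with `forge test -vv`; both contract addresses are warm after creation, so the measured gap comes almost entirely from the two cold SLOADs in the storage variant.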

References

Relevant Code snippet: https://github.com/immunefi-team/audit-comp-yeet/blob/da15231cdefd8f385fcdb85c27258b5f0d0cc270/src/Yeetback.sol#L33-L35

Proof of Concept
