Redundant Code Logic
id: LS02I
title: Redundant Code Logic
baseSeverity: I
category: code-quality
language: solidity
blockchain: [ethereum]
impact: Unnecessary gas costs, confusion, or potential hidden logic flaws
status: draft
complexity: low
attack_vector: internal
mitigation_difficulty: easy
versions: [">=0.4.0", "<latest"]
cwe: CWE-561
swc: SWC-131
Description
Redundant code logic refers to repeated, unnecessary, or unreachable lines of code that do not contribute to functional behavior but still:
  - Consume gas on execution,
  - Increase bytecode size,
  - Lead to maintenance complexity or confusion during audits.
Though not always a security threat, redundancy can hide subtle bugs or contradict the intended business logic when two logic branches disagree.
Vulnerable Code
contract RedundantExample {
    uint256 public value;

    function set(uint256 _value) public {
        value = _value;
        value = _value; // Redundant assignment
        if (_value > 0) {
            return;
        }
        return; // Redundant trailing return: the function ends here anyway
    }
}
Exploit Scenario
This issue is not directly exploitable, but can lead to:
  - Higher deployment and execution costs (e.g., duplicate instructions),
  - Missed bugs if developers overlook one of two redundant lines, thinking they serve different purposes,
  - Audit fatigue when redundant checks distract from true logic flaws.
Assumptions:
  - Developers or tooling failed to clean up unnecessary logic paths.
  - The contract is executed frequently, amplifying the gas inefficiency.
Fixed Code
contract OptimizedExample {
    uint256 public value;

    function set(uint256 _value) public {
        value = _value; // Clean and clear
    }
}
Contextual Severity
- context: "Default"
  severity: I
  reasoning: "Increases gas usage and code complexity but is not directly exploitable."
- context: "High-frequency function in public DeFi protocol"
  severity: M
  reasoning: "Gas inefficiency could affect user experience and aggregate costs."
- context: "Internal or low-traffic admin-only function"
  severity: I
  reasoning: "Impact is negligible due to limited usage and access."
Prevention
Primary Defenses
- Use static analyzers to detect duplicate lines, unreachable code, or repeated logic blocks.
- Apply code reviews and linters to flag unnecessary expressions or returns.
- Optimize for bytecode size and gas to reduce L1 fees.
Additional Safeguards
- Write unit tests and gas snapshot tests to catch inefficient logic.
- Use DRY (Don't Repeat Yourself) principles for internal business logic.
- Avoid mixing legacy code with new patterns unless refactored.
Detection Methods
- Slither: redundant-statement, unused-return, dead-code detectors.
- Hardhat Gas Reporter: Highlight functions with excess cost.
- Manual audit and gas profiling of core functions.
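A lightweight line-based check in the spirit of the Slither detectors listed above, added here as an illustration. It is not Slither's, Hardhat's, or this entry's own code; the contract snippets it scans are constructed from this entry, and the brace-depth tracking is a heuristic rather than a real Solidity parser.

```python
"""Heuristic redundancy detector for Solidity source text.

Added example for this entry (not code from the page, Slither or Hardhat).
It scans Solidity source line by line and reports three of the patterns the
entry describes:
  duplicate                  a statement identical to the previous one in the
                             same block (e.g. a repeated assignment)
  unreachable                a statement after an unconditional return/revert
                             in the same block
  redundant-trailing-return  a bare `return;` as the last statement of a
                             function body (the function ends there anyway)
Block structure is approximated with a brace-depth counter, so this is a
triage aid that complements a real analyzer, not a replacement for one.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Finding = Tuple[int, str, str]  # (line number, kind, statement)

FUNCTION_OPEN = re.compile(r"^function\b.*\{$")
TERMINATOR = re.compile(r"^(return|revert)\b.*;$")


@dataclass
class Block:
    prev: Optional[str] = None  # last statement seen in this block
    prev_line: int = 0          # line number of that statement
    dead: bool = False          # control flow already terminated here
    func: bool = False          # this block is a function body


def find_redundancies(source: str) -> List[Finding]:
    findings: List[Finding] = []
    depth = 0
    blocks: Dict[int, Block] = {0: Block()}

    for lineno, raw in enumerate(source.splitlines(), start=1):
        stmt = raw.split("//", 1)[0].strip()  # drop line comments
        if not stmt:
            continue

        if stmt.startswith("}"):
            closing = blocks.pop(depth, Block())
            if closing.func and closing.prev == "return;":
                findings.append((closing.prev_line,
                                 "redundant-trailing-return", "return;"))
            depth -= 1
            stmt = stmt[1:].strip()  # handles "} else {"
            if not stmt:
                continue

        block = blocks.setdefault(depth, Block())
        if block.dead:
            findings.append((lineno, "unreachable", stmt))
        elif stmt == block.prev:
            findings.append((lineno, "duplicate", stmt))
        if TERMINATOR.match(stmt):
            block.dead = True
        block.prev, block.prev_line = stmt, lineno

        if stmt.endswith("{"):
            depth += 1
            blocks[depth] = Block(func=bool(FUNCTION_OPEN.match(stmt)))
    return findings


# Constructed sample inputs: the entry's vulnerable and fixed contracts, plus
# a small contract with a statement after an unconditional return.
VULNERABLE = """\
contract RedundantExample {
    uint256 public value;
    function set(uint256 _value) public {
        value = _value;
        value = _value; // Redundant assignment
        if (_value > 0) {
            return;
        }
        return; // Redundant trailing return
    }
}
"""

DEAD_CODE = """\
contract Dead {
    function f(uint256 x) public pure returns (uint256) {
        return x;
        x = 1;
    }
}
"""

FIXED = """\
contract OptimizedExample {
    uint256 public value;
    function set(uint256 _value) public {
        value = _value;
    }
}
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("dead", DEAD_CODE), ("fixed", FIXED)):
        for line, kind, stmt in find_redundancies(src):
            print(f"{name}:{line}: {kind}: {stmt}")
```

Run on the entry's vulnerable contract it reports the duplicate assignment on line 5 and the trailing `return;` on line 9; the fixed contract produces no findings. Because it keys on exact statement text, it will miss semantically equivalent but differently written duplicates, which is where a real static analyzer earns its keep.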
Historical Exploits
- Name: The DAO Exploit
- Date: 2016
- Loss: $60 million
- Post-mortem: Link to post-mortem
Further Reading
- SWC-131: Presence of Unused Code
- Policies, Procedures, and Code Management - OWASP Smart Contract Security
- Code Optimization in Solidity: Best Practices for Performance - SoliditySuite
Vulnerability Report
id: LS02I
title: Redundant Code Logic
severity: I
score:
  impact: 2
  exploitability: 0
  reachability: 5
  complexity: 1
  detectability: 5
finalScore: 2.1
Justifications & Analysis
- Impact: Increases bytecode size and gas usage; may mislead audits.
- Exploitability: Not directly exploitable.
- Reachability: Extremely common during development cycles or copy-paste reuse.
- Complexity: Low; easy to write and easy to fix.
- Detectability: High; flagged by most static analysis tools.