QA Report #30
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
bug
sofianeOuafir
added
the
sponsor confirmed
|
high quality report |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue 1 (Low) - All function inputs should verify address != address(0)
https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/core-contracts/contracts/CoreCollection.sol#L193
https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/splits/contracts/SplitFactory.sol#L60-L61
https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/royalty-vault/contracts/RoyaltyVault.sol#L76
There are several input addresses that should be verified != address(0). Most notably, the royaltyVault and platformFeeRecipient.
Issue 2 (Low) - platformFeeRecipient must be trusted
https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/royalty-vault/contracts/RoyaltyVault.sol#L51-L57
In the event that
royaltyAssetgives control on transfer such as with an ERC777, a maliciousplatformFeeRecipientwill have the power to stop all executions ofsendToSplitter()Issue 3 (Low) - Function definition doesn't match purpose
https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/splits/contracts/Splitter.sol#L231-L240
The
transferSplitAsset()function contains comments about sending ETH, and the event that is emitted is calledTransferETHdespite only ERC20 transfers.Issue 4 (Non-critical) - Private attemptETHTransfer() never used
https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/splits/contracts/Splitter.sol#L248
Since
attemptETHTransfer()is private and not used in the contract, it can safely be removed.Issue 5 (non-critical) - Internal functions should start with underscore
Example:
https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/core-contracts/contracts/MultiSigWallet.sol#L284
Code style best practice.
Issue 6 (non-critical) - Unnecessary bool in TransferETH event
https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/splits/contracts/Splitter.sol#L237-L239
The function reverts if transfer fails, so bool in event will always be true.
The text was updated successfully, but these errors were encountered: