QA Report #123
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
valid
Comments
code423n4
added
bug
|
I really dislike this format |
GalloDaSballo
added
the
sponsor disputed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
QA Report
Table of Contents
summary
Comment Missing function parameter
PROBLEM
Some of the function comments are missing natspec function parameters or returns
SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
MyStrategy.sol
address _vault
address delegate
bool newWithdrawalSafetyCheck
bool newProcessLocksOnReinvest
address token
address[] calldata tokens
uint256 _amount
uint256 _amount
IRewardDistributor hiddenHandDistributor, IRewardDistributor.Claim[] calldata _claims
bytes calldata performData
address token, uint256 amount
address token, uint256 amount
uint256 amount
TOOLS USED
Manual Analysis
MITIGATION
Add a comment for these parameters
Constants instead of magic numbers
PROBLEM
It is best practice to use constant variables rather than literal values to make the code easier to understand and maintain.
SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
MyStrategy.sol
9_980
TOOLS USED
Manual Analysis
MITIGATION
Define a constant variable for it.
Events indexing
PROBLEM
Events should use indexed fields
SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
MyStrategy.sol
event RewardsCollected(address token, uint256 amount)
TOOLS USED
Manual Analysis
MITIGATION
Add indexed fields to this event.
Event should be emitted in setters
PROBLEM
Setters should emit an event so that Dapps can detect important changes to storage
SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
MyStrategy.sol
function manualSetDelegate
function setWithdrawalSafetyCheck
function setProcessLocksOnReinvest
function setBribesProcessor
TOOLS USED
Manual Analysis
MITIGATION
Emit an event in all setters.
Function missing comments
PROBLEM
Some functions are missing comments.
SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
MyStrategy.sol
function checkUpkeep
TOOLS USED
Manual Analysis
MITIGATION
Add comments to this function
Public functions can be external
PROBLEM
It is good practice to mark functions as
externalinstead ofpublicif they are not called by the contract where they are defined.SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
MyStrategy.sol
function initialize()
function getProtectedTokens()
function manualProcessExpiredLocks()
TOOLS USED
Manual Analysis
MITIGATION
Declare these functions as
externalinstead ofpublicTODOs left in the contract
IMPACT
Code architecture, incentives, and error handling/reporting questions/issues should be resolved before deployment
SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
MyStrategy.sol
TODO: Hardcode claim.account = address(this)?
TODO: Too many SLOADs
TOOLS USED
Manual Analysis
MITIGATION
Remove the TODOs/Resolve related issues.
Uint256 alias
IMPACT
uintis an alias foruint256.It is better to use uint256: it brings readability and consistency in the code, and it future proofs it in case of any changes to the alias of uint
SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
MyStrategy.sol
uint i = 0
TOOLS USED
Manual Analysis
MITIGATION
replace
uintwithuint256Unused function parameter
IMPACT
Unused function parameters should be removed
SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
MyStrategy.sol
bytes calldata performData
TOOLS USED
Manual Analysis
MITIGATION
remove this function parameter
Assert should not be used
IMPACT
Properly functioning code should never reach a failing assert statement. If it happened, it would indicate the presence of a bug in the contract. A failing assert uses all the remaining gas. In this case it is the
initializefunction and would not impact users, but it would still be wasting the team's funds if something were to go wrong.SEVERITY
Low
PROOF OF CONCEPT
Instances include:
MyStrategy.sol
assert(IVault(_vault).token() == address(AURA))
TOOLS USED
Manual Analysis
MITIGATION
Replace the assert statement with a require statement or a custom error
safeApprove() is deprecated
PROBLEM
This function is deprecated.
SEVERITY
Low
PROOF OF CONCEPT
Instances include:
MyStrategy.sol
AURA.safeApprove(address(LOCKER), type(uint256).max)
AURABAL.safeApprove(address(BALANCER_VAULT), type(uint256).max)
WETH.safeApprove(address(BALANCER_VAULT), type(uint256).max)
TOOLS USED
Manual Analysis
MITIGATION
safeIncreaseAllowance()andsafeDecreaseAllowance()should be used instead.Setters should check the input value
PROBLEM
Setters should check the input value - ie make revert if it is the zero address.
SEVERITY
Low
PROOF OF CONCEPT
Instances include:
MyStrategy.sol
function manualSetDelegate(address delegate)
function setBribesProcessor(IBribesProcessor newBribesProcessor)
TOOLS USED
Manual Analysis
MITIGATION
Add non-zero address checks to
delegateandnewBribesProcessor.The text was updated successfully, but these errors were encountered: