Merge pull request #138 from meTokens/fix/audit-fixes

Fix/audit fixes

contracts/curves/BancorCurve.sol

@@ -337,9 +337,8 @@ contract BancorCurve is ICurve {
             return (balancePooled * meTokensBurned) / supply;
         }
         // 1 / (reserveWeight/MAX_WEIGHT)
-        bytes16 exponent = _one.div(
-            uint256(reserveWeight).fromUInt().div(_maxWeight)
-        );
+        bytes16 exponent = _maxWeight.div(uint256(reserveWeight).fromUInt());
+
         // 1 - (meTokensBurned / supply)
         bytes16 s = _one.sub(meTokensBurned.fromUInt().div(supply.fromUInt()));
         // Instead of calculating "s ^ exp", we calculate "e ^ (log(s) * exp)".

contracts/facets/MeTokenRegistryFacet.sol

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-3.0
 pragma solidity 0.8.9;
 
+import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import {ReentrancyGuard} from "@openzeppelin/contracts/security/ReentrancyGuard.sol";
 import {ICurve} from "../interfaces/ICurve.sol";
@@ -25,6 +26,8 @@ contract MeTokenRegistryFacet is
     Modifiers,
     ReentrancyGuard
 {
+    using SafeERC20 for IERC20;
+
     constructor() {}
 
     /// @inheritdoc IMeTokenRegistryFacet
@@ -39,15 +42,11 @@ contract MeTokenRegistryFacet is
         HubInfo memory hubInfo = s.hubs[hubId];
         require(hubInfo.active, "Hub inactive");
         require(!hubInfo.updating, "Hub updating");
-
         if (assetsDeposited > 0) {
-            require(
-                IERC20(hubInfo.asset).transferFrom(
-                    sender,
-                    hubInfo.vault,
-                    assetsDeposited
-                ),
-                "transfer failed"
+            IERC20(hubInfo.asset).safeTransferFrom(
+                sender,
+                hubInfo.vault,
+                assetsDeposited
             );
         }
         // Create meToken erc20 contract

contracts/migrations/SameAssetTransferMigration.sol

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-3.0
 pragma solidity 0.8.9;
 
+import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import {ReentrancyGuard} from "@openzeppelin/contracts/security/ReentrancyGuard.sol";
 import {IHubFacet} from "../interfaces/IHubFacet.sol";
@@ -17,6 +18,8 @@ import {Vault} from "../vaults/Vault.sol";
 /// @notice create a vault to hold an asset if a meToken is resubscribing
 ///         to a different hub with the same asset
 contract SameAssetTransferMigration is ReentrancyGuard, Vault, IMigration {
+    using SafeERC20 for IERC20;
+
     struct SameAssetMigration {
         // if migration is active
         bool isMigrating;
@@ -90,7 +93,10 @@ contract SameAssetTransferMigration is ReentrancyGuard, Vault, IMigration {
         amountOut = meTokenInfo.balancePooled + meTokenInfo.balanceLocked;
 
         // Send asset to new vault only if there's a migration vault
-        IERC20(targetHubInfo.asset).transfer(targetHubInfo.vault, amountOut);
+        IERC20(targetHubInfo.asset).safeTransfer(
+            targetHubInfo.vault,
+            amountOut
+        );
 
         // reset mappings
         delete _sameAssetMigration[meToken];

contracts/migrations/UniswapSingleTransferMigration.sol

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-3.0
 pragma solidity 0.8.9;
 
+import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import {ReentrancyGuard} from "@openzeppelin/contracts/security/ReentrancyGuard.sol";
 import {IHubFacet} from "../interfaces/IHubFacet.sol";
@@ -19,6 +20,8 @@ import {Vault} from "../vaults/Vault.sol";
 /// @dev This contract moves the pooled/locked balances from
 ///      one erc20 to another
 contract UniswapSingleTransferMigration is ReentrancyGuard, Vault, IMigration {
+    using SafeERC20 for IERC20;
+
     struct UniswapSingleTransfer {
         // The earliest time that the swap can occur
         uint256 soonest;
@@ -121,7 +124,10 @@ contract UniswapSingleTransferMigration is ReentrancyGuard, Vault, IMigration {
         }
 
         // Send asset to new vault only if there's a migration vault
-        IERC20(targetHubInfo.asset).transfer(targetHubInfo.vault, amountOut);
+        IERC20(targetHubInfo.asset).safeTransfer(
+            targetHubInfo.vault,
+            amountOut
+        );
 
         // reset mappings
         delete _uniswapSingleTransfers[meToken];
@@ -189,7 +195,7 @@ contract UniswapSingleTransferMigration is ReentrancyGuard, Vault, IMigration {
         }
 
         // Approve router to spend
-        IERC20(hubInfo.asset).approve(address(_router), amountIn);
+        IERC20(hubInfo.asset).safeApprove(address(_router), amountIn);
 
         // https://docs.uniswap.org/protocol/guides/swaps/single-swaps
         ISwapRouter.ExactInputSingleParams memory params = ISwapRouter

contracts/vaults/Vault.sol

@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-3.0
 pragma solidity 0.8.9;
+
 import {IERC20Permit} from "@openzeppelin/contracts/token/ERC20/extensions/draft-IERC20Permit.sol";
 import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
@@ -97,7 +98,7 @@ contract Vault is IVault, ReentrancyGuard {
             require(amount <= accruedFees[asset], "amount > accrued fees");
         }
         accruedFees[asset] -= amount;
-        IERC20(asset).transfer(dao, amount);
+        IERC20(asset).safeTransfer(dao, amount);
         emit Claim(dao, asset, amount);
     }