Stable2 Well Function and Upgradeable Well Remediations.

[nickkatsios]

This PR addresses all the high and medium severity findings for the Stable2 and Well upgradeable changes from the latest CodeArena audit.

Findings repo:

All findings Report

Sponsored Confirmed Issues:

Confirmed issues

Remediations:

High and Medium Severity

---

Issue

• Unrestricted Contract Upgrade Mechanism in WellUpgradeable Allows for Arbitrary Implementation Changes and Potential Fund Drainage code-423n4/2024-07-basin-findings#60
• Anyone can upgrade Well's implementation code-423n4/2024-07-basin-findings#18

Fix

• Addressed in: Add access control to authorizeUpgrade [#60] [#18] #138
• Added an onlyOwner modifier in the upgradeTo and upgradeToAndCall functions in WellUpgradeable.

---

Issue

• notDelegatedOrIsMinimalProxy reverts incorrectly code-423n4/2024-07-basin-findings#26

Fix

• Addressed in: notDelegatedOrIsMinimalProxy modifier fix [#26] #142
• Remove the else statement in notDelegatedOrIsMinimalProxy modifier to allow delegate calls since we are always dealing with proxies here.

---

Issue

• For extreme ratios getRatiosFromPriceSwap will return data for which is impossible to converge into a reserve code-423n4/2024-07-basin-findings#25
• Stable2LUT1::getRatiosFromPriceLiquidity - In extreme cases, updateReserve will start breaking code-423n4/2024-07-basin-findings#22

Fix

• Addressed in: CalcReserve extreme values fix [#25] [#22] #137
• Readjust the max step size in Stable2 when scaledReserve[j] is updated. This ensures that maxStep size can never be larger than the j reserve.
• In the case where newton's method overestimates, set high/low price to the new price, which guarantees convergence.

---

Issue

• WellUpgradeable#_authorizeUpgrade should check tokens in the new implementation code-423n4/2024-07-basin-findings#23

Fix

• Addressed in: Add check for new well tokens in authorizeUpgrade [#23] #140
• When upgrading the well to a new implementation, a check is added to ensure the new well tokens are the same and in the same order.

---

Issue

• Even though calcLpTokenSupply() does not converge, it does not revert. code-423n4/2024-07-basin-findings#19

Fix

• Addressed in: Add explicit reverts in functions that use Newton's method after non-convergence [#19] #139
• Added explicit reverts in all functions that use a newtons method calculation in the case of non convergence.

---

Issue

• Incorrectly assigned decimal1 parameter upon decoding code-423n4/2024-07-basin-findings#17

Fix

• Addressed in: Stable2 decimal1 fix [#17] #141
• Replaced decimal0 with decimal1 in decodeWellData.

Low and QA fixes

---

Issue

• L-03 Change the visibility of the function proxiableUUID from external to public
  : https://github.com/code-423n4/2024-07-basin-findings/blob/main/data/willycode20-Q.md#l-03-change-the-visibility-of-the-function-proxiableuuid-from-external-to-public

Fix

• Addressed in: Misc QA Fixes. #144

---

Issue

• [I-1] Incorrect documentation in calcReserveAtRatioSwap function
  : https://github.com/code-423n4/2024-07-basin-findings/blob/main/data/zanderbyte-Q.md#i-1-incorrect-documentation-in-calcreserveatratioswap-function

Fix

• Addressed in: Misc QA Fixes. #144

---

Issue

• Unreachable code blocks in calcReserveAtRatioSwap function and calcReserveAtRatioLiquidity : https://github.com/code-423n4/2024-07-basin-findings/blob/main/data/zanderbyte-Q.md#i-2-unreachable-code-block-in-calcreserveatratioswap-function

Fix

• Addressed in: Misc QA Fixes. #144

---

Issue

• Redundant sumReserves == 0 check in calcLpTokenSupply
  : https://github.com/code-423n4/2024-07-basin-findings/blob/main/data/ZanyBonzy-Q.md#2-redundant-sumreserves--0-check-in-calclptokensupply

Fix

• Addressed in: Misc QA Fixes. #144

The remediations were sent to codeArena for re-audit, and remaining issues were fixed in #145.