Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

QA Report #4

Open
code423n4 opened this issue Mar 17, 2022 · 1 comment
Open

QA Report #4

code423n4 opened this issue Mar 17, 2022 · 1 comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Title: Missing non reentrancy modifier
Severity: Low Risk

The following functions are missing reentrancy modifier although some other pulbic/external functions does use reentrancy modifer.
Even though I did not find a way to exploit it, it seems like those functions should have the nonReentrant modifier as the other functions have it as well..

    Collateral.sol, initialize is missing a reentrancy modifier
    Collateral.sol, setWithdrawHook is missing a reentrancy modifier
    PrePOMarket.sol, setFinalLongPrice is missing a reentrancy modifier

Title: Init frontrun
Severity: Low Risk

Most contracts use an init pattern (instead of a constructor) to initialize contract parameters. Unless these are enforced to be atomic with contact deployment via deployment script or factory contracts, they are susceptible to front-running race conditions where an attacker/griefer can front-run (cannot access control because admin roles are not initialized) to initially with their own (malicious) parameters upon detecting (if an event is emitted) which the contract deployer has to redeploy wasting gas and risking other transactions from interacting with the attacker-initialized contract.

Many init functions do not have an explicit event emission which makes monitoring such scenarios harder. All of them have re-init checks; while many are explicit some (those in auction contracts) have implicit reinit checks in initAccessControls() which is better if converted to an explicit check in the main init function itself.
(details credit to: code-423n4/2021-09-sushimiso-findings#64)
The vulnerable initialization functions in the codebase are:

    Collateral.sol, initialize, 38

Title: Treasury may be address(0)
Severity: Low Risk

Make sure the treasury is not address(0).
    
    
    PrePOMarket.sol.setTreasury _newTreasury
    Collateral.sol.initialize _newTreasury

Title: Missing fee parameter validation
Severity: Low Risk

Some fee parameters of functions are not checked for invalid values. Validate the parameters:

    Collateral.setRedemptionFee (_newRedemptionFee)
    PrePOMarket.constructor (_newRedemptionFee)
    PrePOMarket.setMintingFee (_newMintingFee)
    PrePOMarket.setRedemptionFee (_newRedemptionFee)
    PrePOMarket.constructor (_newMintingFee)
    Collateral.setMintingFee (_newMintingFee)

Title: Not verified input
Severity: Low Risk

external / public functions parameters should be validated to make sure the address is not 0.
Otherwise if not given the right input it can mistakenly lead to loss of user funds.

    CollateralDepositRecord.sol.recordDeposit _sender
    Collateral.sol._processDelayedWithdrawal _account
    CollateralDepositRecord.sol.setAllowedHook _hook

Title: safeApprove of openZeppelin is deprecated
Severity: Low Risk

    You use safeApprove of openZeppelin although it's deprecated.
    (see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38)
    You should change it to increase/decrease Allowance as OpenZeppilin says
    This appears in the following locations in the code base

Deprecated safeApprove in SingleStrategyController.sol line 59: _baseToken.approve(address(_newStrategy), type(uint256).max);

Deprecated safeApprove in Collateral.sol line 75: _baseToken.approve(address(_strategyController), _amountToDeposit);

Deprecated safeApprove in SingleStrategyController.sol line 61: _baseToken.approve(address(_oldStrategy), 0);

Title: Never used parameters
Severity: Low Risk

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

    DepositHook.sol: function hook parameter _initialAmount isn't used. (hook is external)
    WithdrawHook.sol: function hook parameter _initialAmount isn't used. (hook is external)

Title: Div by 0
Severity: Medium Risk

Division by 0 can lead to accidentally revert,
(An example of a similar issue - code-423n4/2021-10-defiprotocol-findings#84)

    Collateral.sol (L89) _valueBefore might be 0)

Title: Must approve 0 first
Severity: Low/Med Risk

Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value.
They must first be approved by zero and then the actual allowance must be approved.

approve without approving 0 first Collateral.sol, 75, _baseToken.approve(address(_strategyController), _amountToDeposit);

approve without approving 0 first SingleStrategyController.sol, 59, _baseToken.approve(address(_newStrategy), type(uint256).max);

Title: approve return value is ignored
Severity: Med Risk

Some tokens don't correctly implement the EIP20 standard and their approve function returns void instead of a success boolean.
Calling these functions with the correct EIP20 function signatures will always revert.
Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the mentioned contracts as they revert the transaction because of the missing return value.
We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handle the return value check as well as non-standard-compliant tokens.
The list of occurrences in format (solidity file, line number, actual line)
Collateral.sol, 75, _baseToken.approve(address(_strategyController), _amountToDeposit);

SingleStrategyController.sol, 59, _baseToken.approve(address(_newStrategy), type(uint256).max);

SingleStrategyController.sol, 61, _baseToken.approve(address(_oldStrategy), 0);

Title: Anyone can withdraw others
Severity: Low Risk

Anyone can withdraw users shares. Although we think that they are sent to the right address, it is still
1) not the desired behavior
2) can be dangerous if the receiver is a smart contract
3) the receiver may not know someone withdraw him

    CollateralDepositRecord.recordWithdrawal
    Collateral.setDelayedWithdrawalExpiry
@code423n4 code423n4 added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax bug Something isn't working labels Mar 17, 2022
code423n4 added a commit that referenced this issue Mar 17, 2022
This was referenced Mar 19, 2022
@ramenforbreakfast
Copy link
Collaborator

ramenforbreakfast commented Mar 22, 2022

Missing non reentrancy modifier is not a valid issue. No need for reentrancy guard on setters.

Init frontrun is a non issue as we will be using OpenZeppelin's API which automatically batches deployment
and initialization.

Treasury may be address(0) is not an issue

Missing fee parameter validation is not valid, we check if the fee is below FEE_LIMIT.

not verified input is not a valid claim because these functions use msg.sender and msg.sender cannot be zero.

safeApprove of OpenZeppelin is a valid claim. Deprecated usage of safeApprove is a valid claim, but this submission is confusing because it mentions that we shouldn't use it, but we aren't even using safeApprove. I am recognizing this as valid since it brings to our attention that we need to do so in a revert-safe manner and use safeIncreaseAllowance and safeDecreaseAllowance.

never used parameters is a valid claim, but more documentation wise, we should document that initialAmount is not currently used, but made available for future hook contracts.

Must approve 0 first is a valid claim for USDT compatibility (not verified yet).

approve return value is ignored is essentially duplicate of safeApprove of OpenZeppelin

div by 0 is not a medium risk, it reverts and is not a threat, or at least the report doesn't demonstrate how could this be exploited. Not an issue.

Anyone can withdraw others doesn't make sense. Not an issue.

Overall, I think it is fair to keep this as a low-severity submission due to safeApprove of OpenZeppelin and Must approve 0 first. never used parameters is a valid documentation issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Development

No branches or pull requests

2 participants