-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
QA Report #4
Comments
Missing non reentrancy modifier is not a valid issue. No need for reentrancy guard on setters. Init frontrun is a non issue as we will be using OpenZeppelin's API which automatically batches deployment Treasury may be address(0) is not an issue Missing fee parameter validation is not valid, we check if the fee is below FEE_LIMIT. not verified input is not a valid claim because these functions use safeApprove of OpenZeppelin is a valid claim. Deprecated usage of never used parameters is a valid claim, but more documentation wise, we should document that initialAmount is not currently used, but made available for future hook contracts. Must approve 0 first is a valid claim for USDT compatibility (not verified yet). approve return value is ignored is essentially duplicate of safeApprove of OpenZeppelin div by 0 is not a medium risk, it reverts and is not a threat, or at least the report doesn't demonstrate how could this be exploited. Not an issue. Anyone can withdraw others doesn't make sense. Not an issue. Overall, I think it is fair to keep this as a low-severity submission due to safeApprove of OpenZeppelin and Must approve 0 first. never used parameters is a valid documentation issue. |
Title: Missing non reentrancy modifier
Severity: Low Risk
The following functions are missing reentrancy modifier although some other pulbic/external functions does use reentrancy modifer.
Even though I did not find a way to exploit it, it seems like those functions should have the nonReentrant modifier as the other functions have it as well..
Title: Init frontrun
Severity: Low Risk
Most contracts use an init pattern (instead of a constructor) to initialize contract parameters. Unless these are enforced to be atomic with contact deployment via deployment script or factory contracts, they are susceptible to front-running race conditions where an attacker/griefer can front-run (cannot access control because admin roles are not initialized) to initially with their own (malicious) parameters upon detecting (if an event is emitted) which the contract deployer has to redeploy wasting gas and risking other transactions from interacting with the attacker-initialized contract.
Many init functions do not have an explicit event emission which makes monitoring such scenarios harder. All of them have re-init checks; while many are explicit some (those in auction contracts) have implicit reinit checks in initAccessControls() which is better if converted to an explicit check in the main init function itself.
(details credit to: code-423n4/2021-09-sushimiso-findings#64)
The vulnerable initialization functions in the codebase are:
Title: Treasury may be address(0)
Severity: Low Risk
Title: Missing fee parameter validation
Severity: Low Risk
Some fee parameters of functions are not checked for invalid values. Validate the parameters:
Title: Not verified input
Severity: Low Risk
Title: safeApprove of openZeppelin is deprecated
Severity: Low Risk
Deprecated safeApprove in SingleStrategyController.sol line 59: _baseToken.approve(address(_newStrategy), type(uint256).max);
Deprecated safeApprove in Collateral.sol line 75: _baseToken.approve(address(_strategyController), _amountToDeposit);
Deprecated safeApprove in SingleStrategyController.sol line 61: _baseToken.approve(address(_oldStrategy), 0);
Title: Never used parameters
Severity: Low Risk
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Title: Div by 0
Severity: Medium Risk
Division by 0 can lead to accidentally revert,
(An example of a similar issue - code-423n4/2021-10-defiprotocol-findings#84)
Title: Must approve 0 first
Severity: Low/Med Risk
Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value.
They must first be approved by zero and then the actual allowance must be approved.
approve without approving 0 first Collateral.sol, 75, _baseToken.approve(address(_strategyController), _amountToDeposit);
approve without approving 0 first SingleStrategyController.sol, 59, _baseToken.approve(address(_newStrategy), type(uint256).max);
Title: approve return value is ignored
Severity: Med Risk
Some tokens don't correctly implement the EIP20 standard and their approve function returns void instead of a success boolean.
Calling these functions with the correct EIP20 function signatures will always revert.
Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the mentioned contracts as they revert the transaction because of the missing return value.
We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handle the return value check as well as non-standard-compliant tokens.
The list of occurrences in format (solidity file, line number, actual line)
Collateral.sol, 75, _baseToken.approve(address(_strategyController), _amountToDeposit);
SingleStrategyController.sol, 59, _baseToken.approve(address(_newStrategy), type(uint256).max);
SingleStrategyController.sol, 61, _baseToken.approve(address(_oldStrategy), 0);
Title: Anyone can withdraw others
Severity: Low Risk
Anyone can withdraw users shares. Although we think that they are sent to the right address, it is still
1) not the desired behavior
2) can be dangerous if the receiver is a smart contract
3) the receiver may not know someone withdraw him
The text was updated successfully, but these errors were encountered: