Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

QA Report #7

Open
code423n4 opened this issue Mar 17, 2022 · 1 comment
Open

QA Report #7

code423n4 opened this issue Mar 17, 2022 · 1 comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

  1. There are a lack of input checks around the contracts:
  1. Methods and code without comments. Comments are missing which makes review difficult and reduces the quality of the code.
  2. Logic prone to reentrancy errors. When the amount exceed the total allowed to withdraw, instead of fault the transaction it set the amount to 0.
  1. The use of clearAllowedAccounts should force to change the _root, otherwise the users can use allowSelf to be allowed again.
  1. Some methods doesn't check the result of the approve, transfer and transferFrom calls. ERC20 standard specify that the token can return false if the transfer was not made, so it's mandatory to check the result of this calls.
  1. In PrePOMarketFactory Is not checked that _deployedMarkets[_salt] already exists, so a possible collision could occur and change the stored market entry.
  1. Use delete instead of set to default value (false or 0)
@code423n4 code423n4 added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax bug Something isn't working labels Mar 17, 2022
code423n4 added a commit that referenced this issue Mar 17, 2022
@ramenforbreakfast
Copy link
Collaborator

ramenforbreakfast commented Mar 22, 2022

1 and 2 are too vague for me to consider as valid submissions.
3 needs to demonstrate how such a situation would occur.
4 is not an issue, this is why we have setRootAndClearAllowedAccounts to perform this atomically.
5 is a duplicate of #4.
6 is a duplicate of #2.
7 is a minor change and does not explain the benefits of doing this.

@ramenforbreakfast ramenforbreakfast added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Mar 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Development

No branches or pull requests

2 participants