QA Report

[code423n4]

Issue #1 (Low) - Setter function should check for Zero Address

When setting the community reserve address, should check for an input 0 address.

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/strategies/ConvexStrategyBase.sol#L182

Issue #2 (Low) - Use of deprecated safeApprove()

OpenZeppelin lists this function as deprecated. It is recommended to use safeIncreaseAllowance.

OpenZeppelin Documentation:
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/fcf35e5722847f5eadaaee052968a8a54d03622a/contracts/token/ERC20/utils/SafeERC20.sol#L39-L45

Link to code:
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/actions/topup/handlers/CompoundHandler.sol#L71

Issue #3 (Low) - Front-runnable initializers

Lack of access control on an initialize function can be front-run, leading to redeployment.

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/LpToken.sol#L28-L39

Issue #4 (Low) - No transfer ownership pattern

In a couple places, transfer of an important admin address occurs without validation that the receiving address is correct. It is recommended to set the desired new address as pending until the new address is able to confirm the change. If the admin/strategist addresses are transferred incorrectly, issues will follow.

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/strategies/ConvexStrategyBase.sol#L261

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/tokenomics/VestedEscrow.sol#L69-L72

Issue #5 (Low) - Some tokens need to approve 0 when changing from non-zero to non-zero allowance

USDT for example will not work with the current implementation. The initial approve will succeed, but subsequent approvals will fail without resetting the approval to 0 first.

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/actions/topup/TopUpAction.sol#L50

Issue #6 (Low) - Require message seems incorrect

The require checks the access of the sender to call the function, but the require message indicates that not enough BKD has been staked.

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/actions/topup/TopUpAction.sol#L546

Issue #7 (Low) Register() function will succeed with 0 value maxFee

If the user calls register() with a maxFee = 0 then the register action will fail while they send 0 ether. The action won't be able to be enacted upon, so it's simply creating waste within the protocol. This action will show up in other function calls needlessly.

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/actions/topup/TopUpAction.sol#L220-L222

Issue #8 (Low) - Fee on transfer tokens not supported

If a token with fee on transfer is used, these actions will fail.

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/vault/VaultReserve.sol#L59

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/StakerVault.sol#L340

Issue #9 (Non-critical) - Order of params in comments doesn't match implementation

depositAmount and protocol are switched.

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/actions/topup/TopUpAction.sol#L199-L200

Issue #10 (Non-critical) - Typo in word "Community"

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/strategies/ConvexStrategyBase.sol#L175

Issue #11 (Non-critical) - Typo in word "Note"

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/StakerVault.sol#L31