Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #38

Open
code423n4 opened this issue Apr 21, 2022 · 1 comment
Open

QA Report #38

code423n4 opened this issue Apr 21, 2022 · 1 comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Title: Solidity compiler versions mismatch
Severity: Low Risk

The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.

Title: Named return issue
Severity: Low Risk

Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing.
Furthermore, removing either the actual return or the named return will save gas.

    vToken.sol, mint
    AUMCalculationLibrary.sol, rpow
    FullMath.sol, mulDiv
    vToken.sol, burn

Title: Assert instead require to validate user inputs
Severity: Low Risk

    From solidity docs: Properly functioning code should never reach a failing assert statement; if this happens there is a bug in your contract which you should fix.
    With assert the user pays the gas and with require it doesn't. The ETH network gas isn't cheap and users can see it as a scam.
    
    IndexLogic.sol : reachable assert in line 71

Title: Add a timelock
Severity: Low Risk

To give more trust to users: functions that set key/critical variables should be put behind a timelock.

    https://github.com/code-423n4/2022-04-phuture/tree/main/contracts/PhuturePriceOracle.sol#L55

Title: Init frontrun
Severity: Low Risk

Most contracts use an init pattern (instead of a constructor) to initialize contract parameters. Unless these are enforced to be atomic with contact deployment via deployment script or factory contracts, they are susceptible to front-running race conditions where an attacker/griefer can front-run (cannot access control because admin roles are not initialized) to initially with their own (malicious) parameters upon detecting (if an event is emitted) which the contract deployer has to redeploy wasting gas and risking other transactions from interacting with the attacker-initialized contract.

Many init functions do not have an explicit event emission which makes monitoring such scenarios harder. All of them have re-init checks; while many are explicit some (those in auction contracts) have implicit reinit checks in initAccessControls() which is better if converted to an explicit check in the main init function itself.
(details credit to: code-423n4/2021-09-sushimiso-findings#64)
The vulnerable initialization functions in the codebase are:

    vToken.sol, constructor, 51
    vToken.sol, initialize, 55

Title: Not verified input
Severity: Low Risk

external / public functions parameters should be validated to make sure the address is not 0.
Otherwise if not given the right input it can mistakenly lead to loss of user funds.

    
    PhuturePriceOracle.sol.setOracleOf _asset
    IndexLogic.sol.burn _recipient
    vToken.sol.transferFrom _to
    vToken.sol.transfer _recipient
    vToken.sol.transferFrom _from

Title: Check transfer receiver is not 0 to avoid burned money
Severity: Low Risk

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

    https://github.com/code-423n4/2022-04-phuture/tree/main/contracts/vToken.sol#L210
    https://github.com/code-423n4/2022-04-phuture/tree/main/contracts/IndexLogic.sol#L115
    https://github.com/code-423n4/2022-04-phuture/tree/main/contracts/vToken.sol#L187
    https://github.com/code-423n4/2022-04-phuture/tree/main/contracts/vToken.sol#L77
    https://github.com/code-423n4/2022-04-phuture/tree/main/contracts/vToken.sol#L196

Title: Does not validate the input fee parameter
Severity: Low Risk

Some fee parameters of functions are not checked for invalid values. Validate the parameters:

    PhutureIndex._chargeAUMFee (_feePool)

Title: Require with empty message
Severity: Low Risk

The following requires are with empty messages.
This is very important to add a message for any require. Such that the user has enough
information to know the reason of failure:

    Solidity file: FullMath.sol, In line 44 with Empty Require message.

Title: Missing commenting
Severity: Low Risk

    The following functions are missing commenting as describe below:
    
    NAV.sol, transfer (internal), parameter self not commented
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Apr 21, 2022
code423n4 added a commit that referenced this issue Apr 21, 2022
@code423n4
robee issue #38
5343aa0
@moose-code
Copy link
Collaborator

Nice

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@moose-code @code423n4