QA Report #17

Open
code423n4 opened this issue May 12, 2022 · 0 comments
Labels:
bug: Something isn't working
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Contributor

Impact

[1] Using SafeMath is not necessary in Solidity versions 0.8.0+.
Consider using regular operations +-*/.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/Aura.sol#L52
  2. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/Aura.sol#L104
  3. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/Aura.sol#L111
  4. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/Aura.sol#L115
  5. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/Aura.sol#L117
  6. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraBalRewardPool.sol#L108
  7. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraBalRewardPool.sol#L109
  8. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraBalRewardPool.sol#L115
  9. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraBalRewardPool.sol#L123
  10. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraBalRewardPool.sol#L124
  11. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraBalRewardPool.sol#L142
  12. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraBalRewardPool.sol#L143
  13. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraBalRewardPool.sol#L159
  14. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraBalRewardPool.sol#L160
  15. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraBalRewardPool.sol#L212
  16. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraBalRewardPool.sol#L215
  17. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraClaimZap.sol#L197
  18. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraClaimZap.sol#L219
  19. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L162
  20. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L269
  21. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L272
  22. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L275
  23. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L276
  24. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L282
  25. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L293
  26. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L327
  27. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L335
  28. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L348
  29. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L383
  30. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L384
  31. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L401
  32. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L402
  33. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L403
  34. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L404
  35. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L415
  36. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L420
  37. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L421
  38. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L422
  39. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L423
  40. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L434
  41. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L435
  42. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L445
  43. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L483
  44. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L518
  45. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L599
  46. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L654
  47. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L657
  48. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L665
  49. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L670
  50. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L703
  51. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L705
  52. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L718
  53. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L721
  54. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L740
  55. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L795
  56. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L807
  57. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L809
  58. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L810
  59. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L811
  60. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L812
  61. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L828
  62. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L836
  63. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L839
  64. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L864
  65. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L866
  66. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L867
  67. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L868
  68. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraLocker.sol#L872
  69. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraStakingProxy.sol#L186
  70. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraStakingProxy.sol#L187
  71. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraStakingProxy.sol#L208
  72. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//contracts/AuraStakingProxy.sol#L209
  73. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L156
  74. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L158
  75. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L159
  76. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L160
  77. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L161
  78. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L168
  79. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L169
  80. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L170
  81. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L218
  82. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L219
  83. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L234
  84. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L235
  85. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L266
  86. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L267
  87. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L316
  88. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L327
  89. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L336
  90. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L339
  91. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L355
  92. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L357
  93. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L359
  94. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L360
  95. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L361
  96. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L362
  97. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/BaseRewardPool.sol#L366
  98. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/Booster.sol#L275
  99. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/Booster.sol#L595
  100. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/Booster.sol#L597
  101. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/Booster.sol#L599
  102. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/Booster.sol#L604
  103. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/Booster.sol#L605
  104. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/Booster.sol#L610
  105. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/Booster.sol#L655
  106. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L108
  107. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L131
  108. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L148
  109. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L167
  110. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L168
  111. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L169
  112. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L170
  113. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L171
  114. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L174
  115. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L198
  116. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L199
  117. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L200
  118. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L202
  119. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L203
  120. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L216
  121. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L217
  122. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L218
  123. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L226
  124. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L227
  125. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L244
  126. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L248
  127. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L249
  128. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L267
  129. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ConvexMasterChef.sol#L271
  130. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/CrvDepositor.sol#L131
  131. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/CrvDepositor.sol#L177
  132. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/CrvDepositor.sol#L184
  133. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/CrvDepositor.sol#L185
  134. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/CrvDepositor.sol#L188
  135. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L206
  136. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L142
  137. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L144
  138. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L145
  139. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L146
  140. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L147
  141. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L154
  142. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L155
  143. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L156
  144. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L209
  145. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L215
  146. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L224
  147. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L227
  148. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L240
  149. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L242
  150. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L244
  151. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L245
  152. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L246
  153. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L247
  154. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L251
  155. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VoterProxy.sol#L210
  156. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VoterProxy.sol#L211
  157. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289//convex-platform/contracts/contracts/VoterProxy.sol#L225

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[2] Consider following the Checks-Effects-Interactions pattern.
Emitting the event should be at the end of the function.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/Aura.sol#L84
  2. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraBalRewardPool.sol#L163
  3. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraLocker.sol#L365
  4. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/BalLiquidityProvider.sol#L80
  5. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/BaseRewardPool.sol#L238
  6. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/ConvexMasterChef.sol#L287

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[3] Consider using IAuraLocker type here.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraBalRewardPool.sol#L66
  2. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraBalRewardPool.sol#L66

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[4] Consider using IOwner type here.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/BoosterOwner.sol#L206
  2. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/BoosterOwner.sol#L211

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[5] Magic number, consider using named constant instead.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L109
  2. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L115
  3. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L795
  4. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L811
  5. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L160
  6. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L169
  7. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ConvexMasterChef.sol#L171
  8. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ConvexMasterChef.sol#L174
  9. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ConvexMasterChef.sol#L203
  10. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ConvexMasterChef.sol#L217
  11. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ConvexMasterChef.sol#L227
  12. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ConvexMasterChef.sol#L249
  13. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ConvexMasterChef.sol#L271
  14. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/PoolManagerV3.sol#L57
  15. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/StashFactoryV2.sol#L58
  16. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L146
  17. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L155
  18. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraBalRewardPool.sol#L77

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[6] Using if (val) is easier to read than if (val == true).
Using if (!val) is easier to read than if (val == false).
Consider updating all occurrences.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraMerkleDrop.sol#L123
  2. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ArbitartorVault.sol#L54
  3. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L400
  4. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L574
  5. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/RewardFactory.sol#L72
  6. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VoterProxy.sol#L107
  7. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VoterProxy.sol#L168
  8. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VoterProxy.sol#L171
  9. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VoterProxy.sol#L190

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[7] By default, function types and state variables/constants are internal, so the internal keyword can be omitted.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L56
  2. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VoterProxy.sol#L39

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[8] Consider using "_" to separate digit groups, i.e. "100000" could be replaced with "100_000".
This increases code readability.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L81
  2. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L107
  3. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraStakingProxy.sol#L45
  4. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/CrvDepositorWrapper.sol#L61
  5. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/CrvDepositorWrapper.sol#L74
  6. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L30
  7. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L31
  8. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/CrvDepositor.sol#L26
  9. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/CrvDepositor.sol#L27
  10. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/CrvDepositor.sol#L30

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[9] Consider using IERC20 type instead of address.
Or IERC20[] type instead of address[].

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L63
  2. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L64
  3. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraClaimZap.sol#L130
  4. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraClaimZap.sol#L131
  5. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L48
  6. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L71
  7. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L150
  8. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L175
  9. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L195
  10. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L206
  11. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L231
  12. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L307
  13. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L774
  14. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L781
  15. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L785
  16. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L791
  17. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L802
  18. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L848
  19. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L860
  20. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraPenaltyForwarder.sol#L32
  21. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraStakingProxy.sol#L157
  22. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraVestedEscrow.sol#L50
  23. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/BalLiquidityProvider.sol#L28
  24. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/BalLiquidityProvider.sol#L29
  25. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/CrvDepositorWrapper.sol#L30
  26. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L47
  27. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L61
  28. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L88
  29. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L117
  30. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L129
  31. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L143
  32. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L170
  33. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L187
  34. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L200
  35. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L215
  36. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L252
  37. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L265
  38. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ArbitartorVault.sol#L46
  39. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L101
  40. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L102
  41. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool4626.sol#L33
  42. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool4626.sol#L34
  43. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool4626.sol#L37
  44. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L40
  45. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L57
  46. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L58
  47. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L217
  48. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L238
  49. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L255
  50. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L312
  51. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L321
  52. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L323
  53. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L383
  54. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L403
  55. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L417
  56. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L440
  57. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L455
  58. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L459
  59. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L494
  60. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L644
  61. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BoosterOwner.sol#L123
  62. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BoosterOwner.sol#L127
  63. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BoosterOwner.sol#L201
  64. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BoosterOwner.sol#L206
  65. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/DepositToken.sol#L32
  66. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L44
  67. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L50
  68. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L126
  69. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L139
  70. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L157
  71. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L168
  72. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L201
  73. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/PoolManagerProxy.sol#L66
  74. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol#L101
  75. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol#L110
  76. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol#L117
  77. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/PoolManagerV3.sol#L74
  78. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/PoolManagerV3.sol#L80
  79. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/RewardFactory.sol#L56
  80. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/RewardFactory.sol#L56
  81. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/RewardFactory.sol#L71
  82. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/RewardHook.sol#L25
  83. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/TokenFactory.sol#L41
  84. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VoterProxy.sol#L166
  85. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VoterProxy.sol#L206
  86. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VoterProxy.sol#L223
  87. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VoterProxy.sol#L333

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[10] Uint8-256 / Int8-256 is assigned to zero by default; additional reassignment to zero is unnecessary.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L35
  2. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L38
  3. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L39
  4. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L72
  5. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L381
  6. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L485
  7. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L540
  8. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L630
  9. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraMerkleDrop.sol#L29
  10. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraVestedEscrow.sol#L99
  11. https://github.com/code-423n4/2022-05-aura/blob/main/contracts/ExtraRewardsDistributor.sol#L231
  12. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L71
  13. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L72
  14. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L75
  15. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L76
  16. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L77
  17. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/Booster.sol#L29
  18. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/ConvexMasterChef.sol#L63
  19. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/CrvDepositor.sol#L36
  20. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L89
  21. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L90
  22. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L93
  23. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L94
  24. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L95
  25. https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VoterProxy.sol#L308

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[11] It is recommended to explicitly specify uint256 type instead of uint type for better readability.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/BaseRewardPool.sol#L214
  2. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/BaseRewardPool.sol#L230
  3. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/BaseRewardPool.sol#L262
  4. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/BaseRewardPool.sol#L296
  5. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/Booster.sol#L379
  6. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L199
  7. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol#L69

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[12] If `cliff >= totalCliffs`, nothing will be minted.
Consider reverting or adding require in this case.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/Aura.sol#L107

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[13] MinterMinted can be initialized with zero in state variables.
Then you wouldn't need to change it in init function.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/Aura.sol#L33
  2. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/Aura.sol#L74

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[14] Complicated code.
Consider reducing if nesting here by having early return/continue.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraBalRewardPool.sol#L178-L188
  2. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/Booster.sol#L225-L249
  3. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/convex-platform/contracts/contracts/ConvexMasterChef.sol#L301-L305
  4. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraClaimZap.sol#L196-L228
  5. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraLocker.sol#L517-L561
  6. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraLocker.sol#L697-L706
  7. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraLocker.sol#L840-L845

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[15] Consider not wrapping basic arithmetic operations in separate functions.
Just use a + b instead of a.add(b).

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraMath.sol#L15
  2. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraMath.sol#L19
  3. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraMath.sol#L23
  4. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraMath.sol#L27

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[16] Possible overflow here.
Consider checking array length != 0.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraLocker.sol#L332
  2. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraLocker.sol#L334
  3. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/ExtraRewardsDistributor.sol#L171
  4. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/ExtraRewardsDistributor.sol#L218
  5. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraLocker.sol#L292
  6. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraLocker.sol#L335
  7. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraLocker.sol#L640

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[17] Stake function could be simplified by calling stakeFor(msg.sender, _amount).

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraBalRewardPool.sol#L120-L130

Proof of Concept

Tools Used

Recommended Mitigation Steps


Impact

[18] Epochs[0] may not exist in array.
Consider adding require.

Affected code:

  1. https://github.com/code-423n4/2022-05-aura/blob/085f573756b132b2a5992c5aa5d7b907cd11c289/contracts/AuraLocker.sol#L740

Proof of Concept

Tools Used

Recommended Mitigation Steps


@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels May 12, 2022
code423n4 added a commit that referenced this issue May 12, 2022
@0xMaharishi 0xMaharishi added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label May 25, 2022
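
Items [16] and [18] of the report both concern indexing an array that may be empty. The sketch below is an added example, not code from the Aura repository or from the report's author; the contract `EpochLog` and all of its names are hypothetical. It puts the unguarded access beside the length check the report recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;

/// Hypothetical contract for illustration; not taken from the Aura code base.
contract EpochLog {
    struct Epoch {
        uint224 supply;
        uint32 date;
    }

    // Empty until the first checkpoint is written.
    Epoch[] public epochs;

    error NoEpochs();

    /// Unguarded: with an empty array, `epochs.length - 1` underflows.
    /// Solidity 0.8+ reverts with Panic(0x11), which says nothing about
    /// the real cause (no epoch has been recorded yet).
    function latestUnguarded() external view returns (uint224) {
        return epochs[epochs.length - 1].supply;
    }

    /// Unguarded: `epochs[0]` on an empty array reverts with Panic(0x32)
    /// (out-of-bounds index), again without a descriptive reason.
    function firstDateUnguarded() external view returns (uint32) {
        return epochs[0].date;
    }

    /// Guarded: read the length once, reject the empty case explicitly,
    /// then index. The subtraction can no longer underflow.
    function latest() external view returns (uint224) {
        uint256 len = epochs.length;
        if (len == 0) revert NoEpochs();
        return epochs[len - 1].supply;
    }

    /// Guarded with `require`, the form suggested in item [18].
    function firstDate() external view returns (uint32) {
        require(epochs.length != 0, "no epochs");
        return epochs[0].date;
    }

    /// Appends an epoch so the guarded getters have something to return.
    function checkpoint(uint224 supply) external {
        epochs.push(Epoch({supply: supply, date: uint32(block.timestamp)}));
    }
}
```

Both unguarded getters already revert on an empty array under 0.8+, so the guard does not change whether the call fails; it replaces a generic panic code with a reason that callers and off-chain monitoring can act on.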