Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #173

Open
code423n4 opened this issue May 23, 2022 · 2 comments
Open

QA Report #173

code423n4 opened this issue May 23, 2022 · 2 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

code423n4 commented May 23, 2022
edited by itsmetechjay
Loading

Summary

Low Risk Issues

Issue Instances
1 Wrong amounts sent if arrays don't match 1
2 Incorrect/misleading NatSpec 1
3 Function reverts if called a second time 1
4 pragma experimental ABIEncoderV2 is deprecated 1
5 safeApprove() is deprecated 36
6 Missing checks for address(0x0) when assigning values to address state variables 103

Total: 143 instances over 6 issues

Non-critical Issues

Issue Instances
1 Unused file 1
2 Call For/From variants instead of copying an pasting code 1
3 Remove tautological code 1
4 Adding a return statement when the function defines a named return variable, is redundant 3
5 override function arguments that are unused should have the variable name removed or commented out to avoid compiler warnings 1
6 public functions not called by the contract should be declared external instead 18
7 type(uint<n>).max should be used instead of uint<n>(-1) 8
8 constants should be defined rather than using magic numbers 47
9 Redundant cast 2
10 Numeric values having to do with time should use time units for readability 4
11 Missing event for critical parameter change 24
12 Use a more recent version of solidity 1
13 Use a more recent version of solidity 26
14 Use a more recent version of solidity 1
15 Constant redefined elsewhere 38
16 Inconsistent spacing in comments 80
17 Non-library/interface files should use fixed compiler versions, not floating ones 12
18 Typos 29
19 File is missing NatSpec 6
20 NatSpec is incomplete 21
21 Event is missing indexed fields 66

Total: 390 instances over 21 issues

Low Risk Issues

1. Wrong amounts sent if arrays don't match

The caller may make a copy-paste error where they provide all amounts, but miss one of the recipients in the middle of the list they're copying. This will cause all recipients after that mistake to get the wrong amounts, and the function will not revert

There is 1 instance of this issue:

File: contracts/AuraVestedEscrow.sol   #1

96:      function fund(address[] calldata _recipient, uint256[] calldata _amount) external nonReentrant {

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L96

2. Incorrect/misleading NatSpec

The function retrieves the number of votes at the end of an epoch, not at the end of a block. Furthermore, blockNumber is not an actual variable name

There is 1 instance of this issue:

File: contracts/AuraLocker.sol   #1

595:      * @dev Retrieve the number of votes for `account` at the end of `blockNumber`.

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L595

3. Function reverts if called a second time

safeApprove() reverts if called a second time without fist calling safeApprove(0)

There is 1 instance of this issue:

File: contracts/CrvDepositorWrapper.sol   #1

/// @audit `setApprovals()` is an external function that calls this function. If it's called more than once, the secondary calls will revert
51       function _setApprovals() internal {
52           IERC20(WETH).safeApprove(address(BALANCER_VAULT), type(uint256).max);
53           IERC20(BAL).safeApprove(address(BALANCER_VAULT), type(uint256).max);
54:      }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/CrvDepositorWrapper.sol#L51-L54

4. pragma experimental ABIEncoderV2 is deprecated

Use pragma abicoder v2 instead

There is 1 instance of this issue:

File: contracts/AuraLocker.sol   #1

3:   pragma experimental ABIEncoderV2;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L3

5. safeApprove() is deprecated

Deprecated in favor of safeIncreaseAllowance() and safeDecreaseAllowance(). If only setting the initial allowance to the value that means infinite, safeIncreaseAllowance() can be used instead

There are 36 instances of this issue:

File: contracts/AuraClaimZap.sol

98:           IERC20(crv).safeApprove(crvDepositWrapper, 0);

99:           IERC20(crv).safeApprove(crvDepositWrapper, type(uint256).max);

101:          IERC20(cvxCrv).safeApprove(cvxCrvRewards, 0);

102:          IERC20(cvxCrv).safeApprove(cvxCrvRewards, type(uint256).max);

104:          IERC20(cvx).safeApprove(locker, 0);

105:          IERC20(cvx).safeApprove(locker, type(uint256).max);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraClaimZap.sol#L98

File: contracts/AuraMerkleDrop.sol

131:              aura.safeApprove(address(auraLocker), 0);

132:              aura.safeApprove(address(auraLocker), _amount);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L131

File: contracts/AuraPenaltyForwarder.sol

41:           token.safeApprove(address(distributor), type(uint256).max);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraPenaltyForwarder.sol#L41

File: contracts/AuraBalRewardPool.sol

75:           rewardToken.safeApprove(_auraLocker, type(uint256).max);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L75

File: contracts/AuraLocker.sol

240:          IERC20(cvxCrv).safeApprove(cvxcrvStaking, 0);

241:          IERC20(cvxCrv).safeApprove(cvxcrvStaking, type(uint256).max);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L240

File: contracts/CrvDepositorWrapper.sol

52:           IERC20(WETH).safeApprove(address(BALANCER_VAULT), type(uint256).max);

53:           IERC20(BAL).safeApprove(address(BALANCER_VAULT), type(uint256).max);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/CrvDepositorWrapper.sol#L52

File: contracts/AuraStakingProxy.sol

147:          IERC20(crv).safeApprove(crvDepositorWrapper, 0);

148:          IERC20(crv).safeApprove(crvDepositorWrapper, type(uint256).max);

150:          IERC20(cvxCrv).safeApprove(rewards, 0);

151:          IERC20(cvxCrv).safeApprove(rewards, type(uint256).max);

215:              _token.safeApprove(rewards, 0);

216:              _token.safeApprove(rewards, type(uint256).max);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L147

File: contracts/AuraVestedEscrow.sol

186:              rewardToken.safeApprove(address(auraLocker), claimable);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L186

File: contracts/BalLiquidityProvider.sol

59:               tkn.safeApprove(address(bVault), 0);

60:               tkn.safeApprove(address(bVault), bal);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/BalLiquidityProvider.sol#L59

File: convex-platform/contracts/contracts/CrvDepositor.sol

199:              IERC20(minter).safeApprove(_stakeAddress,0);

200:              IERC20(minter).safeApprove(_stakeAddress,_amount);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L199

File: convex-platform/contracts/contracts/VoterProxy.sol

176:              IERC20(_token).safeApprove(_gauge, 0);

177:              IERC20(_token).safeApprove(_gauge, balance);

193:          _asset.safeApprove(rewardDeposit, 0);

194:          _asset.safeApprove(rewardDeposit, balance);

244:          IERC20(crvBpt).safeApprove(escrow, 0);

245:          IERC20(crvBpt).safeApprove(escrow, _value);

255:          IERC20(crvBpt).safeApprove(escrow, 0);

256:          IERC20(crvBpt).safeApprove(escrow, _value);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VoterProxy.sol#L176

File: convex-platform/contracts/contracts/BaseRewardPool4626.sol

40:           IERC20(asset).safeApprove(operator_, type(uint256).max);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool4626.sol#L40

File: convex-platform/contracts/contracts/Booster.sol

422:              IERC20(token).safeApprove(rewardContract,0);

423:              IERC20(token).safeApprove(rewardContract,_amount);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L422

6. Missing checks for address(0x0) when assigning values to address state variables

There are 103 instances of this issue:

File: contracts/AuraClaimZap.sol

76:           crv = _crv;

77:           cvx = _cvx;

78:           cvxCrv = _cvxCrv;

79:           crvDepositWrapper = _crvDepositWrapper;

80:           cvxCrvRewards = _cvxCrvRewards;

81:           locker = _locker;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraClaimZap.sol#L76

File: contracts/AuraMerkleDrop.sol

62:           dao = _dao;

66:           penaltyForwarder = _penaltyForwarder;

79:           dao = _newDao;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L62

File: contracts/AuraBalRewardPool.sol

72:           rewardManager = _rewardManager;

74:           penaltyForwarder = _penaltyForwarder;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L72

File: contracts/AuraLocker.sol

159:          cvxCrv = _cvxCrv;

160:          cvxcrvStaking = _cvxCrvStaking;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L159

File: contracts/ClaimFeesHelper.sol

36:           voterProxy = _voterProxy;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ClaimFeesHelper.sol#L36

File: contracts/CrvDepositorWrapper.sol

114:          crvDeposit = _crvDeposit;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/CrvDepositorWrapper.sol#L114

File: contracts/Aura.sol

51:           vecrvProxy = _proxy;

85:           operator = newOperator;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/Aura.sol#L51

File: contracts/AuraStakingProxy.sol

74:           rewards = _rewards;

76:           crv = _crv;

77:           cvx = _cvx;

78:           cvxCrv = _cvxCrv;

79:           crvDepositorWrapper = _crvDepositorWrapper;

92:           crvDepositorWrapper = _crvDepositorWrapper;

101:          keeper = _keeper;

109:          pendingOwner = _po;

139:          rewards = _rewards;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L74

File: contracts/AuraVestedEscrow.sol

60:           admin = admin_;

79:           admin = _admin;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L60

File: contracts/BalLiquidityProvider.sol

38:           dao = _dao;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/BalLiquidityProvider.sol#L38

File: convex-platform/contracts/contracts/RewardHook.sol

33:           stash = _stash;

34:           rewardToken = _reward;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/RewardHook.sol#L33

File: convex-platform/contracts/contracts/PoolManagerProxy.sol

27:           pools = _pools;

28:           owner = _owner;

44:           owner = _owner;

49:           operator = _operator;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/PoolManagerProxy.sol#L27

File: convex-platform/contracts/contracts/DepositToken.sol

44:           operator =  _operator;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/DepositToken.sol#L44

File: convex-platform/contracts/contracts/cCrv.sol

40:           operator = _operator;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/cCrv.sol#L40

File: convex-platform/contracts/contracts/StashFactoryV2.sol

40:           operator = _operator;

41:           rewardFactory = _rewardFactory;

42:           proxyFactory = _proxyFactory;

48:           v1Implementation = _v1;

49:           v2Implementation = _v2;

50:           v3Implementation = _v3;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/StashFactoryV2.sol#L40

File: convex-platform/contracts/contracts/PoolManagerV3.sol

34:           pools = _pools;

35:           gaugeController = _gaugeController;

36:           operator = _operator;

42:           operator = _operator;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/PoolManagerV3.sol#L34

File: convex-platform/contracts/contracts/ArbitartorVault.sol

34:           depositor = _depositor;

39:           operator = _op;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ArbitartorVault.sol#L34

File: convex-platform/contracts/contracts/CrvDepositor.sol

54:           staker = _staker;

55:           minter = _minter;

56:           crvBpt = _crvBpt;

57:           escrow = _escrow;

59:           daoOperator = _daoOperator;

64:           feeManager = _feeManager;

69:           daoOperator = _daoOperator;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L54

File: convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol

40:           gaugeController = _gaugeController;

41:           pools = _pools;

42:           booster = _booster;

43:           owner = _owner; 

59:           owner = _owner;

64:           operator = _operator;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol#L40

File: convex-platform/contracts/contracts/TokenFactory.sol

36:           operator = _operator;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/TokenFactory.sol#L36

File: convex-platform/contracts/contracts/VoterProxy.sol

58:           mintr = _mintr; 

59:           crv = _crv;

60:           crvBpt = _crvBpt;

61:           escrow = _escrow;

62:           gaugeController = _gaugeController;

75:           owner = _owner;

85:           withdrawer = _withdrawer;

86:           rewardDeposit = _rewardDeposit;

96:           gaugeController = _gaugeController;

97:           mintr = _mintr;

109:          operator = _operator;

119:          depositor = _depositor;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VoterProxy.sol#L58

File: convex-platform/contracts/contracts/BoosterOwner.sol

77:           owner = _owner;

78:           poolManager = _poolManager;

79:           booster = _booster;

80:           stashFactory = _stashFactory;

81:           rescueStash = _rescueStash;

91:           pendingowner = _owner;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BoosterOwner.sol#L77

File: convex-platform/contracts/contracts/ExtraRewardStashV3.sol

59:         crv = _crv;

72:           operator = _operator;

73:           staker = _staker;

74:           gauge = _gauge;

75:           rewardFactory = _rFactory;

148:          rewardHook = _hook;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L59

File: convex-platform/contracts/contracts/BaseRewardPool.sol

109:          operator = operator_;

110:          rewardManager = rewardManager_;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L109

File: convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol

116:          operator = op_;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L116

File: convex-platform/contracts/contracts/BaseRewardPool4626.sol

39:           asset = lptoken_;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool4626.sol#L39

File: convex-platform/contracts/contracts/Booster.sol

103:          staker = _staker;

104:          minter = _minter;

105:          crv = _crv;

106:          voteOwnership = _voteOwnership;

107:          voteParameter = _voteParameter;

130:          owner = _owner;

140:          feeManager = _feeM;

150:          poolManager = _poolM;

183:          rewardArbitrator = _arb;

193:          voteDelegate = _voteDelegate;

296:          treasury = _treasury;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L103

File: convex-platform/contracts/contracts/RewardFactory.sol

42:           crv = _crv;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/RewardFactory.sol#L42

Non-critical Issues

1. Unused file

The file is never imported by any other file

There is 1 instance of this issue:

File: convex-platform/contracts/contracts/interfaces/BoringMath.sol   #1

0:    // SPDX-License-Identifier: MIT

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/interfaces/BoringMath.sol#L0

2. Call For/From variants instead of copying an pasting code

Duplicating code can lead to errors when a change is made to only one of the locations

There is 1 instance of this issue:

File: contracts/AuraBalRewardPool.sol   #1

/// @audit This function should call `stakeFor(msg.sender, _amount)` instead
120      function stake(uint256 _amount) public updateReward(msg.sender) returns (bool) {
121          require(_amount > 0, "RewardPool : Cannot stake 0");
122  
123          _totalSupply = _totalSupply.add(_amount);
124          _balances[msg.sender] = _balances[msg.sender].add(_amount);
125  
126          stakingToken.safeTransferFrom(msg.sender, address(this), _amount);
127          emit Staked(msg.sender, _amount);
128  
129          return true;
130:     }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L120-L130

3. Remove tautological code

There is 1 instance of this issue:

File: convex-platform/contracts/contracts/CrvDepositor.sol   #1

/// @audit `_lockIncentive` is always greater than or equal to zero, so the condition should be removed
75:          if(_lockIncentive >= 0 && _lockIncentive <= 30){

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L75

4. Adding a return statement when the function defines a named return variable, is redundant

There are 3 instances of this issue:

File: contracts/AuraLocker.sol   #1

678:          return amount;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L678

File: contracts/AuraLocker.sol   #2

778:          return userRewards;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L778

File: convex-platform/contracts/contracts/VoterProxy.sol   #3

196:          return balance;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VoterProxy.sol#L196

5. override function arguments that are unused should have the variable name removed or commented out to avoid compiler warnings

There is 1 instance of this issue:

File: convex-platform/contracts/contracts/BaseRewardPool4626.sol   #1

134:      function maxDeposit(address owner) public view virtual override returns (uint256) {

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool4626.sol#L134

6. public functions not called by the contract should be declared external instead

Contracts are allowed to override their parents' functions and change the visibility from external to public.

There are 18 instances of this issue:

File: contracts/ExtraRewardsDistributor.sol

117:      function getReward(address _account, address _token) public {

127       function getReward(
128           address _account,
129           address _token,
130:          uint256 _startIndex

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ExtraRewardsDistributor.sol#L117

File: contracts/AuraMerkleDrop.sol

114       function claim(
115           bytes32[] calldata _proof,
116           uint256 _amount,
117           bool _lock
118:      ) public returns (bool) {

149       function forwardPenalty() public {
150:          uint256 toForward = pendingPenalty;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L114-L118

File: contracts/AuraPenaltyForwarder.sol

47        function forward() public {
48:           require(block.timestamp > lastDistribution + distributionDelay, "!elapsed");

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraPenaltyForwarder.sol#L47-L48

File: contracts/AuraBalRewardPool.sol

138:      function stakeFor(address _for, uint256 _amount) public updateReward(_for) returns (bool) {

152       function withdraw(
153           uint256 amount,
154           bool claim,
155           bool lock
156:      ) public updateReward(msg.sender) returns (bool) {

195       function forwardPenalty() public {
196:          uint256 toForward = pendingPenalty;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L138

File: contracts/BalLiquidityProvider.sol

46:       function provideLiquidity(bytes32 _poolId, IVault.JoinPoolRequest memory _request) public {

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/BalLiquidityProvider.sol#L46

File: convex-platform/contracts/contracts/ConvexMasterChef.sol

96        function add(
97            uint256 _allocPoint,
98            IERC20 _lpToken,
99            IRewarder _rewarder,
100           bool _withUpdate
101:      ) public onlyOwner {

121       function set(
122           uint256 _pid,
123           uint256 _allocPoint,
124           IRewarder _rewarder,
125           bool _withUpdate,
126           bool _updateRewarder
127:      ) public onlyOwner {

209:      function deposit(uint256 _pid, uint256 _amount) public {

239:      function withdraw(uint256 _pid, uint256 _amount) public {

283:      function emergencyWithdraw(uint256 _pid) public {

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ConvexMasterChef.sol#L96-L101

File: convex-platform/contracts/contracts/VoterProxy.sol

151:      function isValidSignature(bytes32 _hash, bytes memory) public view returns (bytes4) {

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VoterProxy.sol#L151

File: convex-platform/contracts/contracts/BaseRewardPool.sol

191       function stakeFor(address _for, uint256 _amount)
192           public
193:          returns(bool)

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L191-L193

File: convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol

178       function withdraw(address _account, uint256 amount)
179           public
180:          updateReward(_account)

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L178-L180

File: convex-platform/contracts/contracts/Booster.sol

493:      function withdrawAll(uint256 _pid) public returns(bool){

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L493

7. type(uint<n>).max should be used instead of uint<n>(-1)

There are 8 instances of this issue:

File: convex-platform/contracts/contracts/interfaces/BoringMath.sol

25:           require(a <= uint128(-1), "BoringMath: uint128 Overflow");

30:           require(a <= uint64(-1), "BoringMath: uint64 Overflow");

35:           require(a <= uint32(-1), "BoringMath: uint32 Overflow");

40:           require(a <= uint40(-1), "BoringMath: uint40 Overflow");

45:           require(a <= uint112(-1), "BoringMath: uint112 Overflow");

50:           require(a <= uint224(-1), "BoringMath: uint224 Overflow");

55:           require(a <= uint208(-1), "BoringMath: uint208 Overflow");

60:           require(a <= uint216(-1), "BoringMath: uint216 Overflow");

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/interfaces/BoringMath.sol#L25

8. constants should be defined rather than using magic numbers

There are 47 instances of this issue:

File: contracts/AuraMinter.sol

/// @audit 156
23:           inflationProtectionTime = block.timestamp + 156 weeks;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMinter.sol#L23

File: contracts/ExtraRewardsDistributor.sol

/// @audit 1e20
97:           uint256 rPerT = (_amount * 1e20) / supply;

/// @audit 1e20
257:          return (balance * rewardData[_token][_epoch]) / 1e20;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ExtraRewardsDistributor.sol#L97

File: contracts/AuraBalRewardPool.sol

/// @audit 1e18
109:                  lastTimeRewardApplicable().sub(lastUpdateTime).mul(rewardRate).mul(1e18).div(totalSupply())

/// @audit 1e18
115:              balanceOf(account).mul(rewardPerToken().sub(userRewardPerTokenPaid[account])).div(1e18).add(

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L109

File: contracts/AuraLocker.sol

/// @audit 18
156:          _decimals = 18;

/// @audit 500
216:          require(_rate <= 500, "over max rate"); //max 5% per epoch

/// @audit 1e18
795:          return _balance.mul(_rewardPerToken(_rewardsToken).sub(data.rewardPerTokenPaid)).div(1e18).add(data.rewards);

/// @audit 1e18
811:                      .mul(1e18)

/// @audit 1000
839:          uint256 queuedRatio = currentAtNow.mul(1000).div(_rewards);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L156

File: contracts/CrvDepositorWrapper.sol

/// @audit 3600
60:           queries[0].secs = 3600; // last hour

/// @audit 1e18
73:           uint256 minOut = (((amount * 1e18) / bptOraclePrice) * minOutBps) / 10000;

/// @audit 10000
73:           uint256 minOut = (((amount * 1e18) / bptOraclePrice) * minOutBps) / 10000;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/CrvDepositorWrapper.sol#L60

File: contracts/Aura.sol

/// @audit 5
111:              uint256 reduction = totalCliffs.sub(cliff).mul(5).div(2).add(700);

/// @audit 700
111:              uint256 reduction = totalCliffs.sub(cliff).mul(5).div(2).add(700);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/Aura.sol#L111

File: contracts/AuraStakingProxy.sol

/// @audit 9000
90:           require(_outputBps > 9000 && _outputBps < 10000, "Invalid output bps");

/// @audit 10000
90:           require(_outputBps > 9000 && _outputBps < 10000, "Invalid output bps");

/// @audit 100
129:          require(_incentive <= 100, "too high");

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L90

File: contracts/AuraVestedEscrow.sol

/// @audit 16
66:           require(totalTime >= 16 weeks, "!short");

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L66

File: convex-platform/contracts/contracts/ConvexMasterChef.sol

/// @audit 1e12
171:                  cvxReward.mul(1e12).div(lpSupply)

/// @audit 1e12
174:          return user.amount.mul(accCvxPerShare).div(1e12).sub(user.rewardDebt);

/// @audit 1e12
203:              cvxReward.mul(1e12).div(lpSupply)

/// @audit 1e12
217:                  .div(1e12)

/// @audit 1e12
227:          user.rewardDebt = user.amount.mul(pool.accCvxPerShare).div(1e12);

/// @audit 1e12
244:          uint256 pending = user.amount.mul(pool.accCvxPerShare).div(1e12).sub(

/// @audit 1e12
249:          user.rewardDebt = user.amount.mul(pool.accCvxPerShare).div(1e12);

/// @audit 1e12
267:          uint256 pending = user.amount.mul(pool.accCvxPerShare).div(1e12).sub(

/// @audit 1e12
271:          user.rewardDebt = user.amount.mul(pool.accCvxPerShare).div(1e12);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ConvexMasterChef.sol#L171

File: convex-platform/contracts/contracts/StashFactoryV2.sol

/// @audit 3
58:           if(_stashVersion == uint256(3) && IsV3(_gauge)){

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/StashFactoryV2.sol#L58

File: convex-platform/contracts/contracts/PoolManagerV3.sol

/// @audit 3
57:           _addPool(_gauge,3);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/PoolManagerV3.sol#L57

File: convex-platform/contracts/contracts/CrvDepositor.sol

/// @audit 30
75:           if(_lockIncentive >= 0 && _lockIncentive <= 30){

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L75

File: convex-platform/contracts/contracts/VoterProxy.sol

/// @audit 0xffffffff
155:              return 0xffffffff;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VoterProxy.sol#L155

File: convex-platform/contracts/contracts/BaseRewardPool.sol

/// @audit 1e18
160:                      .mul(1e18)

/// @audit 1e18
169:                  .div(1e18)

/// @audit 1000
339:          uint256 queuedRatio = currentAtNow.mul(1000).div(_rewards);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L160

File: convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol

/// @audit 1e18
146:                      .mul(1e18)

/// @audit 1e18
155:                  .div(1e18)

/// @audit 1000
227:          uint256 queuedRatio = currentAtNow.mul(1000).div(_rewards);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L146

File: convex-platform/contracts/contracts/Booster.sol

/// @audit 825
26:       uint256 public lockIncentive = 825; //incentive to crv stakers

/// @audit 825
27:       uint256 public stakerIncentive = 825; //incentive to native token stakers

/// @audit 50
28:       uint256 public earmarkIncentive = 50; //incentive to users who spend gas to make calls

/// @audit 300
278:          require(_lockFees >= 300 && _lockFees <= 1500, "!lockFees");

/// @audit 1500
278:          require(_lockFees >= 300 && _lockFees <= 1500, "!lockFees");

/// @audit 300
279:          require(_stakerFees >= 300 && _stakerFees <= 1500, "!stakerFees");

/// @audit 1500
279:          require(_stakerFees >= 300 && _stakerFees <= 1500, "!stakerFees");

/// @audit 100
280:          require(_callerFees >= 10 && _callerFees <= 100, "!callerFees");

/// @audit 200
281:          require(_platform <= 200, "!platform");

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L26

9. Redundant cast

The type of the variable is the same as the type to which the variable is being cast

There are 2 instances of this issue:

File: contracts/AuraLocker.sol   #1

/// @audit uint256(_epoch)
654:          uint256 epochStart = uint256(epochs[0].date).add(uint256(_epoch).mul(rewardsDuration));

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L654

File: contracts/AuraLocker.sol   #2

/// @audit uint256(_epoch)
718:          uint256 epochStart = uint256(epochs[0].date).add(uint256(_epoch).mul(rewardsDuration));

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L718

10. Numeric values having to do with time should use time units for readability

There are units for seconds, minutes, hours, days, and weeks

There are 4 instances of this issue:

File: contracts/AuraLocker.sol   #1

/// @audit 86400
81:       uint256 public constant rewardsDuration = 86400 * 7;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L81

File: contracts/CrvDepositorWrapper.sol   #2

/// @audit 3600
60:           queries[0].secs = 3600; // last hour

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/CrvDepositorWrapper.sol#L60

File: convex-platform/contracts/contracts/CrvDepositor.sol   #3

/// @audit 86400
26:       uint256 private constant MAXTIME = 1 * 364 * 86400;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L26

File: convex-platform/contracts/contracts/CrvDepositor.sol   #4

/// @audit 86400
27:       uint256 private constant WEEK = 7 * 86400;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L27

11. Missing event for critical parameter change

There are 24 instances of this issue:

File: contracts/AuraStakingProxy.sol

88        function setCrvDepositorWrapper(address _crvDepositorWrapper, uint256 _outputBps) external {
89            require(msg.sender == owner, "!auth");
90            require(_outputBps > 9000 && _outputBps < 10000, "Invalid output bps");
91    
92            crvDepositorWrapper = _crvDepositorWrapper;
93            outputBps = _outputBps;
94:       }

99        function setKeeper(address _keeper) external {
100           require(msg.sender == owner, "!auth");
101           keeper = _keeper;
102:      }

107       function setPendingOwner(address _po) external {
108           require(msg.sender == owner, "!auth");
109           pendingOwner = _po;
110:      }

137       function setRewards(address _rewards) external {
138           require(msg.sender == owner, "!auth");
139           rewards = _rewards;
140:      }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L88-L94

File: contracts/AuraVestedEscrow.sol

77        function setAdmin(address _admin) external {
78            require(msg.sender == admin, "!auth");
79            admin = _admin;
80:       }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L77-L80

File: convex-platform/contracts/contracts/PoolManagerProxy.sol

43        function setOwner(address _owner) external onlyOwner{
44            owner = _owner;
45:       }

48        function setOperator(address _operator) external onlyOwner{
49            operator = _operator;
50:       }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/PoolManagerProxy.sol#L43-L45

File: convex-platform/contracts/contracts/cCrv.sol

38        function setOperator(address _operator) external {
39            require(msg.sender == operator, "!auth");
40            operator = _operator;
41:       }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/cCrv.sol#L38-L41

File: convex-platform/contracts/contracts/StashFactoryV2.sol

45        function setImplementation(address _v1, address _v2, address _v3) external{
46            require(msg.sender == IDeposit(operator).owner(),"!auth");
47    
48            v1Implementation = _v1;
49            v2Implementation = _v2;
50            v3Implementation = _v3;
51:       }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/StashFactoryV2.sol#L45-L51

File: convex-platform/contracts/contracts/PoolManagerV3.sol

40        function setOperator(address _operator) external {
41            require(msg.sender == operator, "!auth");
42            operator = _operator;
43:       }

48        function setProtectPool(bool _protectAddPool) external {
49            require(msg.sender == operator, "!auth");
50            protectAddPool = _protectAddPool;
51:       }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/PoolManagerV3.sol#L40-L43

File: convex-platform/contracts/contracts/ArbitartorVault.sol

37        function setOperator(address _op) external {
38            require(msg.sender == operator, "!auth");
39            operator = _op;
40:       }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ArbitartorVault.sol#L37-L40

File: convex-platform/contracts/contracts/CrvDepositor.sol

62        function setFeeManager(address _feeManager) external {
63            require(msg.sender == feeManager, "!auth");
64            feeManager = _feeManager;
65:       }

67        function setDaoOperator(address _daoOperator) external {
68            require(msg.sender == daoOperator, "!auth");
69            daoOperator = _daoOperator;
70:       }

72        function setFees(uint256 _lockIncentive) external{
73            require(msg.sender==feeManager, "!auth");
74    
75            if(_lockIncentive >= 0 && _lockIncentive <= 30){
76                lockIncentive = _lockIncentive;
77           }
78:       }

80        function setCooldown(bool _cooldown) external {
81          require(msg.sender == daoOperator, "!auth");
82          cooldown = _cooldown;
83:       }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L62-L65

File: convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol

58        function setOwner(address _owner) external onlyOwner{
59            owner = _owner;
60:       }

63        function setOperator(address _operator) external onlyOwner{
64            operator = _operator;
65:       }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol#L58-L60

File: convex-platform/contracts/contracts/VoterProxy.sol

73        function setOwner(address _owner) external {
74            require(msg.sender == owner, "!auth");
75            owner = _owner;
76:       }

83        function setRewardDeposit(address _withdrawer, address _rewardDeposit) external {
84            require(msg.sender == owner, "!auth");
85            withdrawer = _withdrawer;
86            rewardDeposit = _rewardDeposit;
87:       }

94        function setSystemConfig(address _gaugeController, address _mintr) external returns (bool) {
95            require(msg.sender == owner, "!auth");
96            gaugeController = _gaugeController;
97            mintr = _mintr;
98            return true;
99:       }

105       function setOperator(address _operator) external {
106           require(msg.sender == owner, "!auth");
107           require(operator == address(0) || IDeposit(operator).isShutdown() == true, "needs shutdown");
108           
109           operator = _operator;
110:      }

116       function setDepositor(address _depositor) external {
117           require(msg.sender == owner, "!auth");
118   
119           depositor = _depositor;
120:      }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VoterProxy.sol#L73-L76

File: convex-platform/contracts/contracts/ExtraRewardStashV3.sol

145       function setRewardHook(address _hook) external{
146           //owner of booster can set reward hook
147           require(IDeposit(operator).owner() == msg.sender, "!owner");
148           rewardHook = _hook;
149:      }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L145-L149

12. Use a more recent version of solidity

Use a solidity version of at least 0.8.12 to get string.concat() to be used instead of abi.encodePacked(<str>,<str>)

There is 1 instance of this issue:

File: contracts/AuraMerkleDrop.sol   #1

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L2

13. Use a more recent version of solidity

Use a solidity version of at least 0.8.13 to get the ability to use using for with a list of free functions

There are 26 instances of this issue:

File: contracts/AuraClaimZap.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraClaimZap.sol#L2

File: contracts/ExtraRewardsDistributor.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ExtraRewardsDistributor.sol#L2

File: contracts/AuraPenaltyForwarder.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraPenaltyForwarder.sol#L2

File: contracts/AuraBalRewardPool.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L2

File: contracts/AuraLocker.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L2

File: contracts/CrvDepositorWrapper.sol

2:    pragma solidity 0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/CrvDepositorWrapper.sol#L2

File: contracts/Aura.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/Aura.sol#L2

File: contracts/AuraStakingProxy.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L2

File: contracts/AuraVestedEscrow.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L2

File: contracts/BalLiquidityProvider.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/BalLiquidityProvider.sol#L2

File: convex-platform/contracts/contracts/ConvexMasterChef.sol

3:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ConvexMasterChef.sol#L3

File: convex-platform/contracts/contracts/RewardHook.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/RewardHook.sol#L2

File: convex-platform/contracts/contracts/cCrv.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/cCrv.sol#L2

File: convex-platform/contracts/contracts/StashFactoryV2.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/StashFactoryV2.sol#L2

File: convex-platform/contracts/contracts/ArbitartorVault.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ArbitartorVault.sol#L2

File: convex-platform/contracts/contracts/CrvDepositor.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L2

File: convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol#L2

File: convex-platform/contracts/contracts/TokenFactory.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/TokenFactory.sol#L2

File: convex-platform/contracts/contracts/VoterProxy.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VoterProxy.sol#L2

File: convex-platform/contracts/contracts/interfaces/IRewarder.sol

3:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/interfaces/IRewarder.sol#L3

File: convex-platform/contracts/contracts/ExtraRewardStashV3.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L2

File: convex-platform/contracts/contracts/BaseRewardPool.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L2

File: convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L2

File: convex-platform/contracts/contracts/BaseRewardPool4626.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool4626.sol#L2

File: convex-platform/contracts/contracts/Booster.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L2

File: convex-platform/contracts/contracts/RewardFactory.sol

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/RewardFactory.sol#L2

14. Use a more recent version of solidity

Use a solidity version of at least 0.8.4 to get bytes.concat() instead of abi.encodePacked(<bytes>,<bytes>)
Use a solidity version of at least 0.8.12 to get string.concat() instead of abi.encodePacked(<str>,<str>)

There is 1 instance of this issue:

File: convex-platform/contracts/contracts/DepositToken.sol   #1

2:    pragma solidity 0.6.12;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/DepositToken.sol#L2

15. Constant redefined elsewhere

Consider defining in only one contract so that values cannot become out of sync when only one location is updated. A cheap way to store constants in a single location is to create an internal constant in a library. If the variable is a local cache of another contract's value, consider making the cache variable internal or private, which will require external users to query the contract with the source of truth, so that callers don't get out of sync.

There are 38 instances of this issue:

File: contracts/AuraMerkleDrop.sol

/// @audit seen in /var/tmp/hh/contracts/AuraMinter.sol 
25:       IERC20 public immutable aura;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L25

File: contracts/AuraBalRewardPool.sol

/// @audit seen in /var/tmp/hh/contracts/ExtraRewardsDistributor.sol 
33:       IAuraLocker public immutable auraLocker;

/// @audit seen in /var/tmp/hh/contracts/AuraMerkleDrop.sol 
34:       address public immutable penaltyForwarder;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L33

File: contracts/AuraLocker.sol

/// @audit seen in /var/tmp/hh/contracts/AuraBalRewardPool.sol 
104:      IERC20 public immutable stakingToken;

/// @audit seen in /var/tmp/hh/contracts/AuraClaimZap.sol 
105:      address public immutable cvxCrv;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L104

File: contracts/AuraStakingProxy.sol

/// @audit seen in /var/tmp/hh/contracts/AuraClaimZap.sol 
38:       address public immutable crv;

/// @audit seen in /var/tmp/hh/contracts/AuraClaimZap.sol 
39:       address public immutable cvx;

/// @audit seen in /var/tmp/hh/contracts/AuraLocker.sol 
40:       address public immutable cvxCrv;

/// @audit seen in /var/tmp/hh/contracts/AuraLocker.sol 
45:       uint256 public constant denominator = 10000;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L38

File: contracts/AuraVestedEscrow.sol

/// @audit seen in /var/tmp/hh/contracts/AuraBalRewardPool.sol 
24:       IERC20 public immutable rewardToken;

/// @audit seen in /var/tmp/hh/contracts/AuraBalRewardPool.sol 
29:       uint256 public immutable startTime;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L24

File: convex-platform/contracts/contracts/ConvexMasterChef.sol

/// @audit seen in /var/tmp/hh/contracts/AuraStakingProxy.sol 
52:       IERC20 public immutable cvx;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ConvexMasterChef.sol#L52

File: convex-platform/contracts/contracts/RewardHook.sol

/// @audit seen in /var/tmp/hh/contracts/AuraVestedEscrow.sol 
25:       address public immutable rewardToken;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/RewardHook.sol#L25

File: convex-platform/contracts/contracts/PoolManagerV3.sol

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/PoolManagerProxy.sol 
18:       address public immutable pools;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/PoolManagerV3.sol#L18

File: convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/PoolManagerV3.sol 
19:       address public immutable gaugeController;

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/PoolManagerV3.sol 
20:       address public immutable pools;

/// @audit seen in /var/tmp/hh/contracts/ClaimFeesHelper.sol 
21:       address public immutable booster;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol#L19

File: convex-platform/contracts/contracts/TokenFactory.sol

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/StashFactoryV2.sol 
20:       address public immutable operator;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/TokenFactory.sol#L20

File: convex-platform/contracts/contracts/VoterProxy.sol

/// @audit seen in /var/tmp/hh/contracts/AuraStakingProxy.sol 
23:       address public immutable crv;

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/CrvDepositor.sol 
24:       address public immutable crvBpt;

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/CrvDepositor.sol 
26:       address public immutable escrow;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VoterProxy.sol#L23

File: convex-platform/contracts/contracts/BoosterOwner.sol

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol 
44:       address public immutable booster;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BoosterOwner.sol#L44

File: convex-platform/contracts/contracts/ExtraRewardStashV3.sol

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/VoterProxy.sol 
30:       address public immutable crv;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L30

File: convex-platform/contracts/contracts/BaseRewardPool.sol

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/RewardHook.sol 
63:       IERC20 public immutable rewardToken;

/// @audit seen in /var/tmp/hh/contracts/AuraLocker.sol 
64:       IERC20 public immutable stakingToken;

/// @audit seen in /var/tmp/hh/contracts/AuraBalRewardPool.sol 
65:       uint256 public constant duration = 7 days;

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/TokenFactory.sol 
67:       address public immutable operator;

/// @audit seen in /var/tmp/hh/contracts/AuraBalRewardPool.sol 
68:       address public immutable rewardManager;

/// @audit seen in /var/tmp/hh/contracts/AuraLocker.sol 
78:       uint256 public constant newRewardRatio = 830;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L63

File: convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/BaseRewardPool.sol 
84:       IERC20 public immutable rewardToken;

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/BaseRewardPool.sol 
85:       uint256 public constant duration = 7 days;

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/BaseRewardPool.sol 
87:       address public immutable operator;

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/BaseRewardPool.sol 
96:       uint256 public constant newRewardRatio = 830;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L84

File: convex-platform/contracts/contracts/Booster.sol

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/ExtraRewardStashV3.sol 
22:       address public immutable crv;

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/CrvDepositor.sol 
31:       uint256 public constant FEE_DENOMINATOR = 10000;

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/CrvDepositor.sol 
36:       address public immutable staker;

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/CrvDepositor.sol 
37:       address public immutable minter;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L22

File: convex-platform/contracts/contracts/RewardFactory.sol

/// @audit seen in /var/tmp/hh/convex-platform/contracts/contracts/Booster.sol 
25:       address public immutable crv;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/RewardFactory.sol#L25

16. Inconsistent spacing in comments

Some lines use // x and some use //x. The instances below point out the usages that don't follow the majority, within each file

There are 80 instances of this issue:

File: contracts/AuraClaimZap.sol

155:          // claim others/deposit/lock/stake

170:      // prettier-ignore

171:      function _claimExtras( // solhint-disable-line

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraClaimZap.sol#L155

File: contracts/ExtraRewardsDistributor.sol

19:       // token -> epoch -> amount

21:       // token -> epochList

23:       // token -> account -> last claimed epoch index

92:           // Pull before reward accrual

219:          // e.g. tokenEpochs = 31, 21

222:          // e.g. epochIndex = 0

224:          // e.g. epochIndex = 27 > 0 ? 27 : 0 = 27

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ExtraRewardsDistributor.sol#L19

File: contracts/AuraLocker.sol

61:           uint32 date; //epoch start date

214:      //set kick incentive

216:          require(_rate <= 500, "over max rate"); //max 5% per epoch

217:          require(_delay >= 2, "min delay"); //minimum 2 epochs of grace

224:      //shutdown the contract. unstake all tokens. release all locks

250:          //pull tokens

253:          //lock

257:      //lock tokens

264:          //must try check pointing epoch first

267:          //add user balances

271:          //add to total supplies

274:          //add user lock records or add to current

291:          //update epoch supply, epoch checkpointed above so safe to add to latest

325:      //insert a new epoch if needed. fill in any gaps

330:          //first epoch add in constructor, no need to check 0 length

331:          //check to add

333:              //fill any epoch gaps until the next epoch date.

347:          //allow kick after grace period of 'kickRewardEpochDelay'

390:              //if time is beyond last lock, can just bundle everything together

393:              //dont delete, just set next index

396:              //check for kick reward

397:              //this wont have the exact reward rate that you would get if looped through

398:              //but this section is supposed to be for quick and easy low gas processing of all locks

399:              //we'll assume that if the reward was good enough someone would have processed at an earlier epoch

407:              //use a processed index(nextUnlockIndex) to not loop as much

408:              //deleting does not change array length

411:                  //unlock time must be less or equal to time

414:                  //add to cumulative amounts

417:                  //check for kick reward

418:                  //each epoch over due increases reward

425:                  //set next unlock index

428:              //update next unlock index

433:          //update user balances and total supplies

437:          //checkpoint the delegatee

442:          //send process incentive

444:              //reduce return amount by the kick reward

447:              //transfer reward

452:          //relock or return to user

661:          //need to add up since the range could be in the middle somewhere

662:          //traverse inversely to make more current queries more gas efficient

666:              //lock epoch must be less or equal to the epoch we're basing from.

667:              //also not include the current epoch

672:                      //stop now as no futher checks matter

835:          //et = now - (finish-duration)

837:          //current at now: rewardRate * elapsedTime

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L61

File: contracts/AuraStakingProxy.sol

170:          // If keeper enabled, require

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L170

File: convex-platform/contracts/contracts/ConvexMasterChef.sol

51:       //cvx

201:          //cvx.mint(address(this), cvxReward);

229:          //extra rewards

252:          //extra rewards

273:          //extra rewards

291:          //extra rewards

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ConvexMasterChef.sol#L51

File: convex-platform/contracts/contracts/PoolManagerProxy.sol

52:       // sealed to be immutable

53:       // function revertControl() external{

54:       // }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/PoolManagerProxy.sol#L52

File: convex-platform/contracts/contracts/BoosterOwner.sol

193:      // --- Helper functions for other systems, could also just use execute() ---

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BoosterOwner.sol#L193

File: convex-platform/contracts/contracts/ExtraRewardStashV3.sol

138:      // (any new incentive that is not directly on curve gauges)

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L138

File: convex-platform/contracts/contracts/BaseRewardPool.sol

10:    _\ \ / // // _ \/ __// _ \/ -_)/ __// / \ \ /

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L10

File: convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol

10:    _\ \ / // // _ \/ __// _ \/ -_)/ __// / \ \ /

170:         // require(amount > 0, 'VirtualDepositRewardPool: Cannot stake 0');

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L10

File: convex-platform/contracts/contracts/Booster.sol

123:      /// SETTER SECTION ///

228:              // Distributed directly

301:      /// END SETTER SECTION ///

340:          //   voteproxy so it can grab the incentive tokens off the contract after claiming rewards

341:          //   reward factory so that stashes can make new extra reward contracts if a new incentive is added to the gauge

463:          // if shutdown tokens will be in this contract

594:              // LockIncentive = cvxCrv stakers (currently 10%)

596:              // StakerIncentive = cvx stakers (currently 5%)

598:              // CallIncentive = caller of this contract (currently 1%)

601:              // Treasury = vlCVX (currently 1%)

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L123

17. Non-library/interface files should use fixed compiler versions, not floating ones

There are 12 instances of this issue:

File: contracts/AuraClaimZap.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraClaimZap.sol#L2

File: contracts/AuraMinter.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMinter.sol#L2

File: contracts/ExtraRewardsDistributor.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ExtraRewardsDistributor.sol#L2

File: contracts/AuraMerkleDrop.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L2

File: contracts/AuraPenaltyForwarder.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraPenaltyForwarder.sol#L2

File: contracts/AuraBalRewardPool.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L2

File: contracts/AuraLocker.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L2

File: contracts/ClaimFeesHelper.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ClaimFeesHelper.sol#L2

File: contracts/Aura.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/Aura.sol#L2

File: contracts/AuraStakingProxy.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L2

File: contracts/AuraVestedEscrow.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L2

File: contracts/BalLiquidityProvider.sol

2:    pragma solidity ^0.8.11;

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/BalLiquidityProvider.sol#L2

18. Typos

There are 29 instances of this issue:

File: contracts/AuraClaimZap.sol

/// @audit crvCvx
121:       * @param depositCrvMaxAmount   The max amount of CRV to deposit if converting to crvCvx

/// @audit upto
195:          //lock upto given amount of crv and stake

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraClaimZap.sol#L121

File: contracts/ExtraRewardsDistributor.sol

/// @audit constructoor
33:        * @dev Simple constructoor

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ExtraRewardsDistributor.sol#L33

File: contracts/AuraBalRewardPool.sol

/// @audit constructoor
55:        * @dev Simple constructoor

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L55

File: contracts/AuraLocker.sol

/// @audit dont
393:              //dont delete, just set next index

/// @audit futher
672:                      //stop now as no futher checks matter

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L393

File: contracts/Aura.sol

/// @audit dont
95:               // dont error just return. if a shutdown happens, rewards on old system

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/Aura.sol#L95

File: contracts/AuraStakingProxy.sol

/// @audit convers
24:    * @notice  Receives CRV from the Booster as overall reward, then convers to cvxCRV and distributes to vlCVX holders.

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L24

File: contracts/AuraVestedEscrow.sol

/// @audit Arrary
94:        * @param _amount     Arrary of amount of rewardTokens to vest

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L94

File: convex-platform/contracts/contracts/ConvexMasterChef.sol

/// @audit muliplier
55:       // Bonus muliplier for early cvx makers.

/// @audit vairables
177:      // Update reward vairables for all pools. Be careful of gas spending!

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ConvexMasterChef.sol#L55

File: convex-platform/contracts/contracts/CrvDepositor.sol

/// @audit ammount
117:          //increase ammount

/// @audit isnt
163:       *         the cvx reward contract isnt costly to claim rewards.

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L117

File: convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol

/// @audit Executoor
32:        * @param _owner Executoor

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/PoolManagerSecondaryProxy.sol#L32

File: convex-platform/contracts/contracts/interfaces/IERC4626.sol

/// @audit redeemption
114:      /// the effects of their redeemption at the current block,

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/interfaces/IERC4626.sol#L114

File: convex-platform/contracts/contracts/ExtraRewardStashV3.sol

/// @audit Guage
19:    *            On the Curve Guage. This tells the Gauge where to send rewards. The Booster crafts the calldata for this

/// @audit dont
48:       //use mapping+array so that we dont have to loop check each time setToken is called

/// @audit Guage
92:        *          Guage rewards are sent directly to this stash even though the Curve method claim_rewards

/// @audit guages
93:        *          is being called by the VoterProxy. This is because Curves guages have the ability to redirect

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L19

File: convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol

/// @audit cxvCRV
78:    *          which tracks the virtual balance of cxvCRV stakers and distributes their share

/// @audit diributes
163:       *          actually hold any staked tokens it just diributes reward tokens

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L78

File: convex-platform/contracts/contracts/BaseRewardPool4626.sol

/// @audit redeemption
193:       * the effects of their redeemption at the current block,

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool4626.sol#L193

File: convex-platform/contracts/contracts/Booster.sol

/// @audit vcxCrv
215:       * @dev    This creates a secondary (VirtualRewardsPool) rewards contract for the vcxCrv staking contract

/// @audit ot
372:       * @notice Shuts down the WHOLE SYSTEM by withdrawing all the LP tokens ot here and then allowing

/// @audit seperate
411:          //some gauges claim rewards when depositing, stash them in a seperate contract until next claim

/// @audit seperate
468:          //some gauges claim rewards when withdrawing, stash them in a seperate contract until next claim

/// @audit Repsonsible
569:       *         Repsonsible for collecting the crv from gauge, and then redistributing to the correct place.

/// @audit Repsonsible
631:       *         Repsonsible for collecting the crv from gauge, and then redistributing to the correct place.

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L215

File: convex-platform/contracts/contracts/RewardFactory.sol

/// @audit guages
18:    *          - BaseRewardPool handles CRV rewards for guages

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/RewardFactory.sol#L18

19. File is missing NatSpec

There are 6 instances of this issue:

File: contracts/Interfaces.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/Interfaces.sol

File: convex-platform/contracts/contracts/Interfaces.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Interfaces.sol

File: convex-platform/contracts/contracts/interfaces/IGaugeController.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/interfaces/IGaugeController.sol

File: convex-platform/contracts/contracts/interfaces/IProxyFactory.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/interfaces/IProxyFactory.sol

File: convex-platform/contracts/contracts/interfaces/IRewardHook.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/interfaces/IRewardHook.sol

File: convex-platform/contracts/contracts/interfaces/IRewarder.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/interfaces/IRewarder.sol

20. NatSpec is incomplete

There are 21 instances of this issue:

File: contracts/ExtraRewardsDistributor.sol

/// @audit Missing: '@return'
185        * @param _token    Reward token address
186        */
187:      function claimableRewards(address _account, address _token) external view returns (uint256) {

/// @audit Missing: '@return'
196        * @param _epoch       The epoch to check for rewards
197        */
198       function claimableRewardsAtEpoch(
199           address _account,
200           address _token,
201           uint256 _epoch
202:      ) external view returns (uint256) {

/// @audit Missing: '@return'
211        * @param _startIndex  Index of rewardEpochs[_token] to start checking for rewards from
212        */
213       function _allClaimableRewards(
214           address _account,
215           address _token,
216           uint256 _startIndex
217:      ) internal view returns (uint256, uint256) {

/// @audit Missing: '@return'
248        * @param _epoch       The epoch to check for rewards
249        */
250       function _claimableRewards(
251           address _account,
252           address _token,
253           uint256 _epoch
254:      ) internal view returns (uint256) {

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ExtraRewardsDistributor.sol#L185-L187

File: contracts/AuraBalRewardPool.sol

/// @audit Missing: '@param _startDelay'
54        /**
55         * @dev Simple constructoor
56         * @param _stakingToken  Pool LP token
57         * @param _rewardToken   $AURA
58         * @param _rewardManager Depositor
59         * @param _auraLocker    $AURA lock contract
60         * @param _penaltyForwarder Address to which penalties are sent
61         */
62        constructor(
63            address _stakingToken,
64            address _rewardToken,
65            address _rewardManager,
66            address _auraLocker,
67            address _penaltyForwarder,
68:           uint256 _startDelay

/// @audit Missing: '@return'
174        * @param _lock Lock the rewards? If false, takes a 20% haircut
175        */
176:      function getReward(bool _lock) public updateReward(msg.sender) returns (bool) {

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L54-L68

File: contracts/AuraVestedEscrow.sol

/// @audit Missing: '@return'
136        * @param _recipient Recipient to lookup
137        */
138:      function available(address _recipient) public view returns (uint256) {

/// @audit Missing: '@return'
145        * @param _recipient Recipient to lookup
146        */
147:      function remaining(address _recipient) public view returns (uint256) {

/// @audit Missing: '@return'
155        * @param _time       Timestamp to check vesting amount for
156        */
157:      function _totalVestedOf(address _recipient, uint256 _time) internal view returns (uint256 total) {

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L136-L138

File: convex-platform/contracts/contracts/CrvDepositor.sol

/// @audit Missing: '@param _daoOperator'
41        /**
42         * @param _staker   CVX VoterProxy (0x989AEb4d175e16225E39E87d0D97A3360524AD80)
43         * @param _minter   cvxCRV token (0x62B9c7356A2Dc64a1969e19C23e4f579F9810Aa7)
44         * @param _crvBpt   crvBPT for veCRV deposits
45         * @param _escrow   CRV VotingEscrow (0x5f3b5DfEb7B28CDbD7FAba78963EE202a494e2A2)
46         */
47        constructor(
48            address _staker,
49            address _minter,
50            address _crvBpt,
51            address _escrow,
52:           address _daoOperator

/// @audit Missing: '@param to'
159       /**
160        * @notice Deposit crvBpt for cvxCrv
161        * @dev    Can locking immediately or defer locking to someone else by paying a fee.
162        *         while users can choose to lock or defer, this is mostly in place so that
163        *         the cvx reward contract isnt costly to claim rewards.
164        * @param _amount        Units of CRV to deposit
165        * @param _lock          Lock now? or pay ~1% to the locker
166        * @param _stakeAddress  Stake in cvxCrv staking?
167        */
168:      function depositFor(address to, uint256 _amount, bool _lock, address _stakeAddress) public {

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L41-L52

File: convex-platform/contracts/contracts/VoterProxy.sol

/// @audit Missing: '@return'
92         * @param _mintr Token minter address for claiming rewards
93         */
94:       function setSystemConfig(address _gaugeController, address _mintr) external returns (bool) {

/// @audit Missing: '@param bytes'
143       /**
144        * @notice  Verifies that the hash is valid
145        * @dev     Snapshot Hub will call this function when a vote is submitted using
146        *          snapshot.js on behalf of this contract. Snapshot Hub will call this
147        *          function with the hash and the signature of the vote that was cast.
148        * @param _hash Hash of the message that was sent to Snapshot Hub to cast a vote
149        * @return EIP1271 magic value if the signature is value 
150        */
151:      function isValidSignature(bytes32 _hash, bytes memory) public view returns (bytes4) {

/// @audit Missing: '@return'
164        * @param _gauge  Gauge contract to deposit to 
165        */ 
166:      function deposit(address _token, address _gauge) external returns(bool){

/// @audit Missing: '@return'
204        * @param _amount   Amount of LP token to withdraw
205        */
206:      function withdraw(address _token, address _gauge, uint256 _amount) public returns(bool){

/// @audit Missing: '@return'
221        * @param _gauge  Gauge for this LP token
222        */
223:      function withdrawAll(address _token, address _gauge) external returns(bool){

/// @audit Missing: '@return'
240        * @param _unlockTime Timestamp to unlock (max is 4 years)
241        */
242:      function createLock(uint256 _value, uint256 _unlockTime) external returns(bool){

/// @audit Missing: '@return'
263        * @param _value Timestamp to increase locking to
264        */
265:      function increaseTime(uint256 _value) external returns(bool){

/// @audit Missing: '@return'
331        * @param _token            LP token to claim fees for
332        */
333:      function claimFees(address _distroContract, address _token) external returns (uint256){

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VoterProxy.sol#L92-L94

File: convex-platform/contracts/contracts/BoosterOwner.sol

/// @audit Missing: '@param _seal'
62        /**
63         * @param _owner         Owner (e.g. CVX multisig)
64         * @param _poolManager   PoolManager (e.g. PoolManagerSecondaryProxy or 0xD20904e5916113D11414F083229e9C8C6F91D1e1)
65         * @param _booster       The booster (e.g. 0xF403C135812408BFbE8713b5A23a04b3D48AAE31)
66         * @param _stashFactory  Creates stashes (e.g. 0x884da067B66677e72530df91eabb6e3CE69c2bE4)
67         * @param _rescueStash   Rescues tokens for subsequent vlCVX redistribution (e.g. 0x01140351069af98416cC08b16424b9E765436531)
68         */
69        constructor(
70            address _owner,
71            address _poolManager,
72            address _booster,
73            address _stashFactory,
74            address _rescueStash,
75:           bool _seal

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BoosterOwner.sol#L62-L75

File: convex-platform/contracts/contracts/BaseRewardPool.sol

/// @audit Missing: '@return'
283        * @param _claimExtras Get the child rewards too?
284        */
285:      function getReward(address _account, bool _claimExtras) public updateReward(_account) returns(bool){

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L283-L285

21. Event is missing indexed fields

Each event should use three indexed fields if there are three or more fields

There are 66 instances of this issue:

File: contracts/ExtraRewardsDistributor.sol

28:       event RewardAdded(address indexed token, uint256 indexed epoch, uint256 reward);

29:       event RewardPaid(address indexed user, address indexed token, uint256 reward, uint256 index);

30:       event RewardForfeited(address indexed user, address indexed token, uint256 index);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ExtraRewardsDistributor.sol#L28

File: contracts/AuraMerkleDrop.sol

36:       event DaoSet(address newDao);

37:       event RootSet(bytes32 newRoot);

39:       event ExpiredWithdrawn(uint256 amount);

40:       event LockerSet(address newLocker);

41:       event Claimed(address addr, uint256 amt, bool locked);

42:       event PenaltyForwarded(uint256 amount);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L36

File: contracts/AuraPenaltyForwarder.sol

22:       event Forwarded(uint256 amount);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraPenaltyForwarder.sol#L22

File: contracts/AuraBalRewardPool.sol

48:       event RewardAdded(uint256 reward);

49:       event Staked(address indexed user, uint256 amount);

50:       event Withdrawn(address indexed user, uint256 amount);

51:       event RewardPaid(address indexed user, uint256 reward, bool locked);

52:       event PenaltyForwarded(uint256 amount);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L48

File: contracts/AuraLocker.sol

126:      event Recovered(address _token, uint256 _amount);

127:      event RewardPaid(address indexed _user, address indexed _rewardsToken, uint256 _reward);

128:      event Staked(address indexed _user, uint256 _paidAmount, uint256 _lockedAmount);

129:      event Withdrawn(address indexed _user, uint256 _amount, bool _relocked);

130:      event KickReward(address indexed _user, address indexed _kicked, uint256 _reward);

131:      event RewardAdded(address indexed _token, uint256 _reward);

133:      event KickIncentiveSet(uint256 rate, uint256 delay);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L126

File: contracts/AuraStakingProxy.sol

53:       event RewardsDistributed(address indexed token, uint256 amount);

54:       event CallIncentiveChanged(uint256 incentive);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L53

File: contracts/AuraVestedEscrow.sol

38:       event Funded(address indexed recipient, uint256 reward);

40:       event Claim(address indexed user, uint256 amount, bool locked);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L38

File: contracts/BalLiquidityProvider.sol

24:       event LiquidityProvided(uint256[] input, uint256 output);

25:       event MinPairAmountChanged(uint256 oldMinPairAmount, uint256 newMinPairAmount);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/BalLiquidityProvider.sol#L24

File: convex-platform/contracts/contracts/ConvexMasterChef.sol

69:       event Deposit(address indexed user, uint256 indexed pid, uint256 amount);

70:       event Withdraw(address indexed user, uint256 indexed pid, uint256 amount);

71:       event RewardPaid(address indexed user,  uint256 indexed pid, uint256 amount);

72        event EmergencyWithdraw(
73            address indexed user,
74            uint256 indexed pid,
75            uint256 amount
76:       );

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ConvexMasterChef.sol#L69

File: convex-platform/contracts/contracts/StashFactoryV2.sol

31:       event StashCreated(address stash, uint256 stashVersion);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/StashFactoryV2.sol#L31

File: convex-platform/contracts/contracts/TokenFactory.sol

24:       event DepositTokenCreated(address token, address lpToken);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/TokenFactory.sol#L24

File: convex-platform/contracts/contracts/VoterProxy.sol

41:       event VoteSet(bytes32 hash, bool valid);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VoterProxy.sol#L41

File: convex-platform/contracts/contracts/BoosterOwner.sol

56:       event ShutdownStarted(uint256 executableTimestamp);

58:       event TransferOwnership(address pendingOwner);

59:       event AcceptedOwnership(address newOwner);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BoosterOwner.sol#L56

File: convex-platform/contracts/contracts/interfaces/IERC4626.sol

15        event Deposit(
16            address indexed sender,
17            address indexed receiver,
18            uint256 assets,
19            uint256 shares
20:       );

24        event Withdraw(
25            address indexed sender,
26            address indexed receiver,
27            uint256 assets,
28            uint256 shares
29:       );

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/interfaces/IERC4626.sol#L15-L20

File: convex-platform/contracts/contracts/BaseRewardPool.sol

86:       event RewardAdded(uint256 reward);

87:       event Staked(address indexed user, uint256 amount);

88:       event Withdrawn(address indexed user, uint256 amount);

89:       event RewardPaid(address indexed user, uint256 reward);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L86

File: convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol

100:      event RewardAdded(uint256 reward);

101:      event Staked(address indexed user, uint256 amount);

102:      event Withdrawn(address indexed user, uint256 amount);

103:      event RewardPaid(address indexed user, uint256 reward);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L100

File: convex-platform/contracts/contracts/Booster.sol

69:       event Deposited(address indexed user, uint256 indexed poolid, uint256 amount);

70:       event Withdrawn(address indexed user, uint256 indexed poolid, uint256 amount);

72:       event PoolAdded(address lpToken, address gauge, address token, address rewardPool, address stash, uint256 pid);

73:       event PoolShutdown(uint256 poolId);

75:       event OwnerUpdated(address newOwner);

76:       event FeeManagerUpdated(address newFeeManager);

77:       event PoolManagerUpdated(address newPoolManager);

78:       event FactoriesUpdated(address rewardFactory, address stashFactory, address tokenFactory);

79:       event ArbitratorUpdated(address newArbitrator);

80:       event VoteDelegateUpdated(address newVoteDelegate);

81:       event RewardContractsUpdated(address lockRewards, address stakerRewards);

82:       event FeesUpdated(uint256 lockIncentive, uint256 stakerIncentive, uint256 earmarkIncentive, uint256 platformFee);

83:       event TreasuryUpdated(address newTreasury);

84:       event FeeInfoUpdated(address feeDistro, address lockFees, address feeToken);

85:       event FeeInfoChanged(address feeDistro, bool active);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L69

File: convex-platform/contracts/contracts/RewardFactory.sol

31:       event RewardPoolCreated(address rewardPool, uint256 _pid, address depositToken);

32:       event TokenRewardPoolCreated(address rewardPool, address token, address mainRewards, address operator);

34:       event AccessChanged(address stash, bool hasAccess);

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/RewardFactory.sol#L31
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels May 23, 2022
code423n4 added a commit that referenced this issue May 23, 2022
@code423n4
IllIllI issue #173
ab85608
@itsmetechjay
Copy link
Contributor

Warden created this issue as a placeholder because their submission was too large for the contest form. They then emailed their md file to our team on 05/23/2022 at 4:17 AM central time. I've updated this issue with their md file content.

@0xMaharishi 0xMaharishi added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label May 26, 2022
This was referenced Jul 8, 2022
Closed
Closed
@liveactionllama
Copy link
Contributor

Per discussion with @dmvt (judge), they agree with the risk ratings listed by the warden in this submission.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@code423n4 @itsmetechjay @0xMaharishi @liveactionllama