QA Report #183
Report
Low
L-01: use two-step process for critical address changes
Consider using a two-step process for transferring the ownership of a contract. While it costs a little more gas, it's safer than transferring directly.
Here's an example from the Compound Timelock contract: https://github.com/compound-finance/compound-protocol/blob/master/contracts/Timelock.sol#L45-L58
You're already using it in the BoosterOwner contract.
Relevant code sections:
L-02: set the inflation protection limitation in the Aura token contract directly
Currently, the Aura token has no limitations when it comes to minting. The address designated as minter can mint as many tokens as they want.
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/Aura.sol#L128-L132
But, the protocol wants to limit minting for the first four years. That limit is set in the AuraMinter contract:
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraMinter.sol#L31-L34
Instead, you should implement the limit in the Aura contract. The minter shouldn't be the one responsible for enforcing the limitation. It's the token contract's job.
Then you can also just throw out the AuraMinter contract. It wouldn't really be necessary. As long as the limitation is implemented in the Aura contract, any address can be the minter.
Non-Critical
N-01: emit events when changing a contract's configuration
There are multiple configuration functions that don't emit an event.
Relevant code: