QA Report #287
QA
Grammatical Errors
Aura.sol
Correct to ‘distributed’.
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/Aura.sol#L18
AuraLocker.sol
Should be ‘Individual’ :
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L22
‘contain’ instead of ‘contains’ :
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L88
AuraMath.sol
Remove ‘of’:
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMath.sol#L5
ExtraRewardsDistributor.sol
Remove ‘π’:
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ExtraRewardsDistributor.sol#L45
AuraStakingProxy.sol
Correct ‘convers’ to ‘converts it to and distributes it to ’:
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L24
AuraVestedEscrow.sol
Correct ‘Arrary’ :
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L94
CrvDepositor.sol
Correct to ‘staker’:
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L14
Correct to ‘lock’ instead of ‘locking’ :
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L161
“For” not “fro” :
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ArbitartorVault.sol#L13
Change incorrect spelling to ‘Separate’ :
BaseRewardPool.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L57
Booster.sol
“of a sender’s”
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L436
“Separate”
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L468
Use an apostrophe for “sender's” or “senders’ “ :
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L491
ExtraRewardStashV3.sol
Correct to ’gauges’
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L93
‘distributes’:
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L163
NatSpec tag missing
AuraBalRewardPool.sol
Missing @param tag for _startDelay:
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L61
CrvDepositor.sol
Missing @param tag for to:
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L168
Constants should follow style guide
Every letter in the variable name should be capitalised, and underscores should be used to separate words.
AuraBalRewardPool.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L29
AuraLocker.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L73
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L81-L83
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L107
AuraStakingProxy.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L45
CrvDepositor.sol
There are two separate words in MAXTIME (short for Maximum Time). Therefore, use an underscore to delineate the words.
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L26
BaseRewardPool.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L65
Booster.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L30
ExtraRewardStashV3.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L31
StashFactoryV2.sol
https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/StashFactoryV2.sol#L19-L21
VirtualBalanceRewardPool.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L85
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L96
Use mixedCase for Immutable state variables
It is recommended that uppercase, or uppercase with underscores, is used for constants:
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/CrvDepositorWrapper.sol#L26-L30
Most, if not all, of the other contracts make use of mixedCase. So, it will be more uniform if its usage is continued.
State Variables are already their default types
No need to assign them.
AuraBalRewardPool.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L35
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L38-L39
AuraLocker.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L72
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L114
AuraMerkleDrop.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L29
ExtraRewardsDistributor.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ExtraRewardsDistributor.sol#L231
AuraVestedEscrow.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L33
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L99
CrvDepositor.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L36
BaseRewardPool.sol
https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L71-L72
https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L75-L77
Booster.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L29
VirtualBalanceRewardPool
https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L89-L90
https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L93-L95
VoterProxy.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VoterProxy.sol#L308
Comment doesn't reflect the code
change to ‘rewardToken’
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L203
Function names should be unambiguous
The comment for approveRewardDistributor() clearly states that the function should modify approvals for a distributor, i.e. revoke or give permission to an address to distribute rewards, but the function name suggests a one-sided role. Therefore, change the name to reflect the function's dual role.
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L204
Also, consider emitting an event to alert relevant parties when a distributor is approved or disapproved.
Check whether the old address is the same as the new address
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L79
Cache the old address in a local variable and either use:
    if (oldDao != _newDao) {
        dao = _newDao;
    }
Apply the same changes to the following contracts with modification to variable names for the aforementioned functions :
AuraMerkleDrop.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L106
AuraStakingProxy.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L92
and consider emitting an event when the crvDepositorWrapper is changed.
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L139
Also, it is recommended to emit an event for this function as well.
AuraVestedEscrow.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L79
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L88
Array Length should match
If there's a missing amount for a recipient address, the mapping will not contain the amount attributable to the address nor will it be added to the totalAmount :
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraVestedEscrow.sol#L103-L104
And therefore less will be sent to the AuraVestedEscrow contract if there's a non-zero value but it was not added to the array:
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L108
Use require(_recipients.length == _amount.length, "mismatch") prior to the loop.
Similar case for distribute()
ArbitratorVault.sol
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ArbitartorVault.sol#L46
Crv balance locked for staker can be unlocked sooner
Due to an incorrect value set :
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L26
The balance will be unlocked a day earlier than it should actually be. MAXTIME is calculated using 364 days, instead of 365 days which is standard for a year.
This value is used to calculate unlockAt, which is subsequently stored in the state variable unlockTime.
initialiseLock() and lockCurve() rely on this value. It would be imperative that the unlock time is calculated properly, as the intent is for the lock period to be a year.
A similar finding was mentioned here
code-423n4/2022-03-paladin-findings#4
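
The "Check whether the old address is the same as the new address" and "Array Length should match" items above, combined in one added sketch. This is not code from the Aura repository: the contract name, events, state variables and the "!auth" string are hypothetical, and the token transfer a real escrow performs is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;

/// Added illustration only; every name here is hypothetical.
contract EscrowSketch {
    address public admin;
    uint256 public totalFunded;
    mapping(address => uint256) public totalLocked;

    event AdminChanged(address indexed oldAdmin, address indexed newAdmin);
    event Funded(address indexed recipient, uint256 amount);

    constructor() {
        admin = msg.sender;
    }

    /// Setter that skips the storage write and the event when nothing changes,
    /// so off-chain monitors only see real changes of the privileged address.
    function setAdmin(address _newAdmin) external {
        require(msg.sender == admin, "!auth");
        address oldAdmin = admin; // cache the storage read
        if (oldAdmin != _newAdmin) {
            admin = _newAdmin;
            emit AdminChanged(oldAdmin, _newAdmin);
        }
    }

    /// Batch funding with the length check placed before the loop.
    /// Without it, a shorter _amount array reverts with an out-of-bounds
    /// panic instead of a readable error, and a longer one has its extra
    /// entries silently ignored.
    function fund(address[] calldata _recipients, uint256[] calldata _amount) external {
        require(msg.sender == admin, "!auth");
        require(_recipients.length == _amount.length, "mismatch");

        uint256 sum = 0;
        for (uint256 i = 0; i < _recipients.length; i++) {
            totalLocked[_recipients[i]] += _amount[i];
            sum += _amount[i];
            emit Funded(_recipients[i], _amount[i]);
        }
        // A real escrow would pull `sum` tokens from the caller at this point.
        totalFunded += sum;
    }
}
```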