Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

QA Report #287

Open
code423n4 opened this issue May 25, 2022 · 0 comments
Open

QA Report #287

code423n4 opened this issue May 25, 2022 · 0 comments
Labels
bug Something isn't working duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

QA

Grammatical Errors

Aura.sol

Correct to ‘distributed’.

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/Aura.sol#L18

AuraLocker.sol

Should be ‘Individual’ :

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L22

‘contain’ instead of ‘contains’ :

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L88

AuraMath.sol

Remove ‘of’:

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMath.sol#L5

ExtraRewardsDistributor.sol

Remove ‘π’:

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ExtraRewardsDistributor.sol#L45

AuraStakingProxy.sol

Correct ‘convers’ to ‘converts it to and distributes it to ’:

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L24

AuraVestedEscrow.sol

Correct ‘Arrary’ :

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L94

CrvDepositor.sol

Correct to ‘staker’:

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L14

Correct to ‘lock’ instead of ‘locking’ :

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L161

“For” not “fro” :

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ArbitartorVault.sol#L13

Change incorrect spelling to ‘Separate’ :

BaseRewardPool.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L57

Booster.sol

“of a sender’s”

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L436

“Separate”

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L468

Use an apostrophe for “sender's” or “senders’ “ :

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L491

ExtraRewardStashV3.sol

Correct to ’gauges’

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L93

‘distributes’:

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L163

NatSpec tag missing

AuraBalRewardPool.sol

Missing @param tag for _startDelay:

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L61

CrvDepositor.sol

‘ ‘ @param tag for to:

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L168

Constants should follow style guide

Every letter in the variable name should be capitalised and or underscores used to separate words.

AuraBalRewardPool.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L29

AuraLocker.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L73

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraLocker.sol#L81-L83

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L107

AuraStakingProxy.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L45

CrvDepositor.sol

There are two separate words in MAXTIME(short for Maximum Time). Therefore, use an underscore to delineate the words.

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L26

BaseRewardPool.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L65

Booster.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L30

ExtraRewardStashV3.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ExtraRewardStashV3.sol#L31

StashFactoryV2.sol

https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/StashFactoryV2.sol#L19-L21

VirtualBalanceRewardPool.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L85

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L96

Use mixedCase for Immutable state variables

It is recommended that the uppercase or uppercase with underscores is used for constants :

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/CrvDepositorWrapper.sol#L26-L30

Most, if not all the other contracts, make use of the mixedCase.So,it will be more uniformed if its usage is continued.

State Variables are already their default types

No need to assign them.

AuraBalRewardPool.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L35

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L38-L39

AuraLocker.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L72

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L114

AuraMerkleDrop.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L29

ExtraRewardsDistributor.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/ExtraRewardsDistributor.sol#L231

AuraVestedEscrow.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L33

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L99

CrvDepositor.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L36

BaseRewardPool.sol

https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L71-L72

https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/BaseRewardPool.sol#L75-L77

Booster.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/Booster.sol#L29

VirtualBalanceRewardPool

https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L89-L90

https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L93-L95

VoterProxy.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VoterProxy.sol#L308

Comment doesn't reflect the code

change to ‘rewardToken’

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L203

Function names should be unambiguous

The comment for approveRewardDistributor() clearly states that the mentioned function should modify approvals for a distributor, ie revoke or give permission to an address to distribute rewards but the function name demonstrates a one sided role.Therefore change the name to reflect the function's dual role.

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L204

Also, consider emitting an event to alert relevant parties when a distributor is approved or disapproved.

Check whether the old address is the same as the new address

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L79

cache old address in a local variable and either use :

if(oldDao≠_newDao) {

dao=_newDao;

}

Apply the same changes to the following contracts with modification to variable names for the aforementioned functions :

AuraMerkleDrop.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraMerkleDrop.sol#L106

AuraStakingProxy.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L92

and consider emitting an event when the crvDepositorWrapper is changed.

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraStakingProxy.sol#L139

also, it is recommended to emit an event for this function as well.

AuraVestedEscrow.sol

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L79

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L88

Array Length should match

If there's a missing amount for a recipient address, the mapping will not contain the amount attributable to the address nor will it be added to the totalAmount :

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraVestedEscrow.sol#L103-L104

And therefore less will be sent to the AuraVestedEscrow contract if there's a non-zero value but it was not added to the array:

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraVestedEscrow.sol#L108

Use require(_recipients.length==_amount.length,”mismatch”) prior to the loop.

Similar case for distribute ()

ArbitratorVault.sol

[https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ArbitartorVault.sol#L46

Crv balance locked for staker can be unlocked sooner

Due to an incorrect value set :
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L26

The balance will be unlocked a day earlier than it should actually be. MAXTIME is calculated using 364 days, instead of 365 days which is standard for a year.

This value is used to calculate unlock At which is subsequently stored in the state variable unlockTime.
initialiseLock() and lockCurve() relies on this value. It would be imperative that the unlock time is calculated properly, as the intent is for the lock period to be a year.

A similar finding was mentioned here

code-423n4/2022-03-paladin-findings#4

@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels May 25, 2022
code423n4 added a commit that referenced this issue May 25, 2022
@0xMaharishi 0xMaharishi added the duplicate This issue or pull request already exists label May 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Development

No branches or pull requests

2 participants