Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

QA Report #47

Open
code423n4 opened this issue May 15, 2022 · 1 comment
Open

QA Report #47

code423n4 opened this issue May 15, 2022 · 1 comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/Aura.sol#L61

Function init: Add a check to see if _to address is not address(0)

require(_to!=address(0),"Incorrect address");

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/Aura.sol#L128

Function minterMint: Add a check to see if _to address is not address(0)

require(_to!=address(0),"Incorrect address");

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L74

Constructor: Add a check to see if penaltyForwarder is not address(0). This is important address getting all penalty fees and should be validated using

require(penaltyForwarder!=address(0),"Invalid address");

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraMerkleDrop.sol#L53

Constructor: Add a check to see if penaltyForwarder is not address(0). I understand that a check exists in forwardPenalty for address(0) but that would deem useless because if by mistake penaltyForwarder is set to address(0) in constructor then there is no way to change it and penalty will remain stuck in contract

require(penaltyForwarder!=address(0),"Invalid address");

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraMerkleDrop.sol#L90

Function startEarly: Add a new check to see if startTime is correct or not

require(startTime<expiryTime);

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraVestedEscrow.sol#L96

Function fund: _recipient.length must always be equal to _amount.length. Check for same is missing in the function

require(_recipient.length==_amount.length, "Incorrect params");

https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraStakingProxy.sol#L129

Function setCallIncentive: require statement is incorrect since _incentive cannot be 100. If it becomes 100 then distributeOther function will always fail since callIncentive=bal which means AuraStakingProxy.sol#L219 will call notifyRewardAmount with bal-callIncentive=0 amount which will fail since AuraLocker.sol#L851 checks for amount>0. This also holds true for distribute which will also fail for same reasons

https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VoterProxy.sol#L242

Function createLock: It is mentioned in comment that _unlockTime should be max 4 years but there is no check to validate the same. Same issue goes with function increaseTime

@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels May 15, 2022
code423n4 added a commit that referenced this issue May 15, 2022
@0xMaharishi 0xMaharishi added invalid This doesn't seem right sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue labels May 25, 2022
@0xMaharishi
Copy link

these are pretty low quality reports here

@dmvt dmvt removed the invalid This doesn't seem right label Jul 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Development

No branches or pull requests

3 participants