QA Report #47
Labels:
bug: Something isn't working
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/Aura.sol#L61
Function init: Add a check to see if _to address is not address(0)
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/Aura.sol#L128
Function minterMint: Add a check to see if _to address is not address(0)
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraBalRewardPool.sol#L74
Constructor: Add a check to see if penaltyForwarder is not address(0). This is an important address getting all penalty fees and should be validated using
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraMerkleDrop.sol#L53
Constructor: Add a check to see if penaltyForwarder is not address(0). I understand that a check exists in forwardPenalty for address(0), but that would be useless, because if penaltyForwarder is set to address(0) in the constructor by mistake, there is no way to change it and the penalty will remain stuck in the contract.
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraMerkleDrop.sol#L90
Function startEarly: Add a new check to see if startTime is correct or not
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraVestedEscrow.sol#L96
Function fund: _recipient.length must always be equal to _amount.length. A check for this is missing in the function.
https://github.com/code-423n4/2022-05-aura/blob/main/contracts/AuraStakingProxy.sol#L129
Function setCallIncentive: The require statement is incorrect, since _incentive cannot be 100. If it becomes 100, then the distributeOther function will always fail, since callIncentive=bal, which means AuraStakingProxy.sol#L219 will call notifyRewardAmount with an amount of bal-callIncentive=0, which will fail since AuraLocker.sol#L851 checks for amount>0. This also holds true for distribute, which will also fail for the same reasons.
https://github.com/code-423n4/2022-05-aura/blob/main/convex-platform/contracts/contracts/VoterProxy.sol#L242
Function createLock: The comment mentions that _unlockTime should be at most 4 years, but there is no check to validate this. The same issue applies to the function increaseTime.
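Added example (not code from the Aura repository or from the report's author): a hypothetical Solidity contract showing the constructor zero-address check for an immutable penalty recipient and the array-length check in `fund` that the report recommends. The contract name, the minimal token interface, the `locked` mapping, `withdrawEarly` and the 20% penalty are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;
// Added illustration: hypothetical contract, not code from the Aura repository.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
contract ValidatedEscrowSketch {
    IERC20Minimal public immutable token;
    // Immutable: a wrong constructor argument cannot be corrected after deployment.
    address public immutable penaltyForwarder;
    uint256 public pendingPenalty;
    mapping(address => uint256) public locked;

    constructor(address _token, address _penaltyForwarder) {
        // Fail at deployment rather than when penalties are already waiting.
        require(_penaltyForwarder != address(0), "forwarder is zero");
        token = IERC20Minimal(_token);
        penaltyForwarder = _penaltyForwarder;
    }

    function fund(address[] calldata _recipient, uint256[] calldata _amount) external {
        // Unchecked, extra _amount entries are ignored silently and extra
        // _recipient entries revert with an opaque out-of-bounds panic.
        require(_recipient.length == _amount.length, "length mismatch");
        uint256 total;
        for (uint256 i = 0; i < _recipient.length; i++) {
            require(_recipient[i] != address(0), "recipient is zero");
            locked[_recipient[i]] += _amount[i];
            total += _amount[i];
        }
        require(token.transferFrom(msg.sender, address(this), total), "funding failed");
    }

    // Early exit keeps a constructed 20% penalty for the forwarder.
    function withdrawEarly() external {
        uint256 amount = locked[msg.sender];
        locked[msg.sender] = 0;
        uint256 penalty = amount / 5;
        pendingPenalty += penalty;
        require(token.transfer(msg.sender, amount - penalty), "payout failed");
    }

    function forwardPenalty() external {
        uint256 amount = pendingPenalty;
        pendingPenalty = 0;
        require(token.transfer(penaltyForwarder, amount), "forward failed");
    }
}
```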