Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #155

Open
code423n4 opened this issue Jun 3, 2022 · 2 comments
Open

QA Report #155

code423n4 opened this issue Jun 3, 2022 · 2 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

1. AddressProvider.sol does not have a getSwapperRouter function

Line References

FeeBurner.sol#L126

AddressProvider.sol

Impact

In FeeBurner.sol, the _swapperRouter function gets the swapper router from the address provider. The AddressProvider.sol and IAddressProvider.sol contracts do not seem to have a getSwapperRouter function. If the _addressProvider in FeeBurner.sol is the AddressProvider.sol contract or implements IAddressProvider.sol then FeeBurner.sol would not function correctly or at all.

Proof of concept

The _swapperRouter function is called in the burnToTarget function which should then revert thus making burnToTarget uncallable.

Recommended Mitigation Steps

Add the getSwapperRouter function in the AddressProvider.sol and IAddressProvider.sol contracts.

2. Incompatibility with deflationary/rebase/fee-on-transfer tokens in FeeBurner.sol

Line References

FeeBurner.sol#L85

Impact

In the burnToTarget function of FeeBurner.sol, if the tokens being transferred are tokens whose balances change during a transfer such as deflationary and fee-on-transfer tokens, then the swap could fail since the swap input amount might be larger than the actual amount of tokens received in FeeBurner.sol.

Recommended Mitigation Steps

When tokens are transferred to the contract, check the balance of the contract before and after the transfer. Use the difference in the balances as the input amount for the swap call.

3. Return value for mint is not checked in InflationManager.sol

Line References

InflationManager.sol#L81

Minter.sol#L126-L135

Impact

In Minter.sol, if inflation has not started and lastEvent == 0 then the mint function will return false. In InflationManager.sol, the mintRewards function does not check the return value for the mint call. When mintRewards is called by a gauge and fails, the transaction does not revert.

Proof of Concept

When calling claimRewards in AmmGauge.sol, the call to mintRewards does not revert if minting has failed and the user loses their rewards.

    function claimRewards(address beneficiary) external virtual override returns (uint256) {
        require(
            msg.sender == beneficiary || _roleManager().hasRole(Roles.GAUGE_ZAP, msg.sender),
            Error.UNAUTHORIZED_ACCESS
        );
        _userCheckpoint(beneficiary);
        uint256 amount = perUserShare[beneficiary];
        if (amount <= 0) return 0;
        perUserShare[beneficiary] = 0;
        controller.inflationManager().mintRewards(beneficiary, amount);
        emit RewardClaimed(beneficiary, amount);
        return amount;
    }

The KeeperGauge.sol and LpGauge.sol contracts would fail in a similar way in addition to any other gauges that call mintRewards.

Recommended Mitigation Steps

Consider either returning a bool value for the mintRewards function in InflationManager.sol and check the return value in the gauges or insert the mint call in a require,

require(Minter(minter).mint(beneficiary, amount))
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Jun 3, 2022
code423n4 added a commit that referenced this issue Jun 3, 2022
@code423n4
dipp issue #155
b17eaab
@chase-manning chase-manning added sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) labels Jun 6, 2022
@GalloDaSballo
Copy link
Collaborator

1. AddressProvider.sol does not have a getSwapperRouter function

Great find!!

## 2. Incompatibility with deflationary/rebase/fee-on-transfer tokens in FeeBurner.sol
Agree as non-critical

3. Return value for mint is not checked in InflationManager.sol

Great find!

The findings in this report are very unique, good job!

@GalloDaSballo
Copy link
Collaborator

Actually after re-review finding 3 is not valid as _mint always returns true or reverts

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GalloDaSballo @chase-manning @code423n4