QA Report #159
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
resolved
Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
The functions below have an external call which can allow user to reenter into the function. Although reentering the function would cause harm to the caller than good.
**Occurrences in:
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L130-L134
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L108-L111
Certain events and emits are necessary for core changes and admin/critical activities to allow monitoring on third party tools. The following below are missing;
**Occurrences in:
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L68
https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L74
https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/Minter.sol#L99
3.. Missing zero address check
The following are missing checks for existence of zero address which may lead to transfers to zero address or causing some functions to no longer be accessible.
**Occurrences in:
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L124
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L56
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/AmmGauge.sol#L103
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/BkdLocker.sol#L70
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/FeeBurner.sol#L31
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/FeeBurner.sol#L31
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/StakerVault.sol#L111
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/StakerVault.sol#L139
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/StakerVault.sol#L359
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/Minter.sol#L126
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/Minter.sol#L144
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L65
The OpenZeppelin ERC20 SafeApprove() function has been deprecated, replace safeApprove() with safeIncreaseAllowance() or safeDecreaseAllowance() instead.
**Occurrences in:
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L52
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L64
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/FeeBurner.sol#L118
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/zaps/PoolMigrationZap.sol#L27
Maximum approvals are widely considered as unsafe if the approved contract becomes compromised/malicious.
**Occurrences in:
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L64
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/FeeBurner.sol#L118
6.. Costly external calls in a loop
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/Controller.sol#L127
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L44
*https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L44
https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/FeeBurner.sol#L70
https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L99
https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L102
https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/VestedEscrow.sol#L25
The text was updated successfully, but these errors were encountered: