Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

QA Report #45

Open
code423n4 opened this issue Jun 2, 2022 · 1 comment
Open

QA Report #45

code423n4 opened this issue Jun 2, 2022 · 1 comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Report

Low

L-01: use two-step process for critical address changes

Consider using a two-step process for transferring the ownership of a contract. While it costs a little more gas, it's safer than transferring directly.

Here's an example from the Compound Timelock contract: https://github.com/compound-finance/compound-protocol/blob/master/contracts/Timelock.sol#L45-L58

Relevant code sections:

Non-Critical

N-01: emit an event when changing the configuration of a contract

There are multiple configuration functions that don't emit an event.

Relevant code:

There're probably a couple more that I missed

N-02: AmmGauge doesn't use correct value for staking/unstaking events

The functions verify the number of tokens that were transferred. The value is used to keep track of the internal balances. But, it isn't used for the event. There you use the user specified amount parameter:

function stakeFor(address account, uint256 amount) public virtual override returns (bool) {
    require(amount > 0, Error.INVALID_AMOUNT);

    _userCheckpoint(account);

    uint256 oldBal = IERC20(ammToken).balanceOf(address(this));
    IERC20(ammToken).safeTransferFrom(msg.sender, address(this), amount);
    uint256 newBal = IERC20(ammToken).balanceOf(address(this));
    uint256 staked = newBal - oldBal;
    balances[account] += staked;
    totalStaked += staked;
    
    // should be `staked` and not `amount`
    emit AmmStaked(account, ammToken, amount);
    return true;
}

Relevant code:

@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Jun 2, 2022
code423n4 added a commit that referenced this issue Jun 2, 2022
@chase-manning chase-manning added sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) labels Jun 6, 2022
@GalloDaSballo
Copy link
Collaborator

## L-01: use two-step process for critical address changes
Personally disagree, but finding is valid

N-01: emit an event when changing the configuration of a contract

Agree

N-02: AmmGauge doesn't use correct value for staking/unstaking events

Finding is valid, nice find

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Development

No branches or pull requests

3 participants