QA Report #58
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
resolved
Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
bug
chase-manning
added
sponsor confirmed
Redundant greater than 0 checks for uintAgree as they can at lowest be 0 Sensible changes, such as adding a Governor should be a two-step processPersonally disagree, but valid find Requirement uses external call to user-controlled address in PoolMigrationZap.sol - migrateBecause of the architecture it's the callers responsibility to ensure the old contract is safe, as no funds beside the caller are at stake, I don't believe any risk was shown in this finding Erring on the safe side for reentrancy in PoolMigrationZap.sol - migrateAgree that the function doesn't respect CEI Recommended missing eventsAgree with informational level finding Overall a concise report, I especially liked the formatted links which make the text way faster to read through |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Redundant greater than 0 checks for uint
When executing pool weight changes in
InflationManager.sol(_executeKeeperPoolWeight, _executeLpPoolWeight, _executeAmmTokenWeight), corresponding total pool weightsxareunsigned int. As they can't only bex >= 0, the expressionx>0 ? x : 0does nothing.Sensible changes, such as adding a Governor should be a two-step process
addGovernancedirectly grantsRoles.GOVERNANCEto thenewGovernor. It should be a two-step process (e.g. setGovernance-acceptGovernance) to ensure the input address is correct. WhilstrenounceGovernancechecks that there is at least one Governor left, in a single-Governor scenario, back to back execution ofaddGovernancewith an incorrect address followed byrenounceGovernancewill render the protocol ungovernable. Additionally, as there is no way to revoke this role, granting governance to an address means that address will have complete control over the protocol forever after.Requirement uses external call to user-controlled address in
PoolMigrationZap.sol - migraterequire(oldPool_.getWithdrawalFee(msg.sender, lpTokenAmount_) == 0, "withdrawal fee not 0");makes an external call tooldPoolAddress_, which is a user-controlled address. It could be a malicious contract, thus reporting any result needed to bypass the guard.Erring on the safe side for reentrancy in
PoolMigrationZap.sol - migrateWhile I did not manage to exploit it in any way - I'd recommend against not including a
nonReentrantguard in this function.oldPoolAddress_could be a malicious contract thus enabling multiple calls tomigratespanning from the external calls tooldPoolorlpToken_.Recommended missing events
Modifying key protocol variables or triggering key events should always emit events accordingly to ensure transparency and proper traceability.
Minter.sol: setToken, startInflation, executeInflationRateUpdateBkdLocker.sol: migrateController.sol: setInflationManagerAmmGauge.sol: killKeeperGauge.sol: kill, advanceEpoch, reportFees, poolCheckpointInflationManager.sol: deactivateWeightBasedKeeperDistribution, checkpointAllGaugesVestedEscrow.sol: setAdmin, setFundAdmin, initializeUnallocatedSupplyThe text was updated successfully, but these errors were encountered: