Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

QA Report #103

Open
code423n4 opened this issue May 7, 2022 · 0 comments
Open

QA Report #103

code423n4 opened this issue May 7, 2022 · 0 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Require with empty message

The following requires are with empty messages.
This is very important to add a message for any require. So the user has enough information to know the reason of failure.

Code instance:

    Solidity file: CEther.sol, In line 148 with Empty Require message.

Not verified input

external / public functions parameters should be validated to make sure the address is not 0.
Otherwise if not given the right input it can mistakenly lead to loss of user funds.

Code instances:

    CEther.sol.liquidateBorrowNft borrower
    CNft.sol.call to
    CNft.sol.safeBatchTransferFrom to
    Comptroller.sol.seizeAllowed liquidator
    Comptroller.sol.transferAllowed cAsset

Solidity compiler versions mismatch

The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.

Code instance:

Use safe math for solidity version <8

You should use safe math for solidity version <8 since there is no default over/under flow check it suchversions of solidity.

Code instances:

    The contract CEther.sol doesn't use safe math and is of solidity version < 8
    The contract Comptroller.sol doesn't use safe math and is of solidity version < 8
    The contract CErc20.sol doesn't use safe math and is of solidity version < 8

Init frontrun

Most contracts use an init pattern (instead of a constructor) to initialize contract parameters. Unless these are enforced to be atomic with contact deployment via deployment script or factory contracts, they are susceptible to front-running race conditions where an attacker/griefer can front-run (cannot access control because admin roles are not initialized) to initially with their own (malicious) parameters upon detecting (if an event is emitted) which the contract deployer has to redeploy wasting gas and risking other transactions from interacting with the attacker-initialized contract.

Many init functions do not have an explicit event emission which makes monitoring such scenarios harder. All of them have re-init checks; while many are explicit some (those in auction contracts) have implicit reinit checks in initAccessControls() which is better if converted to an explicit check in the main init function itself.
(details credit to: code-423n4/2021-09-sushimiso-findings#64)
The vulnerable initialization functions in the codebase are:

Code instance:

    CNft.sol, initialize, 17

Assert instead require to validate user inputs

    From solidity docs: Properly functioning code should never reach a failing assert statement; if this happens there is a bug in your contract which you should fix.
    With assert the user pays the gas and with require it doesn't. The ETH network gas isn't cheap and users can see it as a scam.

Code instances:

    Comptroller.sol : reachable assert in line 332
    Comptroller.sol : reachable assert in line 206

In the following public update functions no value is returned

In the following functions no value is returned, due to which by default value of return will be 0.
We assumed that after the update you return the latest new value.
(similar issue here: code-423n4/2021-10-badgerdao-findings#85).

Code instance:

    Comptroller.sol, updateContributorRewards

Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    CNft.sol: function onERC721Received parameter tokenId isn't used. (onERC721Received is public)
    CNft.sol: function onERC1155Received parameter data isn't used. (onERC1155Received is public)
    CNft.sol: function onERC1155Received parameter from isn't used. (onERC1155Received is public)
    Comptroller.sol: function _initializeNftCollateral parameter _collateralFactorMantissa isn't used. (_initializeNftCollateral is external)
    CNft.sol: function onERC1155Received parameter value isn't used. (onERC1155Received is public)

Check transfer receiver is not 0 to avoid burned money

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

Code instances:

    https://github.com/code-423n4/bunker-protocol/tree/main/contracts/CNft.sol#L139
    https://github.com/code-423n4/bunker-protocol/tree/main/contracts/CEther.sol#L167
    https://github.com/code-423n4/bunker-protocol/tree/main/contracts/CNft.sol#L95
    https://github.com/code-423n4/bunker-protocol/tree/main/contracts/CErc20.sol#L209
    https://github.com/code-423n4/bunker-protocol/tree/main/contracts/CErc20.sol#L174

Assert instead require to validate user inputs

    From solidity docs: Properly functioning code should never reach a failing assert statement; if this happens there is a bug in your contract which you should fix.
    With assert the user pays the gas and with require it doesn't. The ETH network gas isn't cheap and users can see it as a scam.

Code instances:

    Comptroller.sol : reachable assert in line 332
    Comptroller.sol : reachable assert in line 206

In the following public update functions no value is returned

In the following functions no value is returned, due to which by default value of return will be 0.
We assumed that after the update you return the latest new value.
(similar issue here: code-423n4/2021-10-badgerdao-findings#85).

Code instance:

    Comptroller.sol, updateContributorRewards

Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    CNft.sol: function onERC721Received parameter tokenId isn't used. (onERC721Received is public)
    CNft.sol: function onERC1155Received parameter data isn't used. (onERC1155Received is public)
    CNft.sol: function onERC1155Received parameter from isn't used. (onERC1155Received is public)
    Comptroller.sol: function _initializeNftCollateral parameter _collateralFactorMantissa isn't used. (_initializeNftCollateral is external)
    CNft.sol: function onERC1155Received parameter value isn't used. (onERC1155Received is public)

Two arrays length mismatch

The functions below fail to perform input validation on arrays to verify the lengths match.
A mismatch could lead to an exception or undefined behavior.
Consider making this a medium risk please.

Code instances

    https://github.com/code-423n4/bunker-protocol/tree/main/contracts/ERC1155Enumerable.sol#L35 _beforeTokenTransfer ['ids', 'amounts']
    https://github.com/code-423n4/bunker-protocol/tree/main/contracts/CNft.sol#L166 safeBatchTransferFrom ['ids', 'amounts']

Not owner function calls an owner function

Code instance:

    CNft.sol.executeCall - calls call

Div by 0

Division by 0 can lead to accidentally revert,
(An example of a similar issue - code-423n4/2021-10-defiprotocol-findings#84)

Code instances:

    https://github.com/code-423n4/bunker-protocol/tree/main/contracts/CNft.sol#L40 amounts might be 0
    https://github.com/code-423n4/bunker-protocol/tree/main/contracts/CNft.sol#L116 amounts might be 0

Tokens with fee on transfer are not supported

There are ERC20 tokens that charge fee for every transfer() / transferFrom().

Vault.sol#addValue() assumes that the received amount is the same as the transfer amount,
and uses it to calculate attributions, balance amounts, etc.
But, the actual transferred amount can be lower for those tokens.
Therefore it's recommended to use the balance change before and after the transfer instead of the amount.
This way you also support the tokens with transfer fee - that are popular.

Code instances:

    https://github.com/code-423n4/bunker-protocol/tree/main/contracts/CNft.sol#L95
    https://github.com/code-423n4/bunker-protocol/tree/main/contracts/CNft.sol#L139

transfer return value of a general ERC20 is ignored

Need to use safeTransfer instead of transfer. As there are popular tokens, such as USDT that transfer/trasnferFrom method doesn’t return anything. The transfer return value has to be checked (as there are some other tokens that returns false instead revert), that means you must

  1. Check the transfer return value
    Another popular possibility is to add a whiteList.
    Those are the appearances (solidity file, line number, actual line):

Code instances:

    CErc20.sol, 209 (doTransferOut), token.transfer(to, amount);
    CErc20.sol, 174 (doTransferIn), token.transferFrom(from, address(this), amount);
    CErc20.sol, 138 (sweepToken), token.transfer(admin, balance);
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels May 7, 2022
code423n4 added a commit that referenced this issue May 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Development

No branches or pull requests

1 participant