QA Report #303
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Comments
code423n4
added
bug
|
this can be bumped to medium severity |
|
Per the C4 guidance "part of auditing is demonstrating proper theory of how an issue could be exploited" and that does not seem to be explored here as it was in the primary report. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1. Missing zero address checks
Risk
Low
Impact
Contract
Callydoes not check for zero addresses which might lead to loss of funds, failed transactions and can break the protocol functionality.Proof of Concept
tokenaddress - https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L160beneficiaryaddress - https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L351Tools Used
Manual Review / VSCode
Recommended Mitigation Steps
It is recommended to add zero address checks for listed parameters.
2. Missing events
Risk
Low
Impact
Contract
Callydoes not implement events for some critical functions. Lack of events makes it difficult for off-chain applications to monitor the protocol.Proof of Concept
setFeeevent - https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L119-L121withdrawProtocolFeesevent - https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L124-L128setVaultBeneficiaryevent - https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L351-L357Tools Used
Manual Review / VSCode
Recommended Mitigation Steps
It is recommended to add missing events to listed functions.
3. Missing validation for feeRate
Risk
Low
Impact
Function
Cally.setFeeis missing check forfeeRate_parameter that should not exceed acceptable by protocol percentage.Proof of Concept
Tools Used
Manual Review / VSCode
Recommended Mitigation Steps
It is recommended to add check for
feeRate_parameter.4. Owner - critical address change
Risk
Low
Impact
Changing critical addresses such as ownership should be a two-step process where the first transaction (from the old/current address) registers the new address (i.e. grants ownership) and the second transaction (from the new address) replaces the old address with the new one. This gives an opportunity to recover from incorrect addresses mistakenly used in the first step. If not, contract functionality might become inaccessible.
Proof of Concept
Tools Used
Manual Review / VSCode
Recommended Mitigation Steps
It is recommended to implement two-step process for passing ownership.
5. Usage of boolean values
Risk
Non-Critical
Impact
Contract uses
falseboolean expression for require statements in multiple functions.Proof of Concept
Tools Used
Manual Review / VSCode
Recommended Mitigation Steps
It is recommended to remove
falseexpression and use alternative syntax such as:6. Incorrect error message
Risk
Non-Critical
Impact
Function
Cally.createVaultchecks ifdutchAuctionReserveStrikeis smaller than specified strike option. Incorrect error message "Reserve strike too small" is returned in case of the error. It should be "Reserve strike too big".Proof of Concept
Tools Used
Manual Review / VSCode
Recommended Mitigation Steps
It is recommended to change the error message to "Reserve strike too big".
The text was updated successfully, but these errors were encountered: