QA Report #413
Labels: bug, QA (Quality Assurance)
L01 - Missing zero address checks in admin setters
Some functions are missing zero-address checks when setting admin addresses, which could lead to loss of admin control.
Apply a zero-address check and consider implementing a two-step transferOwnership process, where the owner nominates an account and the nominated account must call acceptOwnership() to complete the transfer of ownership.
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L22-L25
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L253-L255
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L250-L252
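The recommended pattern, as an added illustration (not Rubicon's code): a zero-address check on the setter plus a two-step handover, so a mistyped address can never take effect because nobody can accept from it. Contract and event names are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not part of the audited code base: admin setter with a
// zero-address check and a two-step ownership handover (L01).
contract TwoStepOwnable {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed currentOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // Step 1: the current owner nominates a successor. The zero-address
    // check blocks the mistake that would otherwise leave no account able
    // to accept, i.e. permanent loss of admin control.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    // Step 2: only the nominated account can complete the handover, so a
    // typo in step 1 cannot hand control to an address nobody controls.
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }
}
```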
L02 - Missing zero address checks in _deposit() and _withdraw() functions
A user could mistakenly set the receiver parameter to the zero address in the deposit(), mint(), withdraw() and redeem() functions. This would lead to loss of user funds. Recommend adding a zero-address check for the receiver parameter.
L03 - ERC20 tokens with no return value will fail to transfer in functions buy(), cancel(), offer(), swapForETH(), openBathTokenSpawnAndSignal()
Although the ERC20 standard suggests that a transfer should return true on success, many tokens are non-compliant in this regard. In that case, the call here will revert even if the transfer is successful:
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L272-L347
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L351-L376
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L392-L429
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconRouter.sol#L519-L549
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L136-L203
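A transfer wrapper that tolerates both behaviours, as an added example (not Rubicon's code and not OpenZeppelin's SafeERC20, though it follows the same idea): the call is made at a low level so the compiler never tries to decode a bool from empty return data, and an empty return is treated as success while a non-empty return must decode to true. The library name is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added example, not part of the audited code base: transfer helper that
// accepts spec-compliant tokens (return true) and tokens that return nothing (L03).
library SafeTransfer {
    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        _callOptionalReturn(address(token), abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
    }

    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        _callOptionalReturn(address(token), abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount));
    }

    function _callOptionalReturn(address token, bytes memory data) private {
        // A call to an address with no code "succeeds" with empty returndata,
        // so the contract check must come first or a bad address looks like a
        // non-compliant token.
        require(token.code.length > 0, "not a contract");
        (bool success, bytes memory ret) = token.call(data);
        require(success, "transfer call failed");
        // Empty returndata: non-compliant token, the revert-free call is the success signal.
        // Non-empty returndata: must decode to true, as the standard requires.
        require(ret.length == 0 || abi.decode(ret, (bool)), "transfer returned false");
    }
}
```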
L04 - Lack of event emission after sensitive actions
Contracts do not emit relevant events after setting sensitive variables.
Consider emitting events after sensitive changes take place, to facilitate tracking and to notify off-chain clients following the contract's activity, in the following functions:
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L1231-1256
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L253-L283
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L245-L272
L05 - Drain bonus tokens
Since bonus tokens are distributed each time users withdraw() their shares, there are situations where the withdrawal fee is less than the value of the bonus tokens distributed. This could let malicious users drain the bonus tokens by repeatedly depositing and withdrawing their shares for as long as it is profitable, leaving other shareholders without bonus tokens. Consider distributing bonus tokens based on share holding time.
L06 - Adding new orders to the list of strategist orders could lead to DoS
The getIndexFromElement() function iterates through the list of a strategist's open orders; if the list grows too large, it could run out of gas. This could make it impossible to cancel strategist orders on a pair, since handleStratOrderAtID() calls getIndexFromElement(). Consider limiting the number of open orders a strategist may have on one pair.
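One way to apply the recommendation, as an added example (not Rubicon's code): a per-pair order list with a hard cap, plus an index mapping so that lookup and removal are constant-cost instead of a scan over the whole list. The cap value, the use of msg.sender as the strategist, and the pair/order identifiers are assumptions of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not part of the audited code base: bounded per-pair
// strategist order list with O(1) index lookup, so cancellation never
// depends on an unbounded loop (L06).
contract BoundedStrategistOrders {
    uint256 public constant MAX_OPEN_ORDERS = 50; // assumed cap, tune to the gas budget

    // strategist => pair id => open order ids (msg.sender plays the strategist here)
    mapping(address => mapping(bytes32 => uint256[])) private openOrders;
    // strategist => pair id => order id => index in the list plus one; 0 means absent
    mapping(address => mapping(bytes32 => mapping(uint256 => uint256))) private indexPlusOne;

    function addOrder(bytes32 pair, uint256 orderId) external {
        uint256[] storage list = openOrders[msg.sender][pair];
        require(list.length < MAX_OPEN_ORDERS, "too many open orders on pair");
        require(indexPlusOne[msg.sender][pair][orderId] == 0, "order already tracked");
        list.push(orderId);
        indexPlusOne[msg.sender][pair][orderId] = list.length;
    }

    // Mapping lookup in place of a linear scan over the order list.
    function getIndexFromElement(bytes32 pair, uint256 orderId) public view returns (uint256) {
        uint256 idx = indexPlusOne[msg.sender][pair][orderId];
        require(idx != 0, "order not found");
        return idx - 1;
    }

    // Swap-and-pop removal keeps the list dense and the cost constant,
    // including the case where the removed order is the last element.
    function removeOrder(bytes32 pair, uint256 orderId) external {
        uint256[] storage list = openOrders[msg.sender][pair];
        uint256 idx = getIndexFromElement(pair, orderId);
        uint256 lastId = list[list.length - 1];
        list[idx] = lastId;
        indexPlusOne[msg.sender][pair][lastId] = idx + 1;
        list.pop();
        delete indexPlusOne[msg.sender][pair][orderId];
    }

    function openOrderCount(bytes32 pair) external view returns (uint256) {
        return openOrders[msg.sender][pair].length;
    }
}
```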
L07 - Adding new bonus tokens could lead to DoS
The admin can only add new bonus tokens for withdrawers, using the setBonusToken() function. A withdraw transaction calls distributeBonusTokenRewards(), which could run out of gas if the list of bonus tokens grows too large. This would make users unable to withdraw their assets.
Consider adding a function that allows the admin to delete addresses from bonusTokens.
N01 - Variable rewardsVestingWallet never changes
The variable rewardsVestingWallet never changes and stays at its zero value, which means that distribution of bonus tokens to pool withdrawers would not be possible in the current implementation.
N02 - mint() function wouldn't work with fee-on-transfer tokens
The mint() function requires the shares parameter to equal the amount of shares minted inside _deposit(), but with fee-on-transfer (FOT) tokens the minted share amount would be less than expected, since previewMint() calculates the assets amount without subtracting the fee, and the transaction would fail.
N03 - Unused function, variable and event
The released() function and the EtherReleased() event are never used, and the _released variable never changes; remove them for readability and conciseness.
N04 - Not specified visibility for variable
bool locked;
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L191
N05 - Commented code
Some lines of code are commented out; remove them for readability and conciseness.
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/RubiconMarket.sol#L93-L110
N06 - Missing revert strings in require statements
Add messages to the following require statements to make the contracts more self-explanatory.
N07 - Extra brackets
https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathHouse.sol#L179
N08 - Typos