QA Report #118
Comments
1. require() should be used instead of assert()
Disagree for this specific case, assert is fine, let the caller regret setting the wrong vault
2. safeApprove() is deprecated
Acknowledge, however we are using safeApprove the proper way, from 0, once
3. Open TODOs
Ack
4. Upgradeable contract is missing a __gap[50] storage variable to allow for new storage variables in later versions
Disagree, we have it in the baseStrategy: https://github.com/Badger-Finance/badger-vaults-1.5/blob/5abb584f93d564dea039a6b6a00a0cca11dd2b42/contracts/BaseStrategy.sol#L431
1. Using vulnerable version of OpenZeppelin
Ack, not exploited hence no prob
2. Missing initializer modifier on constructor
We use
3. public functions not called by the contract should be declared external instead
Disagree, we need it for the deployment
4. constants should be defined rather than using magic numbers
Ack
5. Redundant cast
I believe it gets optimized away
6. Missing event and timelock for critical parameter change
Personally disagree
7. Use a more recent version of solidity
We like the version
8. Inconsistent spacing in comments
k
9. Typos
k
10. Event is missing indexed fields
Good idea
@GalloDaSballo Ser, there is no constructor defined in this contract, therefore the default one is used, where the initializer modifier is not being used
@IllIllI000 I've looked into it and had I agree with the finding, would recommend rephrasing to: Personally our UpgradeableProxy doesn't risk being self-destructed, that said if the finding is contextualized in that way I agree with it. In terms of the Proxy, we deploy + initialize in the same transaction via
I have changed my mind about
The following two
Agreed with the severities of the other findings. Overall, this is an excellent QA report with top-notch formatting. I love how you put a short and clear description for each issue, with all the instances listed.
Summary
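Low Risk Issues
1. require() should be used instead of assert()
2. safeApprove() is deprecated
3. Open TODOs
4. Upgradeable contract is missing a __gap[50] storage variable to allow for new storage variables in later versions
Total: 7 instances over 4 issues
Non-critical Issues
1. Using vulnerable version of OpenZeppelin
2. Missing initializer modifier on constructor
3. public functions not called by the contract should be declared external instead
4. constants should be defined rather than using magic numbers
5. Redundant cast
6. Missing event and timelock for critical parameter change
7. Use a more recent version of solidity
8. Inconsistent spacing in comments
9. Typos
10. Event is missing indexed fields
Total: 18 instances over 10 issues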
Low Risk Issues
1. require() should be used instead of assert()
Prior to solidity version 0.8.0, hitting an assert consumes the remainder of the transaction's available gas rather than returning it, as require()/revert() do. assert() should be avoided even past solidity version 0.8.0 as its documentation states that "The assert function creates an error of type Panic(uint256). ... Properly functioning code should never create a Panic, not even on invalid external input. If this happens, then there is a bug in your contract which you should fix".
There is 1 instance of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L57
2. safeApprove() is deprecated
Deprecated in favor of safeIncreaseAllowance() and safeDecreaseAllowance(). If only setting the initial allowance to the value that means infinite, safeIncreaseAllowance() can be used instead
There are 3 instances of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L65
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L67
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L68
3. Open TODOs
Code architecture, incentives, and error handling/reporting questions/issues should be resolved before deployment
There are 2 instances of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L284
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L422
4. Upgradeable contract is missing a __gap[50] storage variable to allow for new storage variables in later versions
See this link for a description of this storage variable. While some contracts may not currently be sub-classed, adding the variable now protects against forgetting to add it in the future.
There is 1 instance of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L20
Non-critical Issues
1. Using vulnerable version of OpenZeppelin
The brownie configuration file says that the project is using 3.4.0 of OpenZeppelin which has a vulnerability in initializers that call external contracts, which this code does. You're protecting against it by having the comment stating to change all state at the end, but it would be better to upgrade and use the onlyInitializing modifier
There is 1 instance of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L55
2. Missing initializer modifier on constructor
OpenZeppelin recommends that the initializer modifier be applied to constructors
There is 1 instance of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L20
3. public functions not called by the contract should be declared external instead
Contracts are allowed to override their parents' functions and change the visibility from external to public.
There is 1 instance of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L56
4. constants should be defined rather than using magic numbers
Even assembly can benefit from using readable constants instead of hex/numeric literals
There is 1 instance of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L205
5. Redundant cast
The type of the variable is the same as the type to which the variable is being cast
There is 1 instance of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L430
6. Missing event and timelock for critical parameter change
Events help non-contract tools to track changes, and events prevent users from being surprised by changes
There are 3 instances of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L86-L89
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L92-L95
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L98-L101
7. Use a more recent version of solidity
Use a solidity version of at least 0.8.13 to get the ability to use using for with a list of free functions
There is 1 instance of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L3
8. Inconsistent spacing in comments
Some lines use // x and some use //x. The instances below point out the usages that don't follow the majority, within each file
There are 4 instances of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L85
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L91
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L97
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L183
9. Typos
There are 4 instances of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L105
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L160
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L218
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L284
10. Event is missing indexed fields
Each event should use three indexed fields if there are three or more fields
There is 1 instance of this issue:
https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L51
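Several findings in the report above (assert(), safeApprove(), open TODOs, comment spacing against the file's majority, events with three or more fields lacking three indexed fields) are pattern rules that can be checked mechanically. The following Python scanner is an added example, not part of the original report or of the project's tooling; the sample contract, the rule names and the scan() function are constructed for illustration.

```python
import re
from collections import Counter

# Constructed Solidity input for the scanner (not taken from MyStrategy.sol).
SAMPLE = """\
// Example strategy
contract Demo {
    event Moved(address from, address indexed to, uint256 amount);
    event Set(uint256 value);
    //set up approvals
    function init(address vault) public {
        assert(vault != address(0));
        token.safeApprove(vault, type(uint256).max);
        // TODO: handle rewards
    }
}
"""

def scan(source):
    """Return sorted (line, rule) findings for the report's pattern-based checks."""
    findings = []
    styles = {}  # line number -> True for "// x", False for "//x"
    for no, line in enumerate(source.splitlines(), 1):
        # Naive split: a "//" inside a string literal would be misread as a comment.
        code, sep, comment = line.partition("//")
        for rule in ("assert", "safeApprove"):
            if re.search(r"\b%s\s*\(" % rule, code):
                findings.append((no, rule))
        body = comment.lstrip("/")
        if sep and "TODO" in body:
            findings.append((no, "todo"))
        if sep and body.strip():
            styles[no] = body[0].isspace()
    # Comment spacing: flag only the lines that deviate from the file's majority.
    counts = Counter(styles.values())
    if counts[True] != counts[False]:
        majority = counts[True] > counts[False]
        findings += [(no, "comment-spacing") for no, s in styles.items() if s != majority]
    # Events: three or more fields should carry three indexed fields.
    for m in re.finditer(r"\bevent\s+\w+\s*\(([^)]*)\)", source):
        fields = [f for f in m.group(1).split(",") if f.strip()]
        indexed = sum(bool(re.search(r"\bindexed\b", f)) for f in fields)
        if len(fields) >= 3 and indexed < 3:
            findings.append((source.count("\n", 0, m.start()) + 1, "event-indexed"))
    return sorted(findings)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The scanner only matches text, so each hit still needs the manual triage the report performs: whether a flagged assert() guards an invariant or an input, and whether a safeApprove() call starts from a zero allowance.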