QA Report

[code423n4]

Tokens with fee on transfer are not supported

There are ERC20 tokens that charge fee for every transfer() / transferFrom().

Vault.sol#addValue() assumes that the received amount is the same as the transfer amount,
and uses it to calculate attributions, balance amounts, etc.
But, the actual transferred amount can be lower for those tokens.
Therefore it's recommended to use the balance change before and after the transfer instead of the amount.
This way you also support the tokens with transfer fee - that are popular.

Code instance:

    https://github.com/code-423n4/2022-06-illuminate/tree/main/lender/Lender.sol#L616

safeApprove of openZeppelin is deprecated

You use safeApprove of openZeppelin although it's deprecated.
(see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38)
You should change it to increase/decrease Allowance as OpenZeppilin says.

Code instances:

    Deprecated safeApprove in Lender.sol line 116: Safe.approve(uToken, a[i], max);
    Deprecated safeApprove in Lender.sol line 92: Safe.approve(IERC20(token), r, max);

Require with empty message

The following requires are with empty messages.
This is very important to add a message for any require. So the user has enough information to know the reason of failure.

Code instance:

    Solidity file: Cast.sol, In line 9 with Empty Require message.

Require with not comprehensive message

The following requires has a non comprehensive messages.
This is very important to add a comprehensive message for any require. Such that the user has enough
information to know the reason of failure:

Code instance:

    Solidity file: Cast.sol, In line 9 with an empty require message

Not verified input

external / public functions parameters should be validated to make sure the address is not 0.
Otherwise if not given the right input it can mistakenly lead to loss of user funds.

Code instances:

    ERC20.sol.transferFrom dst
    Redeemer.sol.setLender l

Solidity compiler versions mismatch

The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.

Not verified owner

    owner param should be validated to make sure the owner address is not address(0).
    Otherwise if not given the right input all only owner accessible functions will be unaccessible.

Code instance:

    ERC20Permit.sol.permit owner

Named return issue

Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing.
Furthermore, removing either the actual return or the named return will save gas.

Code instances:

    ERC5095.sol, withdraw
    ERC5095.sol, previewRedeem
    ERC5095.sol, maxRedeem
    ERC5095.sol, convertToPrincipal

Two Steps Verification before Transferring Ownership

The following contracts have a function that allows them an admin to change it to a different address. If the admin accidentally uses an invalid address for which they do not have the private key, then the system gets locked.
It is important to have two steps admin change where the first is announcing a pending new admin and the new address should then claim its ownership.
A similar issue was reported in a previous contest and was assigned a severity of medium: code-423n4/2021-06-realitycards-findings#105

Code instances:

    Lender.sol
    MarketPlace.sol
    Redeemer.sol

Missing commenting

    The following functions are missing commenting as describe below:

Code instances:

    ERC5095.sol, maxWithdraw (external), parameter owner not commented
    ERC5095.sol, redeem (external), parameters principalAmount, holder not commented
    ERC5095.sol, withdraw (external), parameter holder not commented

Open TODOs

Open TODOs can hint at programming or architectural errors that still need to be fixed.
These files has open TODOs:

Code instances:

     Open TODO in Cast.sol line 8 :         require(n <= type(uint128).max, ''); // TODO err msgs
     Open TODO in Element.sol line 7 :     // TODO are these established element names? kind? not type? etc...
     Open TODO in Element.sol line 8 :     // TODO In, Out vs GIVEN_IN, GIVEN_OUT. If those names are needed they should be GivenIn etc...
     Open TODO in Element.sol line 14 :     // TODO audit structure / names / order-of-members etc...

Check transfer receiver is not 0 to avoid burned money

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

Code instances:

    https://github.com/code-423n4/2022-06-illuminate/tree/main/redeemer/Redeemer.sol#L258
    https://github.com/code-423n4/2022-06-illuminate/tree/main/marketplace/MarketPlace.sol#L172
    https://github.com/code-423n4/2022-06-illuminate/tree/main/lender/Lender.sol#L666

approve return value is ignored

Some tokens don't correctly implement the EIP20 standard and their approve function returns void instead of a success boolean.
Calling these functions with the correct EIP20 function signatures will always revert.
Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the mentioned contracts as they revert the transaction because of the missing return value.
We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handle the return value check as well as non-standard-compliant tokens.
The list of occurrences in format (solidity file, line number, actual line)

Code instances:

Lender.sol, 116, Safe.approve(uToken, a[i], max);

Lender.sol, 92, Safe.approve(IERC20(token), r, max);