-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
QA Report #64
Comments
Require with empty message (disputed)Code instances out of scope Solidity compiler versions mismatch (disputed)All contracts in scope are in 0.8.14 |
Dangerous usage of tx.origin (disputed)Code instances out of scope safeApprove of openZeppelin is deprecated (disputed)Code instance out of scope Must approve 0 first (disputed)Code instance out of scope |
approve return value is ignored (disputed)Code instances out of scope transfer return value of a general ERC20 is ignored (disputed)Code instances out of scope |
Unbounded loop on array that can only grow can lead to DoS (disputed)In readme + previous audit |
Potential DoS (disputed).All interaction happens in one transaction |
Override function but with different argument location. (disputed).Overloading |
Does not validate the input fee parameter (Disputed)
|
Never used parameters (disputed).The parameters are used in the code |
public update functions no value is returned (disputed).Some are out of scope and for the others, in the function signature, there is no returns hence it does not returns anything |
Missing non reentrancy modifier (disputed)
|
Not verified owner (Disputed)
|
Two Steps Verification before Transferring Ownership (disputed)Already surfaced in precedent audit and readme |
Add a timelock (disputed)Some are out of scope |
Named return issue (duplicated)Duplicate point 3 of qa report #61 |
Missing commenting (duplicate) |
I'll just invalidate this QA report as there are so many unchecked bot results |
Does not validate the input fee parameter
Some fee parameters of functions are not checked for invalid values. Validate the parameters:
Code instances:
safeApprove of openZeppelin is deprecated
You use safeApprove of openZeppelin although it's deprecated.
(see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38)
You should change it to increase/decrease Allowance as OpenZeppilin says.
Code instance:
Require with empty message
The following requires are with empty messages.
This is very important to add a message for any require. So the user has enough information to know the reason of failure.
Code instance:
Not verified input
external / public functions parameters should be validated to make sure the address is not 0.
Otherwise if not given the right input it can mistakenly lead to loss of user funds.
Code instances:
Solidity compiler versions mismatch
The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.
Code instance:
Init function calls an owner function
Code instances:
Not verified owner
Code instances:
Named return issue
Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing.
Furthermore, removing either the actual return or the named return will save gas.
Code instances:
Two Steps Verification before Transferring Ownership
The following contracts have a function that allows them an admin to change it to a different address. If the admin accidentally uses an invalid address for which they do not have the private key, then the system gets locked.
It is important to have two steps admin change where the first is announcing a pending new admin and the new address should then claim its ownership.
A similar issue was reported in a previous contest and was assigned a severity of medium: code-423n4/2021-06-realitycards-findings#105
Code instance:
Missing non reentrancy modifier
The following functions are missing reentrancy modifier although some other pulbic/external functions does use reentrancy modifer.
Even though I did not find a way to exploit it, it seems like those functions should have the nonReentrant modifier as the other functions have it as well..
Code instances:
In the following public update functions no value is returned
In the following functions no value is returned, due to which by default value of return will be 0.
We assumed that after the update you return the latest new value.
(similar issue here: code-423n4/2021-10-badgerdao-findings#85).
Code instances:
Never used parameters
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Code instances:
Dangerous usage of tx.origin
Use of tx.origin for authorization may be abused by a MITM malicious contract forwarding calls from the legitimate user who interacts with it. Use msg.sender instead.
Code instance:
Missing commenting
Code instances:
Check transfer receiver is not 0 to avoid burned money
Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.
Code instances:
In the following public update functions no value is returned
In the following functions no value is returned, due to which by default value of return will be 0.
We assumed that after the update you return the latest new value.
(similar issue here: code-423n4/2021-10-badgerdao-findings#85).
Code instances:
Never used parameters
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Code instances:
Dangerous usage of tx.origin
Use of tx.origin for authorization may be abused by a MITM malicious contract forwarding calls from the legitimate user who interacts with it. Use msg.sender instead.
Code instance:
Missing commenting
Code instances:
Add a timelock
To give more trust to users: functions that set key/critical variables should be put behind a timelock.
Code instances:
Must approve 0 first
Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value.
They must first be approved by zero and then the actual allowance must be approved.
Code instance:
approve without approving 0 first DummyRouter.sol, 45, _token.approve(_spender, _amount);
Unbounded loop on array that can only grow can lead to DoS
A malicious attacker that is also a protocol owner can push unlimitedly to an array, that some function loop over this array.
If increasing the array size enough, calling the function that does a loop over the array will always revert since there is a gas limit.
This is a Med Risk issue since it can lead to DoS with a reasonable chance of having untrusted owner or even an owner that did a mistake in good faith.
Code instances:
Potential DoS
the balance of outputToken is checked to be exactly a specified value that is not declared in this specific function.
Therefore, a malicious user can transfer to the contract address tiny amount of tokens and the user transactions will always revert.
Code instances:
Override function but with different argument location
IYearnVault.sol.withdraw inherent IStakingVault.sol.withdraw but the parameters does not match
https://github.com/code-423n4/2022-06-nested/tree/main/contracts/interfaces/external/IStakingVault/IStakingVault.sol#L8
approve return value is ignored
Some tokens don't correctly implement the EIP20 standard and their approve function returns void instead of a success boolean.
Calling these functions with the correct EIP20 function signatures will always revert.
Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the mentioned contracts as they revert the transaction because of the missing return value.
We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handle the return value check as well as non-standard-compliant tokens.
The list of occurrences in format (solidity file, line number, actual line)
Code instance:
DummyRouter.sol, 45, _token.approve(_spender, _amount);
transfer return value of a general ERC20 is ignored
Need to use safeTransfer instead of transfer. As there are popular tokens, such as USDT that transfer/trasnferFrom method doesn’t return anything. The transfer return value has to be checked (as there are some other tokens that returns false instead revert), that means you must
Another popular possibility is to add a whiteList.
Those are the appearances (solidity file, line number, actual line):
Code instances:
The text was updated successfully, but these errors were encountered: