Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

QA Report #66

Open
code423n4 opened this issue Jun 25, 2022 · 0 comments
Open

QA Report #66

code423n4 opened this issue Jun 25, 2022 · 0 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Must approve 0 first

Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value.
They must first be approved by zero and then the actual allowance must be approved.

Code instances:

approve without approving 0 first Staking.sol, 78, IERC20(TOKE_POOL).approve(CURVE_POOL, type(uint256).max);

approve without approving 0 first Staking.sol, 91, IERC20Upgradeable(TOKE_TOKEN).approve(COW_RELAYER, type(uint256).max);

approve without approving 0 first Staking.sol, 82, IERC20(STAKING_TOKEN).approve(TOKE_POOL, type(uint256).max);

Add a timelock

To give more trust to users: functions that set key/critical variables should be put behind a timelock.

Code instances:

    https://github.com/code-423n4/2022-06-yieldy/tree/main/src/contracts/Staking.sol#L167
    https://github.com/code-423n4/2022-06-yieldy/tree/main/src/contracts/LiquidityReserve.sol#L92
    https://github.com/code-423n4/2022-06-yieldy/tree/main/src/contracts/Staking.sol#L226
    https://github.com/code-423n4/2022-06-yieldy/tree/main/src/contracts/Staking.sol#L177

Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    ERC20Upgradeable.sol: function _beforeTokenTransfer parameter from isn't used. (_beforeTokenTransfer is internal)
    ERC20Upgradeable.sol: function _afterTokenTransfer parameter to isn't used. (_afterTokenTransfer is internal)

Check transfer receiver is not 0 to avoid burned money

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

Code instances:

    https://github.com/code-423n4/2022-06-yieldy/tree/main/src/contracts/LiquidityReserve.sol#L198
    https://github.com/code-423n4/2022-06-yieldy/tree/main/src/contracts/Staking.sol#L132
    https://github.com/code-423n4/2022-06-yieldy/tree/main/src/contracts/Migration.sol#L48

Does not validate the input fee parameter

Some fee parameters of functions are not checked for invalid values. Validate the parameters:

Code instances:

    LiquidityReserve.setFee (_fee)
    Staking.setAffiliateFee (_affiliateFee)
    Staking.initialize (_feeAddress)

Require with not comprehensive message

The following requires has a non comprehensive messages.
This is very important to add a comprehensive message for any require. Such that the user has enough
information to know the reason of failure:

Code instance:

    Solidity file: Yieldy.sol, In line 257 with Require message: Max supply

Not verified input

external / public functions parameters should be validated to make sure the address is not 0.
Otherwise if not given the right input it can mistakenly lead to loss of user funds.

Code instances:

    Staking.sol.initialize _stakingToken
    Staking.sol.initialize _tokeManager
    Yieldy.sol.transferFrom _to
    ERC20Upgradeable.sol.approve spender

Not verified claimer

If a functions gets as input a claimer param, then it should make sure the claimer address is not address(0).
Otherwise it will cause to loss of the funds or access.

Code instance:

    Staking.sol.transferToke _claimAddress

Solidity compiler versions mismatch

The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.

Code instance:

Not verified owner

    owner param should be validated to make sure the owner address is not address(0).
    Otherwise if not given the right input all only owner accessible functions will be unaccessible.

Code instance:

    ERC20PermitUpgradeable.sol.permit owner

Init frontrun

Most contracts use an init pattern (instead of a constructor) to initialize contract parameters. Unless these are enforced to be atomic with contact deployment via deployment script or factory contracts, they are susceptible to front-running race conditions where an attacker/griefer can front-run (cannot access control because admin roles are not initialized) to initially with their own (malicious) parameters upon detecting (if an event is emitted) which the contract deployer has to redeploy wasting gas and risking other transactions from interacting with the attacker-initialized contract.

Many init functions do not have an explicit event emission which makes monitoring such scenarios harder. All of them have re-init checks; while many are explicit some (those in auction contracts) have implicit reinit checks in initAccessControls() which is better if converted to an explicit check in the main init function itself.
(details credit to: code-423n4/2021-09-sushimiso-findings#64)
The vulnerable initialization functions in the codebase are:

Code instances:

    LiquidityReserve.sol, initialize, 36
    Staking.sol, initialize, 38
    Yieldy.sol, initialize, 29

Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    ERC20Upgradeable.sol: function _beforeTokenTransfer parameter from isn't used. (_beforeTokenTransfer is internal)
    ERC20Upgradeable.sol: function _afterTokenTransfer parameter to isn't used. (_afterTokenTransfer is internal)
    ERC20Upgradeable.sol: function _beforeTokenTransfer parameter to isn't used. (_beforeTokenTransfer is internal)
    ERC20Upgradeable.sol: function _afterTokenTransfer parameter amount isn't used. (_afterTokenTransfer is internal)
    ERC20Upgradeable.sol: function _afterTokenTransfer parameter from isn't used. (_afterTokenTransfer is internal)
    ERC20Upgradeable.sol: function _beforeTokenTransfer parameter amount isn't used. (_beforeTokenTransfer is internal)

safeApprove of openZeppelin is deprecated

You use safeApprove of openZeppelin although it's deprecated.
(see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38)
You should change it to increase/decrease Allowance as OpenZeppilin says.

Code instances:

    Deprecated safeApprove in LiquidityReserve.sol line 80: IERC20Upgradeable(rewardToken).approve(
    Deprecated safeApprove in Migration.sol line 31: IERC20Upgradeable(stakingToken).approve(
    Deprecated safeApprove in Staking.sol line 83: IERC20Upgradeable(YIELDY_TOKEN).approve(

Unbounded loop on array that can only grow can lead to DoS

A malicious attacker that is also a protocol owner can push unlimitedly to an array, that some function loop over this array.
If increasing the array size enough, calling the function that does a loop over the array will always revert since there is a gas limit.
This is a Med Risk issue since it can lead to DoS with a reasonable chance of having untrusted owner or even an owner that did a mistake in good faith.

Code instances:

    BatchRequests.sol (L33): Unbounded loop on the array contracts that can be publicly pushed by ['addAddress'] and can't be pulled
    BatchRequests.sol (L14): Unbounded loop on the array contracts that can be publicly pushed by ['addAddress'] and can't be pulled
    BatchRequests.sol (L89): Unbounded loop on the array contracts that can be publicly pushed by ['addAddress'] and can't be pulled

Duplicates in array

    You allow in some arrays to have duplicates. Sometimes you assumes there are no duplicates in the array.

Code instance:

BatchRequests.addAddress pushed (_address)

@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Jun 25, 2022
code423n4 added a commit that referenced this issue Jun 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Development

No branches or pull requests

1 participant