QA Report #63
Labels
bug
Something isn't working
edited-by-warden
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
approve return value is ignored
Some tokens don't correctly implement the EIP20 standard and their approve function returns void instead of a success boolean.
Calling these functions with the correct EIP20 function signatures will always revert.
Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the mentioned contracts as they revert the transaction because of the missing return value.
We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handle the return value check as well as non-standard-compliant tokens.
The list of occurrences in format (solidity file, line number, actual line)
Code instances:
FraxlendPairCore.sol, 1102, _assetContract.approve(_swapperAddress, _borrowAmount);
FraxlendPairCore.sol, 1183, _collateralContract.approve(_swapperAddress, _collateralToSwap);
Unbounded loop on array can lead to DoS
The attacker can push unlimitedly to an array, that some function loop over this array.
If increasing the array size enough, calling the function that does a loop over the array will always revert since there is a gas limit.
This is an High Risk issue since those arrays are publicly allows to push items into them.
Code instance:
Mult instead div in compares
To improve algorithm precision instead using division in comparison use multiplication in the following scenario:
In all of the big and trusted contracts this rule is maintained.
Code instances:
Missing fee parameter validation
Some fee parameters of functions are not checked for invalid values. Validate the parameters:
Code instances:
safeApprove of openZeppelin is deprecated
You use safeApprove of openZeppelin although it's deprecated.
(see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38)
You should change it to increase/decrease Allowance as OpenZeppilin says.
Code instances:
Not verified input
external / public functions parameters should be validated to make sure the address is not 0.
Otherwise if not given the right input it can mistakenly lead to loss of user funds.
Code instances:
Not verified owner
Code instances:
Named return issue
Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing.
Furthermore, removing either the actual return or the named return will save gas.
Code instances:
Two Steps Verification before Transferring Ownership
The following contracts have a function that allows them an admin to change it to a different address. If the admin accidentally uses an invalid address for which they do not have the private key, then the system gets locked.
It is important to have two steps admin change where the first is announcing a pending new admin and the new address should then claim its ownership.
A similar issue was reported in a previous contest and was assigned a severity of medium: code-423n4/2021-06-realitycards-findings#105
Code instances:
Missing non reentrancy modifier
The following functions are missing reentrancy modifier although some other pulbic/external functions does use reentrancy modifer.
Even though I did not find a way to exploit it, it seems like those functions should have the nonReentrant modifier as the other functions have it as well..
Code instance:
Never used parameters
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Code instances:
Check transfer receiver is not 0 to avoid burned money
Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.
Code instances:
Missing commenting
Code instances:
Add a timelock
To give more trust to users: functions that set key/critical variables should be put behind a timelock.
Code instances:
The text was updated successfully, but these errors were encountered: