Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #87

Open
code423n4 opened this issue May 2, 2022 · 1 comment
Open

QA Report #87

code423n4 opened this issue May 2, 2022 · 1 comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Issue #1 (Low) - Follow Check-Effects-Interactions Pattern

There is no reentrancy risk in PARMinerV2.withdraw(), though it is a recommended practice to follow the CEI pattern regardless. Send the withdrawal amount after decreasing the user's stake.

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/liquidityMining/v2/PARMinerV2.sol#L101-L102

Issue #2 (Low) - All input addresses should be checked for the zero address

In the following initialize function, the input address for _owner should be required to not equal address(0).

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/inception/InceptionVaultsCore.sol#L56

Issue #3 (Low) - Some tokens do not allow for Non-Zero to Non-Zero value approvals

USDT, for example, will not allow approving a non-zero amount and then approving another non-zero amount. The approval must be reset to zero before approving another amount. The following functions will fail on their subsequent calls.

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/liquidityMining/v2/PARMinerV2.sol#L125
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L97

Issue #4 (Low) - Front-runnable initializers

A couple initialize functions lack access control. They can be frontrun allowing for crucial variables to be improperly set. This would lead to the contract needing to be redeployed.

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/inception/InceptionVaultsCore.sol#L40-L58
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L49-L67

Issue #5 (Non-critical) - Consider renaming stake() to getStaked()

stake() sounds like an action, e.g. for a user to stake the token. Changing to something like getStaked() would indicate that it's a getter function.

Issue #6 (Non-critical) - Code Consistency: Change _userInfo.accAmountPerShare to _userInfo.accMimoAmountPerShare

    _userInfo.accAmountPerShare = _accMimoAmountPerShare;
    _userInfo.accParAmountPerShare = _accParAmountPerShare;

Both PAR variables contain "PAR". Only the global MIMO variable contains "MIMO". The user variable should contain "MIMO" in the name as well.

Issue #7 (Non-critical) - Typo in word "Collateral"

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/liquidityMining/v2/PARMinerV2.sol#L106

Issue #8 (Non-critical) - Typo in word "Threshold"

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/inception/InceptionVaultsCore.sol#L87

Issue #9 (Non-critical) - Recommended practice to begin internal variables with underscore

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L102
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L137
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L187
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L368
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L354

Issue #10 (Non-critical) - Missing require exception messages

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L255
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L247
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels May 2, 2022
code423n4 added a commit that referenced this issue May 2, 2022
@code423n4
0xDjango issue #87
cf1310b
@m19
Copy link
Collaborator

m19 commented May 8, 2022

We appreciate this QA report for clearly listing what could be improved and why. We also appreciate that the author included 1 and 3 in this QA report as opposed to med/high risk which saved everyone a bunch of time.

@code423n4 code423n4 mentioned this issue Jun 5, 2022
Closed
@gzeoneth gzeoneth mentioned this issue Jun 5, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@m19 @code423n4