QA Report #75
Assignees
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Comments
code423n4
added
bug
Duplicate of #11
As mentioned in a previous issue, we set this value in our deploy script, this way we are sure the Ticket contract and the yield source share the same number of decimals.
Duplicate of #1
Duplicate of #4 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1. Obsolete usage of SafeMath
Risk
Low
Impact
Contract
AaveV3YieldSourceis usingSafeMathlibrary foruint256. The contract is prepared for solidity0.8.10and using SafeMath is obsolete since the overflow/underflow security checks are built-in and done automatically for solidity versions>= 0.8.0for all calculations unless marked withunchecked {}.Proof of Concept
Used Tools
Manual Review / VSCode
Recommended Mitigation Steps
It is recommended to remove
SafeMathfrom the contract.2. Invalid setting decimals
Risk
Low
Impact
Constructor
AaveV3YieldSource.constructorallows settingdecimalsvalue in constructor. Based on the comments in the code the value of decimals should be equal to the decimals of the token used to deposit into the pool. Setting it by the user who is deploying the contract makes the process prone to errors.Comment in
AaveV3YieldSourcecontract:Proof of Concept
Used Tools
Manual Review / VSCode
Recommended Mitigation Steps
It is recommended to set
_decimalsby making external call toaToken.decimals().3. Use immutable storage variables
Risk
Non-Critical
Impact
Contract
AaveV3YieldSourcehas multiple storage addresses that are only set in constructor but are not marked as immutable.Proof of Concept
IAToken public aToken- https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L127IRewardsController public rewardsController- https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L130IPoolAddressesProviderRegistry public poolAddressesProviderRegistry- https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L133Used Tools
Manual Review / VSCode
Recommended Mitigation Steps
It is recommended to mark listed storage variables as immutable.
4. Redundant code for checking aToken address
Risk
Non-Critical
Impact
Function
AaveV3YieldSource.transferERC20is checking if the passed_tokenaddress argument is not aaTokenaddress. Since there is already defined function_requireNotATokenthat performs such a check it is better to reuse existing implementation.Proof of Concept
Used Tools
Manual Review / VSCode
Recommended Mitigation Steps
It is recommended to use
_requireNotATokeninAaveV3YieldSource.transferERC20function.The text was updated successfully, but these errors were encountered: