Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #142

Open
code423n4 opened this issue May 18, 2022 · 2 comments
Open

QA Report #142

code423n4 opened this issue May 18, 2022 · 2 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Floating pragma

Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
https://swcregistry.io/docs/SWC-103

Lines of code

Pretty much all the contracts, some of which are below
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemicTokenV1.sol#L2
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemicTokenV2.sol#L2
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemicTokenV2Base.sol#L2
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemistV2.sol#L1

Missing non-zero address check

It is a good practice to include non-zero address check especially when updating important addresses. I suggest to include a non-zero address check for transferOwnership()

Lines of code

https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/gALCX.sol#L39

It would be better to make transferOwnership() as a two-step process

transferOwnership() is called by the current owner to change the owner address. It can be a better approach to follow a 2-step process when updating such priviliged addresses
First transaction proposes the pending owner address, second transaction which can only be called by the proposed address accepts the role.
A similar 2-step approach is implemented in AlchemistV2.sol for admin update using setPendingAdmin() and acceptAdmin().

Lines of code

https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/gALCX.sol#L39
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels May 18, 2022
code423n4 added a commit that referenced this issue May 18, 2022
@code423n4
catchup issue #142
551d182
@0xfoobar
Copy link
Collaborator

Sponsor disputed

  • floating pragmas are useful for testing version upgrades against the same codebase
  • transferOwnership to a zero address is useful for burning the admin keys
  • a two-step process is certainly possible but we decided against it here

@itsmetechjay itsmetechjay reopened this May 31, 2022
@0xleastwood 0xleastwood mentioned this issue Jun 5, 2022
Closed
@0xleastwood
Copy link
Collaborator

Agree with sponsor but the last suggestion + #141 have some validity.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@0xleastwood @code423n4 @0xfoobar @itsmetechjay