Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #206

Open
code423n4 opened this issue May 24, 2022 · 0 comments
Open

QA Report #206

code423n4 opened this issue May 24, 2022 · 0 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Low risk issues

Unspecific compiler version pragma

Information :
L003 - Unspecific Compiler Version Pragma
Consensys Audit of 1inch
Solidity docs

Instances include :

ClaimFeesHelper.sol:2:pragma solidity ^0.8.11;
mocks/MockAuraMath.sol:2:pragma solidity ^0.8.11;
AuraVestedEscrow.sol:2:pragma solidity ^0.8.11;
BalLiquidityProvider.sol:2:pragma solidity ^0.8.11;
AuraStakingProxy.sol:2:pragma solidity ^0.8.11;
AuraLocker.sol:2:pragma solidity ^0.8.11;
AuraMinter.sol:2:pragma solidity ^0.8.11;
AuraMerkleDrop.sol:2:pragma solidity ^0.8.11;
Aura.sol:2:pragma solidity ^0.8.11;
ExtraRewardsDistributor.sol:2:pragma solidity ^0.8.11;
AuraBalRewardPool.sol:2:pragma solidity ^0.8.11;
AuraMath.sol:2:pragma solidity ^0.8.11;
AuraPenaltyForwarder.sol:2:pragma solidity ^0.8.11;
AuraClaimZap.sol:2:pragma solidity ^0.8.11;

Recommendation

It is recommended to use a concrete compiler version, for example :

ClaimFeesHelper.sol:2:pragma solidity 0.8.11;

Don't use deprecated library functions

Information :
L005 - Do not use Deprecated Library Functions
SafeERC20.sol - safeApprove

Instances include :

AuraVestedEscrow.sol:186:            rewardToken.safeApprove(address(auraLocker), claimable);
BalLiquidityProvider.sol:59:            tkn.safeApprove(address(bVault), 0);
BalLiquidityProvider.sol:60:            tkn.safeApprove(address(bVault), bal);
CrvDepositorWrapper.sol:52:        IERC20(WETH).safeApprove(address(BALANCER_VAULT), type(uint256).max);
CrvDepositorWrapper.sol:53:        IERC20(BAL).safeApprove(address(BALANCER_VAULT), type(uint256).max);
AuraStakingProxy.sol:147:        IERC20(crv).safeApprove(crvDepositorWrapper, 0);
AuraStakingProxy.sol:148:        IERC20(crv).safeApprove(crvDepositorWrapper, type(uint256).max);
AuraStakingProxy.sol:150:        IERC20(cvxCrv).safeApprove(rewards, 0);
AuraStakingProxy.sol:151:        IERC20(cvxCrv).safeApprove(rewards, type(uint256).max);
AuraStakingProxy.sol:215:            _token.safeApprove(rewards, 0);
AuraStakingProxy.sol:216:            _token.safeApprove(rewards, type(uint256).max);
AuraLocker.sol:240:        IERC20(cvxCrv).safeApprove(cvxcrvStaking, 0);
AuraLocker.sol:241:        IERC20(cvxCrv).safeApprove(cvxcrvStaking, type(uint256).max);
AuraMerkleDrop.sol:131:            aura.safeApprove(address(auraLocker), 0);
AuraMerkleDrop.sol:132:            aura.safeApprove(address(auraLocker), _amount);
AuraBalRewardPool.sol:75:        rewardToken.safeApprove(_auraLocker, type(uint256).max);
AuraPenaltyForwarder.sol:41:        token.safeApprove(address(distributor), type(uint256).max);
AuraClaimZap.sol:98:        IERC20(crv).safeApprove(crvDepositWrapper, 0);
AuraClaimZap.sol:99:        IERC20(crv).safeApprove(crvDepositWrapper, type(uint256).max);
AuraClaimZap.sol:101:        IERC20(cvxCrv).safeApprove(cvxCrvRewards, 0);
AuraClaimZap.sol:102:        IERC20(cvxCrv).safeApprove(cvxCrvRewards, type(uint256).max);
AuraClaimZap.sol:104:        IERC20(cvx).safeApprove(locker, 0);
AuraClaimZap.sol:105:        IERC20(cvx).safeApprove(locker, type(uint256).max);

Recommendation

Usage of deprecated library functions, for instance safeApprove from OpenZeppelin's SafeERC20 library is discouraged, it is recommended to use safeIncreaseAllowance and safeDecreaseAllowance instead, for example :

AuraVestedEscrow.sol:186:            rewardToken.safeIncreaseAllowance(address(auraLocker), claimable);

Unsafe ERC20 Operation(s)

Information :
L001 - Unsafe ERC20 Operation(s)

Instances include :

mocks/balancer/MockBalancerVault.sol:67:            IERC20(tokenB).transferFrom(funds.sender, address(this), singleSwap.amount);
mocks/balancer/MockBalancerVault.sol:68:            IERC20(tokenA).transfer(funds.recipient, singleSwap.amount);
mocks/balancer/MockBalancerVault.sol:71:            IERC20(tokenA).transferFrom(funds.sender, address(this), singleSwap.amount);
mocks/balancer/MockBalancerVault.sol:72:            IERC20(tokenB).transfer(funds.recipient, singleSwap.amount);
mocks/curve/MockCurveVoteEscrow.sol:48:        IERC20(token).transferFrom(msg.sender, address(this), amount);
mocks/curve/MockCurveVoteEscrow.sol:58:        IERC20(token).transferFrom(msg.sender, address(this), amount);
mocks/curve/MockCurveVoteEscrow.sol:78:        IERC20(token).transfer(msg.sender, amount);
mocks/curve/MockCurveMinter.sol:21:        crv.transfer(msg.sender, rate);
mocks/curve/MockCurveGauge.sol:25:        IERC20(lp_token).transferFrom(msg.sender, address(this), amount);
mocks/curve/MockCurveGauge.sol:30:        IERC20(lp_token).transfer(msg.sender, amount);
mocks/curve/MockCurveGauge.sol:37:            IERC20(reward_tokens[i]).transfer(msg.sender, amount);

Recommendation

It is recommended to always use OpenZeppelin's SafeERC20 library, for example :

import {SafeERC20} from "openzeppelin/token/utils/SafeERC20.sol";
...
IERC20(tokenB).safeTransferFrom(funds.sender, address(this), singleSwap.amount);

Non-critical issues

Typos

Instances include:

distirbuted, constructoor, transferrable

Aura.sol:18: *          distirbuted along a supply curve (cliffs etc). Fork of ConvexToken.
ExtraRewardsDistributor.sol:33:     * @dev Simple constructoor
AuraBalRewardPool.sol:55:     * @dev Simple constructoor
mocks/curve/MockCurveVoteEscrow.sol:28:        revert("Not transferrable");
mocks/curve/MockCurveVoteEscrow.sol:36:        revert("Not transferrable");
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels May 24, 2022
code423n4 added a commit that referenced this issue May 24, 2022
@code423n4
Kaiziron issue #206
044429a
@0xMaharishi 0xMaharishi added the duplicate This issue or pull request already exists label May 27, 2022
@dmvt dmvt removed the duplicate This issue or pull request already exists label Jul 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dmvt @code423n4 @0xMaharishi