Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #310

Open
code423n4 opened this issue May 25, 2022 · 0 comments
Open

QA Report #310

code423n4 opened this issue May 25, 2022 · 0 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

QA (LOW & NON-CRITICAL)

  • Floating Pragma used in Aura.sol, AuraBalRewardPool.sol, AuraClaimZap.sol, AuraMath.sol, AuraMerkleDrop.sol, AuraMinter.sol, AuraPenaltyForwarder.sol, AuraStakingProxy.sol, AuraVestedEscrow.sol, BalLiquidityProvider.sol, ClaimFeesHelper.sol, ExtraRewardsDistributor.sol. Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma (i.e. by not using ^) helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
    Reference

  • The whole project have different solidity compiler ranges ( 0.6.12 - 0.8.11) referenced. This leads to potential security flaws between deployed contracts depending on the compiler version chosen for any particular file. It also greatly increases the cost of maintenance as different compiler versions have different semantics and behavior.

  • The project uses Solidity version 0.6.12. Using an old version prevents access to new Solidity security checks. However the current version is 0.8.14 with more benefits and less bugs.

  • The project uses deprecated safeApprove in AuraBalRewardPool.sol, AuraClaimZap.sol, AuraLocker.sol, AuraMerkleDrop.sol, AuraPenaltyForwarder.sol, AuraStakingProxy.sol, AuraVestedEscrow.sol, BalLiquidityProvider.sol, CrvDepositorWrapper.sol, BaseRewardPool4626.sol, Booster.sol, CrvDepositor.sol, VoterProxy.sol Link

  • transfer and safeTransfer methods are used inside the codebase. Since these methods use 2300 gas stipend which is not adjustable, it may likely to get broken when calling a contract's fallback function.
    Reference Link -1, Reference Link -2

  • The distributeOther() function can be re-entered by fake tokens or tokens with callbacks. Reference
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels May 25, 2022
code423n4 added a commit that referenced this issue May 25, 2022
@code423n4
sorrynotsorry issue #310
7d6315e
@0xMaharishi 0xMaharishi added the duplicate This issue or pull request already exists label May 28, 2022
@dmvt dmvt removed the duplicate This issue or pull request already exists label Jul 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dmvt @code423n4 @0xMaharishi