QA Report

[code423n4]

Low Risk
...............................................................

1. The initialize function that initializes important contract state can be called by anyone.
   See:

• GeneralVault.initialize() - https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/GeneralVault.sol#L61-L63
• CollateralAdapter.initialize() - https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/CollateralAdapter.sol#L35-L37
• YieldManager.initialize() - https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/YieldManager.sol#L60-L62

##Impact##
The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract.

##Recommended Mitigation Steps##
Use the constructor to initialize non-proxied contracts.
For initializing proxy contracts deploy contracts using a factory contract that immediately calls initialize after deployment or make sure to call it immediately after deployment and verify the transaction succeeded.

---

2. Missing critical events and emits

YieldManager.setCurvePool() , YieldManager.registerAsset(), YieldManager.setExchangeToken(), LidoVault._withdrawFromYieldPool() and other withdraw functions

Tools Used

Manual review

Recommended Mitigation Steps

Add emit for the appropriate event for this function.

[HickupHH3]

Low: missing approve(0)
NC: init frontrunning, event emission, zero address check