Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #103

Open
code423n4 opened this issue Jun 1, 2022 · 1 comment
Open

QA Report #103

code423n4 opened this issue Jun 1, 2022 · 1 comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

  1. Emit events for sensitive variable updates.

It would be great to emit an event before or after updating sensitive variables to make easy to track updates by community.

VE3Token.sol/setOperator()
VeTokenMinter.sol / addOperator()
VeTokenMinter.sol / removeOperator()
VE3DRewardPool.sol / addOperator()
VE3DRewardPool.sol / removeOperator()
RewardFactory.sol / addOperator()
RewardFactory.sol / removeOperator()
RewardFactory.sol / setAccess()
StashFactory / addOperator()
StashFactory / removeOperator()

Recommendation
Emit events before or after updating sensitive varaibles.

  1. OZ ERC20.safeApprove() function has been depreciated.

safeApprove() function of Openzeppelin’s ERC20 have been depreciated.
OpenZeppelin/openzeppelin-contracts#2268
OpenZeppelin/openzeppelin-contracts#2219
https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DRewardPool.sol#L287
https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DRewardPool.sol#L288
https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DRewardPool.sol#L301
https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DRewardPool.sol#L305
https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/Booster.sol#L374

Recommendation:
Use safeIncreaseAllowance or safeDecreaseAllowance functions instead.

  1. It looks like maxTime of VeAssetDepositor should be public
    Now, the maxTime of VeAssetDepositor.sol has been declared as a private, but I think this should be public.

Recommendation:
Check this variable again.

  1. Emit wrong event in stakeFor function of VE3DRewardPool.sol contract.

https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DRewardPool.sol#L249
In this line, the msg.sender is a VeAssetDepositor.sol contract or any other address which is different from user’s address.

Recommendation:
Emit event with actual user’s address.

  1. Some features of Booster.sol can be implemented by using OZ contracts.
  • There is owner variable and setOwner function, this can be implemented by inheriting OpenZeppelin Ownable contract.
  • There is isShutdown variable and shutdownSystem function, this can be implemented by inheriting OpenZeppelin Pausable contract.
  1. setRewardContracts of Booster.sol function could emit event without changes.
    setRewardContracts set values only if lockRewards is address(0), but event is emitted per each function call.

So if we use subgraph or anything else, it could lead to track wrong data.

Recommendation:
Emit RewardcontractsUpdated event inside condition.

  1. Some contracts didn’t inherit interfaces correctly.
    ITokenFactory is an interface of TokenFactory contract. However TokenFactory did not inherit ITokenFactory. This lead unexpected issue – ex. Interface has function, but implementation contract did not implement it.

IRewardFactory and RewardFactory are same case.

Recommendation:
Inherit interfaces, and override functions to avoid any unexpected issues in the future.
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Jun 1, 2022
code423n4 added a commit that referenced this issue Jun 1, 2022
@code423n4
SecureZeroX issue #103
23cb9ae
@GalloDaSballo
Copy link
Collaborator

Emit events for sensitive variable updates.

NC

OZ ERC20.safeApprove() function has been depreciated.

NC because of the code working properly

It looks like maxTime of VeAssetDepositor should be public

Valid refactor, value can still be retrieved via looking at constructor (or storage at)

Emit wrong event in stakeFor function of VE3DRewardPool.sol contract., setRewardContracts of Booster.sol function could emit event without changes.

NC

Some features of Booster.sol can be implemented by using OZ contracts.

Disagree, code would do the same thing, and would cost more gas

Some contracts didn’t inherit interfaces correctly.

Valid Refactor

2R 3 NC

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@GalloDaSballo @code423n4