QA Report #16
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Comments
code423n4
added
bug
|
Thanks |
Closed
|
Merging with #15 |
|
Merging with #14 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Low
Centralized risks
Owner can change the thresholds wherever he wants.
Also he can change the penalties, and it could facilitate a front-running issues with bad actors.
PROTOCOL_FEE_BPScould be higher than factor (10_000) and it could facilitate a front-running or denial of services with bad actors.Unfair staking increase
If the user makes any changes or
changeDuration, the staking timestamp is reset and loses all the time already spent in the previous deposit.Affected source code:
No compatible with fee tokens
The current lock logic does not contemplate ERC20 tokens with fee during the
transferFrom, therefore, the amount received byBribeVaultwill be less than the expected.Some tokens may implement a fee during transfers, this is the case of USDT, even though the project has currently set it to 0. So, the transferFrom function would return
truedespite receiving less than expected.It's recommended to use balance difference in:
Ownable / Pausable
The contract
InfinityStakerisOwnableandPausable, so the owner could resign while the contract is paused, causing a Denial of Service. Owner resignation while paused should be avoided.Affected source code:
Lack of ACK during owner change
It's possible to lose the ownership under specific circumstances.
Because an human error it's possible to set a new invalid owner. When you want to change the owner's address it's better to propose a new owner, and then accept this ownership with the new wallet.
Affected source code:
requestChange(ADMIN,X):Ownable:Lack of checks
The following methods have a lack checks if the received argument is an address, it's good practice in order to reduce human error to check that the address specified in the constructor or initialize is different than
address(0).Affected source code:
address(0):Integer values:
Non critical
Update packages
The packages used are out of date, it is good practice to use the latest version of these packages:
Use
encodeinstead ofencodePackedfor hashigUse of abi.encodePacked in
ConnextMessageis safe, but unnecessary and not recommended.abi.encodePackedcan result in hash collisions when used with two dynamic arguments (string/bytes).There is also discussion of removing
abi.encodePackedfrom future versions of Solidity (ethereum/solidity#11593), so usingabi.encodenow will ensure compatibility in the future.Affected source code:
The text was updated successfully, but these errors were encountered: