QA Report

[code423n4]

Require with empty message

The following requires are with empty messages.
This is very important to add a message for any require. So the user has enough information to know the reason of failure.

Code instances:

    Solidity file: WETH9.sol, In line 55 with Empty Require message.
    Solidity file: WETH9.sol, In line 29 with Empty Require message.

Not verified input

external / public functions parameters should be validated to make sure the address is not 0.
Otherwise if not given the right input it can mistakenly lead to loss of user funds.

Code instances:

    FETH.sol.approve spender
    WETH9.sol.transfer dst
    FETHMarketMock.sol.marketChangeLockup unlockFrom
    MinterRole.sol.grantMinter account

Hardcoded WETH

WETH address is hardcoded but it may differ on other chains, e.g. Polygon,
so make sure to check this before deploying and update if necessary
You should consider injecting WETH address via the constructor.
(previous issue: code-423n4/2021-10-ambire-findings#54)

Code instance:

    Hardcoded weth address in FETH.sol

Init frontrun

Most contracts use an init pattern (instead of a constructor) to initialize contract parameters. Unless these are enforced to be atomic with contact deployment via deployment script or factory contracts, they are susceptible to front-running race conditions where an attacker/griefer can front-run (cannot access control because admin roles are not initialized) to initially with their own (malicious) parameters upon detecting (if an event is emitted) which the contract deployer has to redeploy wasting gas and risking other transactions from interacting with the attacker-initialized contract.

Many init functions do not have an explicit event emission which makes monitoring such scenarios harder. All of them have re-init checks; while many are explicit some (those in auction contracts) have implicit reinit checks in initAccessControls() which is better if converted to an explicit check in the main init function itself.
(details credit to: code-423n4/2021-09-sushimiso-findings#64)
The vulnerable initialization functions in the codebase are:

Code instances:

    NFTDropCollection.sol, initialize, 120
    NFTDropMarket.sol, initialize, 100
    NFTCollection.sol, initialize, 105
    SequentialMintCollectionMock.sol, initializeWithModifier, 10
    PercentSplitETH.sol, initialize, 129
    NFTCollectionFactory.sol, initialize, 192
    FoundationTreasury.sol, initialize, 66

Named return issue

Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing.
Furthermore, removing either the actual return or the named return will save gas.

Code instances:

    BasicERC721.sol, balanceOf
    FETH.sol, transferFrom
    FETH.sol, marketLockupFor

In the following public update functions no value is returned

In the following functions no value is returned, due to which by default value of return will be 0.
We assumed that after the update you return the latest new value.
(similar issue here: code-423n4/2021-10-badgerdao-findings#85).

Code instances:

    NFTDropCollection.sol, updateMaxTokenId
    NFTCollectionFactory.sol, adminUpdateNFTCollectionImplementation
    NFTCollectionFactory.sol, adminUpdateNFTDropCollectionImplementation
    NFTCollection.sol, updateMaxTokenId
    NFTCollection.sol, updateBaseURI
    NFTDropCollection.sol, updatePreRevealContent

Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    OZERC165Checker.sol: function supportsERC165InterfaceUnchecked parameter account isn't used. (supportsERC165InterfaceUnchecked is internal)
    FETHMarketMock.sol: function marketChangeLockup parameter unlockAmount isn't used. (marketChangeLockup is external)
    FETHMarketMock.sol: function marketLockupFor parameter amount isn't used. (marketLockupFor is public)
    MockRoyaltyRegistry.sol: function setRoyaltyLookupAddress parameter tokenAddress isn't used. (setRoyaltyLookupAddress is external)
    FETHMarketMock.sol: function marketChangeLockup parameter depositFor isn't used. (marketChangeLockup is external)
    FETHMarketMock.sol: function marketChangeLockup parameter depositAmount isn't used. (marketChangeLockup is external)
    SendValueWithFallbackWithdraw.sol: function _sendValueWithFallbackWithdraw parameter gasLimit isn't used. (_sendValueWithFallbackWithdraw is internal)
    FETHMarketMock.sol: function marketLockupFor parameter account isn't used. (marketLockupFor is public)
    FETHMarketMock.sol: function marketChangeLockup parameter unlockExpiration isn't used. (marketChangeLockup is external)
    FETHMarketMock.sol: function marketChangeLockup parameter unlockFrom isn't used. (marketChangeLockup is external)
    MockRoyaltyRegistry.sol: function setRoyaltyLookupAddress parameter royaltyAddress isn't used. (setRoyaltyLookupAddress is external)

Check transfer receiver is not 0 to avoid burned money

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

Code instances:

    https://github.com/code-423n4/2022-08-foundation/tree/main/contracts/mocks/BasicERC721.sol#L263
    https://github.com/code-423n4/2022-08-foundation/tree/main/contracts/FETH.sol#L383
    https://github.com/code-423n4/2022-08-foundation/tree/main/contracts/PercentSplitETH.sol#L236
    https://github.com/code-423n4/2022-08-foundation/tree/main/contracts/FETH.sol#L267
    https://github.com/code-423n4/2022-08-foundation/tree/main/contracts/mocks/BasicERC721.sol#L244

Missing commenting

    The following functions are missing commenting as describe below:

Code instance:

    FETHNode.sol, _tryUseFETHBalance (internal), parameters totalAmount, shouldRefundSurplus not commented

Add a timelock

To give more trust to users: functions that set key/critical variables should be put behind a timelock.

Code instances:

    https://github.com/code-423n4/2022-08-foundation/tree/main/contracts/mocks/RoyaltyRegistry/MockRoyaltyRegistry.sol#L9
    https://github.com/code-423n4/2022-08-foundation/tree/main/contracts/mocks/FETHMarketMock.sol#L14
    https://github.com/code-423n4/2022-08-foundation/tree/main/contracts/mocks/BasicERC721.sol#L81

Unsafe Cast

use openzeppilin's safeCast in:

Code instances:

    https://github.com/code-423n4/2022-08-foundation/tree/main/contracts/FETH.sol#L514 : unsafe cast uint32(escrowIndex)
    https://github.com/code-423n4/2022-08-foundation/tree/main/contracts/FETH.sol#L615 : unsafe cast uint96(amount)
    https://github.com/code-423n4/2022-08-foundation/tree/main/contracts/FETH.sol#L498 : unsafe cast uint96(amount)
    https://github.com/code-423n4/2022-08-foundation/tree/main/contracts/FETH.sol#L393 : unsafe cast uint96(amount)

transfer return value of a general ERC20 is ignored

Need to use safeTransfer instead of transfer. As there are popular tokens, such as USDT that transfer/trasnferFrom method doesn’t return anything. The transfer return value has to be checked (as there are some other tokens that returns false instead revert), that means you must

1. Check the transfer return value
   Another popular possibility is to add a whiteList.
   Those are the appearances (solidity file, line number, actual line):

Code instances:

    PercentSplitETH.sol, 245 (_splitERC20Tokens), try erc20Contract.transfer(_shares[0].recipient, amountToSend) {
    PercentSplitETH.sol, 236 (_splitERC20Tokens), try erc20Contract.transfer(share.recipient, amountToSend) {

[HardlyDifficult]

Require with empty message

Invalid - this is a mock contract.

Not verified input

FETH and mocks were out of scope.
For MinterRole we wanted to remain consistent with grantRole from the OZ implementation which would still be publicly available.

Hardcoded WETH

Invalid, we don't use WETH.

Use constructor to initialize templates

Agree this is a good best practice to add. Will fix.

Named return issue

Invalid - mocks and FETH were out of scope.

In the following public update functions no value is returned

Invalid. These functions do not have a return value and they don't seem to require one.

Never used parameters

Invalid - those examples appear to have valid use cases.

Check transfer receiver is not 0 to avoid burned money

Invalid. Those contracts were out of scope.

Missing natspec comments

Fair feedback -- for natspec we aim for complete coverage of the public interfaces but for internal/private/libraries we have some gaps in order to reduce redundancy, for those we aim to include comments where things are unclear or not obvious from the function and variable names.

Add a timelock

Fair feedback and we may revisit this in the future.

Unsafe Cast

Invalid. FETH was out of scope.

transfer return value of a general ERC20 is ignored

Invalid. PercentSplitETH was out of scope.