QA Report #25
Labels: bug (Something isn't working); QA (Quality Assurance) (Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax); sponsor confirmed (Sponsor agrees this is a problem and intends to fix it; OK to use with "disagree with severity")
Missing Zero Checks
Impact
Zero-address checks for input validation of address-type variables are a best practice. While such checks are implemented in some places, they are missing in others.
POC
https://github.com/code-423n4/2022-03-rolla/blob/a06418c9cc847395f3699bdf684a9ac066651ed7/quant-protocol/contracts/QuantCalculator.sol#L55-L57
The strikeAssetDecimals and optionsFactory variables are not zero-checked, which could result in loss of funds or malfunctions.
Tools Used
Manual Analysis
Recommended Mitigation Steps
Add zero-address checks
Arbitrary send
https://github.com/code-423n4/2022-03-rolla/blob/a06418c9cc847395f3699bdf684a9ac066651ed7/quant-protocol/contracts/timelock/TimelockController.sol#L414
Impact
Unprotected call to a function sending Ether to an arbitrary address.
Tools Used
Manual Analysis
Recommended Mitigation Steps
Ensure that an arbitrary user cannot withdraw unauthorized funds.
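The two mitigations recommended above, shown side by side with the patterns they replace, as an added illustrative contract that is not taken from the Rolla code base. The contract name, the `admin` role and the `sendValue` function are assumptions; the variable names `optionsFactory` and `strikeAssetDecimals` follow the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Illustrative contract (hypothetical, not the audited QuantCalculator or
/// TimelockController) showing the two fixes the report asks for:
/// zero checks on constructor inputs, and an access-controlled Ether send.
contract GuardedCalculator {
    address public immutable optionsFactory;
    uint8 public immutable strikeAssetDecimals;
    address public immutable admin; // assumed: the only account allowed to move Ether

    error ZeroAddress();
    error ZeroDecimals();
    error NotAdmin();

    constructor(address _optionsFactory, uint8 _strikeAssetDecimals) {
        // Pattern the report flags: assign without validation.
        // optionsFactory = _optionsFactory;
        // strikeAssetDecimals = _strikeAssetDecimals;

        // Hardened pattern: reject zero values up front so a misconfigured
        // deployment reverts instead of leaving a contract that cannot work.
        if (_optionsFactory == address(0)) revert ZeroAddress();
        if (_strikeAssetDecimals == 0) revert ZeroDecimals();
        optionsFactory = _optionsFactory;
        strikeAssetDecimals = _strikeAssetDecimals;
        admin = msg.sender;
    }

    receive() external payable {}

    /// Pattern the report flags: any caller can direct the contract's Ether anywhere.
    // function sendValue(address payable to, uint256 amount) external {
    //     (bool ok, ) = to.call{value: amount}("");
    //     require(ok, "send failed");
    // }

    /// Hardened pattern: only the admin may move Ether, and the target is validated.
    function sendValue(address payable to, uint256 amount) external {
        if (msg.sender != admin) revert NotAdmin();
        if (to == address(0)) revert ZeroAddress();
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "send failed");
    }
}
```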