Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #6

Open
code423n4 opened this issue Apr 21, 2022 · 2 comments
Open

QA Report #6

code423n4 opened this issue Apr 21, 2022 · 2 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue sponsor todo

Comments

@code423n4
Copy link
Contributor

Title: Add a timelock
Severity: Low Risk

To give more trust to users: functions that set key/critical variables should be put behind a timelock.

    https://github.com/code-423n4/2022-04-xtribe/tree/main/LIB/flywheel-v2/FlywheelCore.sol#L165
    https://github.com/code-423n4/2022-04-xtribe/tree/main/LIB/flywheel-v2/FlywheelGaugeRewards.sol#L273
    https://github.com/code-423n4/2022-04-xtribe/tree/main/LIB/flywheel-v2/FlywheelCore.sol#L183

Title: Require with empty message
Severity: Low Risk

The following requires are with empty messages.
This is very important to add a message for any require. Such that the user has enough
information to know the reason of failure:

    Solidity file: FlywheelGaugeRewards.sol, In line 114 with Empty Require message.
    Solidity file: FlywheelGaugeRewards.sol, In line 195 with Empty Require message.
    Solidity file: FlywheelGaugeRewards.sol, In line 200 with Empty Require message.

Title: Solidity compiler versions mismatch
Severity: Low Risk

The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.

Title: Require with not comprehensive message
Severity: Low Risk

The following requires has a non comprehensive messages.
This is very important to add a comprehensive message for any require. Such that the user has enough
information to know the reason of failure:

    Solidity file: FlywheelCore.sol, In line 147 with Require message: strategy

Title: Named return issue
Severity: Low Risk

Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing.
Furthermore, removing either the actual return or the named return will save gas.

    FlywheelGaugeRewards.sol, getAccruedRewards

Title: Duplicates in array
Severity: Low Risk

    You allow in some arrays to have duplicates. Sometimes you assumes there are no duplicates in the array.

FlywheelCore._addStrategyForRewards pushed (strategy)
{
require(strategyState[strategy].index == 0, "strategy");

    allStrategies.push(strategy);
    emit AddStrategy(address(strategy));
}

Title: Check transfer receiver is not 0 to avoid burned money
Severity: Low Risk

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

   flywheel-v2/FlywheelCore.sol#L168
   flywheel-v2/FlywheelCore.sol#L125
   xTRIBE.sol#L134
   xTRIBE.sol#L149

Title: Assert instead require to validate user inputs
Severity: Low Risk

    From solidity docs: Properly functioning code should never reach a failing assert statement; if this happens there is a bug in your contract which you should fix.
    With assert the user pays the gas and with require it doesn't. The ETH network gas isn't cheap and users can see it as a scam.
    
    FlywheelGaugeRewards.sol : reachable assert in line 195
    FlywheelGaugeRewards.sol : reachable assert in line 234

Title: Not verified input
Severity: Low Risk

external / public functions parameters should be validated to make sure the address is not 0.
Otherwise if not given the right input it can mistakenly lead to loss of user funds.

    
    FlywheelCore.sol.accrue user
    FlywheelCore.sol.claimRewards user
    xTRIBE.sol.transferFrom to
    xTRIBE.sol.transferFrom from
    xTRIBE.sol.transfer to

Title: transfer return value of a general ERC20 is ignored
Severity: High Risk

Need to use safeTransfer instead of transfer. As there are popular tokens, such as USDT that transfer/trasnferFrom method doesn’t return anything. The transfer return value has to be checked (as there are some other tokens that returns false instead revert), that means you must

  1. Check the transfer return value
    Another popular possibility is to add a whiteList.
    Those are the appearances (solidity file, line number, actual line):

    xTRIBE.sol, 134 (transfer), return ERC20.transfer(to, amount);
xTRIBE.sol, 149 (transferFrom), return ERC20.transferFrom(from, to, amount);
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Apr 21, 2022
code423n4 added a commit that referenced this issue Apr 21, 2022
@code423n4
robee issue #6
37d9c2d
@Joeysantoro
Copy link
Collaborator

Joeysantoro commented Apr 26, 2022
edited

Disputing the high risk issue as invalid. ERC20 is using inheritance to return the result of the transfer call of xTRIBE itself, this is not an external call.

@Joeysantoro Joeysantoro added disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) invalid This doesn't seem right sponsor todo labels Apr 26, 2022
@Joeysantoro Joeysantoro mentioned this issue Apr 27, 2022
Open
@liveactionllama liveactionllama added sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue and removed invalid This doesn't seem right labels May 13, 2022
@0xean
Copy link
Collaborator

0xean commented May 20, 2022

Warden - QA reports should not contain high risk issues. Additionally, the sponsor is correct here and the ERC20 implementation in use is known.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue sponsor todo
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@0xean @Joeysantoro @code423n4 @liveactionllama