QA Report #6
Labels
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
sponsor todo
Title: Add a timelock
Severity: Low Risk
To give more trust to users: functions that set key/critical variables should be put behind a timelock.
Title: Require with empty message
Severity: Low Risk
The following requires are with empty messages.
This is very important to add a message for any require. Such that the user has enough
information to know the reason of failure:
Title: Solidity compiler versions mismatch
Severity: Low Risk
The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.
Title: Require with not comprehensive message
Severity: Low Risk
The following requires has a non comprehensive messages.
This is very important to add a comprehensive message for any require. Such that the user has enough
information to know the reason of failure:
Title: Named return issue
Severity: Low Risk
Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing.
Furthermore, removing either the actual return or the named return will save gas.
Title: Duplicates in array
Severity: Low Risk
FlywheelCore._addStrategyForRewards pushed (strategy)
{
require(strategyState[strategy].index == 0, "strategy");
Title: Check transfer receiver is not 0 to avoid burned money
Severity: Low Risk
Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.
Title: Assert instead require to validate user inputs
Severity: Low Risk
Title: Not verified input
Severity: Low Risk
Title: transfer return value of a general ERC20 is ignored
Severity: High Risk
Need to use safeTransfer instead of transfer. As there are popular tokens, such as USDT that transfer/trasnferFrom method doesn’t return anything. The transfer return value has to be checked (as there are some other tokens that returns false instead revert), that means you must
Check the transfer return value
Another popular possibility is to add a whiteList.
Those are the appearances (solidity file, line number, actual line):
The text was updated successfully, but these errors were encountered: