Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #232

Open
code423n4 opened this issue Jun 19, 2022 · 3 comments
Open

QA Report #232

code423n4 opened this issue Jun 19, 2022 · 3 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Connext Amarok QA report

Low

Missing initializer in TokenRegistry

  function setLocalDomain(uint32 domain) public {
    _local = domain;
  }

The setLocalDomain in TokenRegistry is public with no modifier initializer. Related information is used later to decide whether _deployToken or not in ensureLocalToken as well as in the library AssetLogic, but due to the limited time, could not figure out ways to exploit this.

Non-critical

Two ProposedOwnableUpgradeables

  • ProposedOwnable.sol:176
  • ProposedOwnableUpgradeable.sol:26
    There are two ProposedOwnableUpgradeable contracts. One is in the helpers directory and the other is in the shared/ProposedOwnable.sol which is inheriting ProposedOwnable. The ProposedOwnableUpgradeable from helpers is seemingly not used within this repo.

setContractOwner function zero address check in LibDiamond

  • LibDiamond.sol:54-59
    The setContractOwner does not have zero address check and should not have zero address check as it will be used in the ProposedOwnableFacet to renounceOwnership. So, setContractOwner doubles as set and renounce the ownership. It may be safer to separate those usages. For example, this setContractOwner was used in the test implementation of Connext without zero address check. If it is the intended usage of this library for the future, it may be safeguarded in the library level.

Misleading comment in ProposedOwnableFacet and others

  /**
   * @notice Transfers ownership of the contract to a new account (`newOwner`).
   * Can only be called by the current owner.
   */
  function acceptProposedOwner() public onlyProposed {

The acceptProposedOwner can only be called by the proposed owner, yet the comment says it can only be called by the current owner.
Also ProposedOwnableFacet ProposedOwnableUpgradeable has a Natspec, with the title ProposedOwnable.

Out of Scope

TODO in the UpgradeBeaconController

// TODO: upgrade to `ProposedOwnable`
contract UpgradeBeaconController is Ownable {

TODO comment mentions to upgrade to ProposedOwnable, however, unlike the openzeppelin's contract, the ProposedOwnable in this repos does not implement a constructor, presumably because it was going to be used as an implementation of a proxy. But the UpgradeBeaaconController to function as a controller, it needs owner. If a new contract named ProposedOwnable was going to be written, it may be confusing because it will only be distinguished by the import path.
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Jun 19, 2022
code423n4 added a commit that referenced this issue Jun 19, 2022
@code423n4
zzzitron issue #232
fc40bf0
@ecmendenhall
Copy link

The Low finding here ("Missing initializer in TokenRegistry") is a duplicate of #54.

@jakekidd
Copy link
Collaborator

jakekidd commented Jul 2, 2022

TokenRegistry out of scope

@0xleastwood
Copy link
Collaborator

First part is incorrect: See #72.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ecmendenhall @jakekidd @0xleastwood @code423n4