QA Report #221
Labels:
bug: Warden finding
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Low Risk Vulnerabilities
1. settleVault and settleFractions can be called even if proposal failed
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/modules/Migration.sol#L225-L226
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/modules/Migration.sol#L263-L264
It is possible to call settleVault and settleFractions even if the proposal failed to pass the priceTarget, as long as there is another party that successfully did a buyout on the same vault. While there is no damage from calling these functions, it would lead to incorrect state and misleading event emissions.
Proof of Concept
settleVault on the failed proposal to create a new vault, and settleFractions to mint new tokens and mark the vault as migrated.
Recommended Mitigation Steps
Add a check in settleVault and settleFractions to ensure that Migrator is the proposer of the successful buyout:
2. Function selectors might clash during install
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/Vault.sol#L73-L82
When installing new plugins in Vault, there is no check to ensure that new selectors do not clash with previously installed selectors. Unaware users might inadvertently replace an installed selector and misuse the function later.
Recommended Mitigation Steps
Consider adding a toggleable check in install to prevent accidental replacement of clashing selectors:
3. Two-step ownership change
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/Vault.sol#L93-L97
It is best practice to use a two-step pattern when updating critical variables such as contract ownership. An input mistake could cause vault ownership to be lost.
Recommended Mitigation Steps
Implement a two-step pattern when transferring vault ownership:
transferOwnership to set a pending new owner.
acceptOwnership to be called by the new owner to assume ownership.
4. FERC1155 royalty sanity check
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/FERC1155.sol#L217-L225
There is no sanity check when setting royalties. It is possible for a compromised or malicious controller to front-run a trade transaction by setting royalties to an unexpectedly high value, effectively stealing funds intended for the seller.
Recommended Mitigation Steps
Add a sanity check to ensure royalties cannot be set to an unreasonable amount:
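One way to write such a check, as an added example that is not the warden's snippet or the project's FERC1155 code. The contract name, storage layout, whole-percent royalty unit and the 10% cap are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Illustrative contract (hypothetical, not the FERC1155 source).
contract RoyaltyCapExample {
    /// Assumed upper bound in whole percent; royaltyInfo below divides by 100.
    uint256 public constant MAX_ROYALTY_PERCENT = 10;

    address public immutable controller;
    mapping(uint256 => address) public royaltyAddress;
    mapping(uint256 => uint256) public royaltyPercent;

    error NotController(address caller);
    error RoyaltyTooHigh(uint256 requested, uint256 maximum);

    event SetRoyalty(address indexed receiver, uint256 indexed id, uint256 percentage);

    constructor() {
        controller = msg.sender;
    }

    function setRoyalties(uint256 id, address receiver, uint256 percentage) external {
        if (msg.sender != controller) revert NotController(msg.sender);
        // Sanity check: reject values above the cap, so a compromised or
        // malicious controller cannot redirect more than the cap of a sale.
        if (percentage > MAX_ROYALTY_PERCENT) {
            revert RoyaltyTooHigh(percentage, MAX_ROYALTY_PERCENT);
        }
        royaltyAddress[id] = receiver;
        royaltyPercent[id] = percentage;
        emit SetRoyalty(receiver, id, percentage);
    }

    /// Royalty query; with the cap enforced, royaltyAmount <= salePrice / 10.
    function royaltyInfo(uint256 id, uint256 salePrice)
        external
        view
        returns (address receiver, uint256 royaltyAmount)
    {
        receiver = royaltyAddress[id];
        royaltyAmount = (salePrice * royaltyPercent[id]) / 100;
    }
}
```

The cap bounds how much of a sale a last-moment royalty change can redirect; it does not stop the change itself from being ordered ahead of a trade.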
Non-Critical Risk Vulnerabilities
1. Use inclusive operator when checking targetPrice
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/modules/Migration.sol#L206
When committing a migration proposal, the code checks that currentPrice must be higher than proposal.targetPrice. Using an inclusive operator >= might be more intuitive here.
2. Typo
IMigration.sol#L25
propoal should be proposal.