QA Report #628
Labels
bug
Warden finding
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
QA Report
Table of Contents
Low
transfer
should be avoidedreceive()
functionsNon-critical
summary
Low issues
hash collision with abi.encodePacked
IMPACT
strings and bytes are encoded with padding when using
abi.encodePacked
. This can lead to hash collision when passing the result tokeccak256
SEVERITY
Low
PROOF OF CONCEPT
Instances include:
src/FERC1155.sol
TOOLS USED
Manual Analysis
MITIGATION
Use
abi.encode()
instead.Native
transfer
should be avoidedIMPACT
In
Migration
, the.transfer()
method is used to transfer ETH.The
transfer()
call requires that the recipient has a payable callback, only provides 2300 gas for its operation. This means the following cases can cause the transfer to fail:SEVERITY
Low
PROOF OF CONCEPT
Instances include:
src/modules/Migration.sol
TOOLS USED
Manual Analysis
MITIGATION
Use
.call()
to send ETH instead.Return value of ERC20.transferFrom unchecked
IMPACT
Some ERC20 implementations do not revert upon a fail
transfer/transferFrom
call, but returnfalse
instead. Not checking the return values of these calls can hence lead to silent failures of tokens transfers.SEVERITY
Low
PROOF OF CONCEPT
Instances include:
src/modules/protoforms/BaseVault.sol
65: IERC20(_tokens[i]).transferFrom(_from, _to, _amounts[i]);
TOOLS USED
Manual Analysis
MITIGATION
Check the return value of these calls to ensure they are not
0
Setters and constructors should check the input value
PROBLEM
Setters and constructors should check the input value for addresses - ie revert if
address(0)
is assigned toaddress
variables.SEVERITY
Low
PROOF OF CONCEPT
Instances include:
src/modules/protoforms/BaseVault.sol
src/modules/Buyout.sol
src/modules/Migration.sol
src/modules/Minter.sol
src/references/SupplyReference.sol
src/targets/Supply.sol
TOOLS USED
Manual Analysis
MITIGATION
Add non-zero checks
Unused
receive()
functionsIMPACT
Vault
andBuyout
have an emptyreceive()
function, but do not have any withdrawal function. Any ETH mistakenly sent to these contracts with emptymsg.data
would be locked.SEVERITY
Low
PROOF OF CONCEPT
2 instances include:
src/Vault.sol
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/Vault.sol#L32
32: receive() external payable {}
src/modules/Buyout.sol#L53
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/modules/Buyout.sol#L53
53: receive() external payable {}
TOOLS USED
Manual Analysis
MITIGATION
Removes these functions or implement the appropriate logic in these empty blocks
Non-critical issues
Constants instead of magic numbers
PROBLEM
It is best practice to use constant variables rather than literal values (100, 1000, etc) to make the code easier to understand and maintain.
SEVERITY
Non-Critical
PROOF OF CONCEPT
7 instances include:
src/FERC1155.sol
src/modules/Buyout.sol
src/modules/Migration.sol
TOOLS USED
Manual Analysis
MITIGATION
Define constant variables for the literal values aforementioned.
Events indexing
PROBLEM
Events should use the maximum amount of indexed fields: up to three parameters. This makes it easier to filter for specific values in front-ends.
SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
src/interfaces/IBuyout.sol
src/interfaces/IFERC1155.sol
src/interfaces/IVault.sol
src/interfaces/IVaultRegistry.sol
TOOLS USED
Manual Analysis
MITIGATION
Add indexed fields to these events so that they have the maximum number of indexed fields possible.
Event should be emitted in setters
PROBLEM
Setters should emit an event so that Dapps can detect important changes to storage
SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
src/FERC1155.sol
src/Vault.sol
TOOLS USED
Manual Analysis
MITIGATION
Emit an event in all setters.
Public functions can be external
PROBLEM
It is good practice to mark functions as
external
instead ofpublic
if they are not called by the contract where they are defined.SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
src/utils/MerkleBase.sol
TOOLS USED
Manual Analysis
MITIGATION
Declare these functions as
external
instead ofpublic
Redundant cast
PROBLEM
In
Migration.commit()
,buyout
is cast to typeaddress
, which is redundant as it is already of typeaddress
.src/modules/Migration.sol
SEVERITY
Non-Critical
TOOLS USED
Manual Analysis
MITIGATION
Scientific notation
PROBLEM
For readability, it is best to use scientific notation (e.g
10e5
) rather than decimal literals(100000
) or exponentiation(10**5
)SEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
src/modules/Buyout.sol
TOOLS USED
Manual Analysis
MITIGATION
Replace
1000
with10e3
Signature malleability
PROBLEM
permit
andpermitAll
inFERC1155
use Solidity'secrecover
to verify signatures. The EVM opcode associated with this function allows for malleable signatures and thus is susceptible to replay attacks. There is no direct threat to the protocol - these functions only approve operators - but it is still a good practice to avoid signature malleability.SEVERITY
Non-Critical
PROOF OF CONCEPT
2 instances:
src/FERC1155.sol
126: address signer = ecrecover(digest, _v, _r, _s);
171: address signer = ecrecover(digest, _v, _r, _s);
TOOLS USED
Manual Analysis
MITIGATION
Use OpenZeppelin's
ECDSA
's libraryTODOS
PROBLEM
There is an open TODO in
MerkleBase.sol
. It is merely a gas optimisation issue, but it should still be resolved before contract deploymentsSEVERITY
Non-Critical
PROOF OF CONCEPT
Instances include:
src/utils/MerkleBase.sol
TOOLS USED
Manual Analysis
MITIGATION
Remove the TODO comment
Visibility should be explicit
PROBLEM
Visibility of variables should be explicitly set.
SEVERITY
Non-Critical
PROOF OF CONCEPT
2 instances:
src/references/SupplyReference.sol
12: address immutable registry;
src/targets/Supply.sol
13: address immutable registry;
TOOLS USED
Manual Analysis
The text was updated successfully, but these errors were encountered: