Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #214

Open
code423n4 opened this issue Aug 15, 2022 · 0 comments
Open

QA Report #214

code423n4 opened this issue Aug 15, 2022 · 0 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

1. Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom

It is good to add a require() statement that checks the return value of token transfers or to use something like OpenZeppelin’s safeTransfer/safeTransferFrom unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract.

Instances:

contracts/VotingEscrow.sol:426:            token.transferFrom(msg.sender, address(this), _value),
contracts/VotingEscrow.sol:486:            token.transferFrom(msg.sender, address(this), _value),
contracts/VotingEscrow.sol:546:        require(token.transfer(msg.sender, value), "Transfer failed");
contracts/VotingEscrow.sol:657:        require(token.transfer(msg.sender, remainingAmount), "Transfer failed");
contracts/VotingEscrow.sol:676:        require(token.transfer(penaltyRecipient, amount), "Transfer failed");

Reference:

This similar medium-severity finding from Consensys Diligence Audit of Fei Protocol.

Recommended Mitigation Steps:

Consider using safeTransfer/safeTransferFrom or require() consistently.

2. USE OF FLOATING PRAGMA

Recommend using fixed solidity version

Instances

All contracts in scope contains floating pragma:
https://github.com/code-423n4/2022-08-fiatdao#files-in-scope

contracts/VotingEscrow.sol:2:pragma solidity ^0.8.3;
contracts/interfaces/IERC20.sol:2:pragma solidity ^0.8.3;
contracts/interfaces/IVotingEscrow.sol:2:pragma solidity ^0.8.3;
contracts/interfaces/IBlocklist.sol:2:pragma solidity ^0.8.3;
contracts/features/Blocklist.sol:2:pragma solidity ^0.8.3;
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Aug 15, 2022
code423n4 added a commit that referenced this issue Aug 15, 2022
@code423n4
Sm4rty issue #214
3c81ac7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@code423n4