QA Report #374
Labels
bug
Something isn't working
edited-by-warden
high quality report
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Executive Summary
The idea of Modules and Policies is brilliant!
Most of the codebase is well written and well thought out, the one exception to me was Governance which I don't believe will withstand an adversarial environment.
Minor Code smells are listed below rated via the following standard
Legend:
L - Burning
VOTES
from Governance will break accountingWhile burning
VOTES
from theGovernance
contract is questionable, the code has no check to prevent that.https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/VOTES.sol#L38-L42
Because
Governance
andVOTES.transferFrom
relies on a "use -> refund" pattern, losing even 1 wei of token will causereclaimVotes
to revert, effectively denying a user from being able to vote again.Voting can be denied by simply burning their
VOTES
hence why I set the severity to Low as this is a Ban with extra steps as thevoter_admin
can just burn the votes from the userL - Allow others to repay the debt
repayLoan
allows only the caller to repay their own debt, this can create situations in which insolvency or a smart contract bug prevent from making the TRSRY whole.A straightforward solution would be to allow anyone to repay the loan on behalf of a specific address
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/TRSRY.sol#L103-L110
By allowing other addresses a softer approach to repaying debt can be achieved.
This avoids having to manually reset the debt.
L -
_activatePolicy
is non CEI conformantThe function
_activatePolicy
will perform an external call topolicy_.configureDependencies()
and then it will change storage.https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/Kernel.sol#L298-L315
I wasn't able to find any exploit as the function is privileged
R -
get
for a state changing functiongetXyz
is typically used for retrieving values from view functions, however in the case ofTRSRY
the function is used to receive a loan.Because the codebase already uses
get
for view functions, I'd recommend renaming the function below toreceiveLoan
or justloan
to keep the coding conventionhttps://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/TRSRY.sol#L92-L93
R - Can check contract existence without assembly
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/utils/KernelUtils.sol#L31-L37
Can be changed to
target_.code.length
Lack of Address(0) Zero-Checks
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/Kernel.sol#L66-L67
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/Kernel.sol#L77-L78
NC - Lack of event for setters
Throughout the codebase, most setters emit events, however
setActiveStatus
doesn'thttps://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/Kernel.sol#L127-L128
isActive = activate_;
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/Kernel.sol#L77-L78
NC - Events not emitted in constructor
While setters emit events, the constructor doesn't, this may cause issues with tracking, e.g. theGraph as an event is for the initial setting is not emitted
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/Kernel.sol#L217-L220
NC - Gibberish action will still emit an event
You may instead want to emit only when a valid action is executed
Or add a comment to the function mentioning that
As it stands the code will emit even if the action data is not recognized
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/Kernel.sol#L259-L260
The text was updated successfully, but these errors were encountered: