Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #330

Open
code423n4 opened this issue Aug 6, 2022 · 0 comments
Open

QA Report #330

code423n4 opened this issue Aug 6, 2022 · 0 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax valid

Comments

@code423n4
Copy link
Contributor

L-01 : Change admin in 2 steps

Code:
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFi.sol#L157

`function  replaceAdmin(address _newAdmin)

external

override

onlyAdmin

nonZero(_newAdmin)

noChange(admin, _newAdmin)

{

// Replace admin

admin = _newAdmin;

  

emit  AdminReplaced(_newAdmin);

}

I recommend changing admin in 2 steps to prevent setting wrong address as admin.

Proof of Concept : Change to new address

function  replaceAdmin(address _newAdmin)

external

override

onlyAdmin

nonZero(_newAdmin)

noChange(admin, _newAdmin)

{

// Replace admin

NewAdmin = _newAdmin//@audit: NewAdmin is another state variable

  

emit  AdminReplaced(_newAdmin);

}

Claim new Address

function claimAdmin (address _admin) external

override

onlyAdmin

nonZero(_newAdmin)

noChange(admin, _newAdmin){
require(_newAdmin ==NewAdmin ); // @dev: Ensures we enter correct address we intend to make admin
admin = _newAdmin;
}

Similar action is recommended for changing Treasury in HomeFi.sol.

L-02: Admin can change fees to any arbitrary amount

Instance:
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFi.sol#L185

function  replaceLenderFee(uint256 _newLenderFee)

external

override

onlyAdmin

{

// Revert if no change in lender fee

require(lenderFee != _newLenderFee, "HomeFi::!Change");

  

// Reset variables

lenderFee = _newLenderFee;

  

emit  LenderFeeReplaced(_newLenderFee);

}

I recommend setting any limit to the fees that admin can set.
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Aug 6, 2022
code423n4 added a commit that referenced this issue Aug 6, 2022
@code423n4
supernova issue #330
5bd5f82
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@code423n4 @jack-the-pug