QA Report #409
Labels
bug
Something isn't working
old-submission-method
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
valid
1. 1-step ownership change (non-critical)
One step process offers no protection for the cases when ownership transfer is performed mistakenly or with any malicious intent.
Adding a modest complexity of an additional step and a delay is a low price to pay for having time to evaluate the change.
Proof of Concept
HomeFi sets a new admin immediately:
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFi.sol#L157-L168
HomeFi's admin:
HomeFiProxy calls for the proxyAdmin ownership transfer immediately:
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFiProxy.sol#L150-L157
Recommended Mitigation Steps
Consider utilizing two-step ownership transferring process (proposition and acceptance in separate actions) with a noticeable delay between the steps to enforce the transparency and stability of the system
2. Lender fee is uncapped
Consider checking for the validity of the new fee (1-1000):
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFi.sol#L185-L197
3. Comment is incomplete
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Community.sol#L164-L165
Recommended Mitigation Steps
Update the comment, for example:
// Emit event broadcasting new _hash. This way this hash needs not be stored in memory
4. Comment claims burn instead of mint
claimInterest() mints new
_wrappedToken
, not burns it:https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Community.sol#L849-L850
Recommended Mitigation Steps
Should be
mint
as the debt record is increased5. Typos in comments
To be
Revert
x2:https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L514-L520
To be
// As it needs to go though
:https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L454-L456
6. Incorrect function description
unApprove() description doesn't match the logic:
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/libraries/Tasks.sol#L153-L164
7. raiseDispute doesn't check for signatory validity
Whenever _signature isn't valid there is no revert, but zero
_signer
will be put to disputes structure:https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Disputes.sol#L84-L116
8. Project's changeOrder uses hard coded TaskAllocated constant
changeOrder() hard codes
1
asTaskAllocated
enumeration item:https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L422-L423
Recommended Mitigation Steps
Consider using the constant to improve readability and reduce operation error surface:
The text was updated successfully, but these errors were encountered: