QA Report #456
Labels
bug
Something isn't working
edited-by-warden
grade-b
Submission merits a B grade
Q-31
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Low Severity
Should use two-step transfer process for
BorrowController.operator
Accidently transferring operator rights to an unowned address, will freeze the
allowList
in its then current state. Use a two step process as inDBR
.Incorrect combination of
Market.escrowImplementation
andMarket.callOnDepositCallback
can cause deposits to revertIf
callOnDepositCallback
is set to true, thenescrow.onDeposit()
will be called, but onlyINVEscrow
implements this function and if the implementation points to any other escrow, thendeposit
will revert.Market governance transfer should be two-step as only it can unpause borrows
Division before multiplication in
Market.getWithdrawalLimitInternal
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L360
Non-Critical
Missing events for state changes in
BorrowController.allow
andBorrowController.deny
DBR.addMinter
andDBR.removeMinter
can emit incorrect event in some casesaddMinter
can emitAddMinter
event even if the address is already a minter. Same forremoveMinter
, which emitsRemoveMinter
for an address, even if it wasn't a minter before.DBR.transferFrom
doesn't return useful error for insufficient allowanceIn case, allowance is less than the amount to transfer,
DBR.transferFrom
reverts due to underflow error. An end-user can not determine the reason without requiring substantial effort.https://github.com/code-423n4/2022-10-inverse/blob/main/src/DBR.sol#L194
Market.dola
can be marked asconstant
since it is not assigned to in the constructorThe text was updated successfully, but these errors were encountered: