Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #456

Open
code423n4 opened this issue Oct 30, 2022 · 1 comment
Open

QA Report #456

code423n4 opened this issue Oct 30, 2022 · 1 comment
Labels
bug Something isn't working edited-by-warden grade-b Submission merits a B grade Q-31 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

code423n4 commented Oct 30, 2022
edited

Low Severity

Should use two-step transfer process for BorrowController.operator

Accidently transferring operator rights to an unowned address, will freeze the allowList in its then current state. Use a two step process as in DBR.

Incorrect combination of Market.escrowImplementation and Market.callOnDepositCallback can cause deposits to revert

If callOnDepositCallback is set to true, then escrow.onDeposit() will be called, but only INVEscrow implements this function and if the implementation points to any other escrow, then deposit will revert.

Market governance transfer should be two-step as only it can unpause borrows

Division before multiplication in Market.getWithdrawalLimitInternal

https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L360

Non-Critical

Missing events for state changes in BorrowController.allow and BorrowController.deny

DBR.addMinter and DBR.removeMinter can emit incorrect event in some cases

addMinter can emit AddMinter event even if the address is already a minter. Same for removeMinter, which emits RemoveMinter for an address, even if it wasn't a minter before.

DBR.transferFrom doesn't return useful error for insufficient allowance

In case, allowance is less than the amount to transfer, DBR.transferFrom reverts due to underflow error. An end-user can not determine the reason without requiring substantial effort.
https://github.com/code-423n4/2022-10-inverse/blob/main/src/DBR.sol#L194

Market.dola can be marked as constant since it is not assigned to in the constructor
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Oct 30, 2022
code423n4 added a commit that referenced this issue Oct 30, 2022
@code423n4
enckrish issue #456
c25d4f1
code423n4 added a commit that referenced this issue Oct 30, 2022
@code423n4
enckrish data for issue #456
b1e1727
code423n4 added a commit that referenced this issue Oct 30, 2022
@code423n4
Report for issue #456 updated by enckrish
86ac4a5
@c4-judge c4-judge mentioned this issue Nov 5, 2022
Closed
@c4-judge
Copy link
Contributor

c4-judge commented Nov 7, 2022

0xean marked the issue as grade-b

@c4-judge c4-judge added the grade-b Submission merits a B grade label Nov 7, 2022
@C4-Staff C4-Staff added the Q-31 label Dec 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working edited-by-warden grade-b Submission merits a B grade Q-31 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@code423n4 @c4-judge @C4-Staff