Implementing audit fixes

mstable · Nov 26, 2020 · cbac3da · cbac3da
1 parent 50e7934
commit cbac3da
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 10 deletions.
diff --git a/contracts/masset/BasketManager.sol b/contracts/masset/BasketManager.sol
@@ -245,7 +245,10 @@ contract BasketManager is
             // call each integration to `checkBalance` and sum with the cache balance
             address integration = integrations[i];
             uint256 lending = IPlatformIntegration(integration).checkBalance(bAsset);
-            uint256 cache = IERC20(bAsset).balanceOf(integration);
+            uint256 cache = 0;
+            if (!b.isTransferFeeCharged) {
+                cache = IERC20(bAsset).balanceOf(integration);
+            }
             uint256 balance = lending.add(cache);
 
             uint256 oldVaultBalance = b.vaultBalance;

diff --git a/contracts/masset/Masset.sol b/contracts/masset/Masset.sol
@@ -306,7 +306,7 @@ contract Masset is
             uint256 relativeMaxCache = _maxCache.divRatioPrecisely(_bAssetRatio);
 
             console.log("_depositTokens: cacheBal: %s vs relativeMaxCache: %s", cacheBal, relativeMaxCache);
-            if(cacheBal >= relativeMaxCache){
+            if(cacheBal > relativeMaxCache){
                 uint256 delta = cacheBal.sub(relativeMaxCache.div(2));
                 IPlatformIntegration(_integrator).deposit(_bAsset, delta, false);
             }
@@ -755,8 +755,8 @@ contract Masset is
             else {
                 uint256 cacheBal = IERC20(args.bAsset).balanceOf(args.integrator);
                 // 3.1 - If balance b in cache, simply withdraw
-                if(cacheBal > amount.net) {
-                    console.log("_withdrawTokens: cacheBal > net - '%s' > '%s'", cacheBal, amount.net);
+                if(cacheBal >= amount.net) {
+                    console.log("_withdrawTokens: cacheBal >= net - '%s' > '%s'", cacheBal, amount.net);
                     IPlatformIntegration(args.integrator).withdrawRaw(args.recipient, args.bAsset, amount.net);
                 }
                 // 3.2 - Else reset the cache to X, or as far as possible
@@ -765,7 +765,7 @@ contract Masset is
                 else {
                     console.log("_withdrawTokens: cacheBal < net - '%s' < '%s'", cacheBal, amount.net);
                     uint256 relativeMidCache = args.maxCache.divRatioPrecisely(args.ratio).div(2);
-                    uint256 totalWithdrawal = StableMath.min(relativeMidCache.sub(cacheBal).add(amount.net), args.vaultBalance.sub(cacheBal));
+                    uint256 totalWithdrawal = StableMath.min(relativeMidCache.add(amount.net).sub(cacheBal), args.vaultBalance.sub(cacheBal));
 
                     console.log("_withdrawTokens: totalWithdrawal", totalWithdrawal);
                     IPlatformIntegration(args.integrator).withdraw(
@@ -955,6 +955,9 @@ contract Masset is
         returns (uint256 swapFeesGained, uint256 newSupply)
     {
         uint256 toMint = 0;
+        // Set the surplus variable to 1 to optimise for SSTORE costs.
+        // If setting to 0 here, it would save 5k per savings deposit, but cost 20k for the
+        // first surplus call (a SWAP or REDEEM).
         if(surplus > 1){
             toMint = surplus.sub(1);
             surplus = 1;

diff --git a/contracts/masset/platform-integrations/AaveIntegration.sol b/contracts/masset/platform-integrations/AaveIntegration.sol
@@ -109,7 +109,7 @@ contract AaveIntegration is InitializableAbstractIntegration {
     )
         internal
     {
-        require(_amount > 0, "Must withdraw something");
+        require(_totalAmount > 0, "Must withdraw something");
         // Get the Target token
         IAaveATokenV1 aToken = _getATokenFor(_bAsset);
 
@@ -152,6 +152,7 @@ contract AaveIntegration is InitializableAbstractIntegration {
         // Unnecessary only Masset/BM have write access
 
         require(_amount > 0, "Must withdraw something");
+        require(_receiver != address(0), "Must specify recipient");
 
         // Send redeemed bAsset to the receiver
         IERC20(_bAsset).safeTransfer(_receiver, _amount);

diff --git a/contracts/masset/platform-integrations/AaveV2Integration.sol b/contracts/masset/platform-integrations/AaveV2Integration.sol
@@ -110,7 +110,7 @@ contract AaveV2Integration is InitializableAbstractIntegration {
     )
         internal
     {
-        require(_amount > 0, "Must withdraw something");
+        require(_totalAmount > 0, "Must withdraw something");
 
         IAaveATokenV2 aToken = _getATokenFor(_bAsset);
 
@@ -145,6 +145,7 @@ contract AaveV2Integration is InitializableAbstractIntegration {
         // Unnecessary only Masset/BM have write access
 
         require(_amount > 0, "Must withdraw something");
+        require(_receiver != address(0), "Must specify recipient");
 
         // Send redeemed bAsset to the receiver
         IERC20(_bAsset).safeTransfer(_receiver, _amount);

diff --git a/contracts/masset/platform-integrations/CompoundIntegration.sol b/contracts/masset/platform-integrations/CompoundIntegration.sol
@@ -135,17 +135,17 @@ contract CompoundIntegration is InitializableAbstractIntegration {
     )
         internal
     {
-        require(_amount > 0, "Must withdraw something");
+        require(_totalAmount > 0, "Must withdraw something");
         require(_receiver != address(0), "Must specify recipient");
 
         // Get the Target token
         ICERC20 cToken = _getCTokenFor(_bAsset);
 
         // If redeeming 0 cTokens, just skip, else COMP will revert
         // Reason for skipping: to ensure that redeemMasset is always able to execute
-        uint256 cTokensToRedeem = _convertUnderlyingToCToken(cToken, _amount);
+        uint256 cTokensToRedeem = _convertUnderlyingToCToken(cToken, _totalAmount);
         if(cTokensToRedeem == 0) {
-            emit SkippedWithdrawal(_bAsset, _amount);
+            emit SkippedWithdrawal(_bAsset, _totalAmount);
             return;
         }
 
@@ -189,6 +189,7 @@ contract CompoundIntegration is InitializableAbstractIntegration {
         // Unnecessary only Masset/BM have write access
 
         require(_amount > 0, "Must withdraw something");
+        require(_receiver != address(0), "Must specify recipient");
 
         IERC20(_bAsset).safeTransfer(_receiver, _amount);
 

diff --git a/contracts/savings/SavingsManager.sol b/contracts/savings/SavingsManager.sol
@@ -180,6 +180,7 @@ contract SavingsManager is ISavingsManager, PausableModule {
      */
     function depositLiquidation(address _mAsset, uint256 _liquidated)
         external
+        whenNotPaused
         onlyLiquidator
         whenStreamsNotFrozen
     {
@@ -199,6 +200,7 @@ contract SavingsManager is ISavingsManager, PausableModule {
      */
     function collectAndStreamInterest(address _mAsset)
         external
+        whenNotPaused
         whenStreamsNotFrozen
     {
         ISavingsContract savingsContract = savingsContracts[_mAsset];