GalloDaSballo/Apollon-Review
Notes for the Apollon Solo Security Review
0 stars, 0 forks
`updateSystemSnapshots_excludeCollRemainder` lacks access control
#78
GalloDaSballo
opened
3 months ago
1
`RedemptionOperations` Redemptions should be disabled during Recovery Mode
#77
GalloDaSballo
opened
3 months ago
1
`LiquidationsOperations` Comment around `_emitLiquidationSummaryEvent` is incorrect
#76
GalloDaSballo
opened
3 months ago
1
`_exchangeRate` value validation looks incorrect
#75
GalloDaSballo
opened
3 months ago
0
`LiquidationOperations` loop should `break` on last Trove
#74
GalloDaSballo
opened
3 months ago
1
`RedemptionOperations` allows redemption against stale prices
#73
GalloDaSballo
opened
3 months ago
0
`massUpdatePools` needs to be capped due to OOG reverts
#72
GalloDaSballo
opened
3 months ago
1
`StakingOperation` will drip rewards to no-one if rewards are queued before any deposit
#71
GalloDaSballo
opened
3 months ago
0
`SwapERC20` Hardcoded DOMAIN_SEPARATOR will cause issues and replay on a chain split
#70
GalloDaSballo
opened
3 months ago
1
Riskiest Trove can be made to pay compound interest cheaply
#69
GalloDaSballo
opened
3 months ago
1
Redemptions that redeem close to 100% of the Trove Debt may revert when the hint is inaccurate
#68
GalloDaSballo
opened
3 months ago
1
Redemptions allow to have Troves that have collaterals mostly in debtTokens
#67
GalloDaSballo
closed
2 months ago
1
`LiquidationOperations.batchLiquidateTroves` redistributes bad debt and collateral after all operations, meaning it will allow skipping bad debt redistribution during liquidations
#66
GalloDaSballo
opened
3 months ago
0
Liquidation Logic will not work on all troves when the system is underwater
#65
GalloDaSballo
opened
3 months ago
1
Decay Coefficient could round down and have an effective slower decay
#64
GalloDaSballo
opened
3 months ago
1
`TroveManager` `_calcBorrowingRate` always returns `borrowingFeeFloor`
#63
GalloDaSballo
opened
3 months ago
1
Up to (1e18 - 1) loss in interest paid due to rounding down
#62
GalloDaSballo
opened
3 months ago
2
Bad Debt Redistribution can be avoided by removing collaterals
#61
GalloDaSballo
opened
3 months ago
0
Stablecoin interest being lower than jTokens seems inconsistent + Tokens with different volatilities pay the same fee
#60
GalloDaSballo
opened
3 months ago
0
`SwapOperation` First LP pays no fee and can set the price to an incorrect value, causing losses to traders, and higher fees
#59
GalloDaSballo
opened
3 months ago
0
`SwapOperations` Swap Fees may add up to more than 100%
#58
GalloDaSballo
opened
3 months ago
1
`claimUnassigned` may result in a slight difference between debt and coll percentages being claimed due to rounding errors
#57
GalloDaSballo
opened
3 months ago
1
`claimUnassignedAsset` `_percentage` can be more than 1e18
#56
GalloDaSballo
opened
3 months ago
1
`claimUnassignedAssets` is increasing debt but not checking for it in `_finaliseTrove`, opening up for self-liquidations
#55
GalloDaSballo
opened
3 months ago
1
`BorrowerOperations.increaseDebt` check for debt used as collateral is done on pre-condition and not on post-condition meaning it can be bypassed
#54
GalloDaSballo
closed
3 months ago
1
Gas: Refactor code to not pass parameters that are unused
#53
GalloDaSballo
closed
2 months ago
1
Ticking Interest Rate opens up to multi-block MEV - Directly Triggering Recovery Mode on the next block due to interest ticking
#52
GalloDaSballo
opened
3 months ago
0
`BorrowerOperations` Inconsistent IMCR logic could allow risky collaterals to have a higher CollerateralRatio during Recovery Mode
#51
GalloDaSballo
opened
3 months ago
1
WIP - `BorrowerOperations` Debt and Coll parameters are not checked for uniqueness - Mint Fee Bypass
#50
GalloDaSballo
closed
3 months ago
0
Lack of min borrow + min fee allows Spam Opening troves to trigger Recovery Mode
#49
GalloDaSballo
opened
3 months ago
0
`BorrowerOperations` alters user debt but enforces prices are not stale only for debts that are being actively altered
#48
GalloDaSballo
opened
3 months ago
0
Basic Style Guide advice
#47
GalloDaSballo
opened
3 months ago
2
`_getCurrentPythResponse` can benefit by having more validation
#46
GalloDaSballo
opened
3 months ago
0
Users could opt to never use Pyth and always rely on the fallback feed due to lack of validation on certain functions
#45
GalloDaSballo
opened
3 months ago
0
WIP - Invariants
#44
GalloDaSballo
opened
3 months ago
0
`RedeptionOperations.checkValidRedemptionHint` check should use `>=`
#43
GalloDaSballo
opened
3 months ago
1
`enableLiquidationAndRedeeming` pauses liquidations which can be problematic
#42
GalloDaSballo
opened
3 months ago
1
`CollSurplusPool.claimColl` doesn't respect `CEI` and could be drained if a reward token has hooks
#41
GalloDaSballo
closed
2 months ago
1
`SwapPair.getSwapFee` charges for crossing the middle price
#40
GalloDaSballo
opened
3 months ago
0
TODO `SwapOperation.addLiquidity` can be manipulated to force a user to take on an unintended ratio of debts via donation to reserves
#39
GalloDaSballo
closed
3 months ago
0
`StakingOperations` Token Transfer is updating the total supply before accruing rewards to users causing loss of rewards
#38
GalloDaSballo
opened
3 months ago
1
`StakingOperations.claim` doesn't update reward debt, allowing multiple claims
#37
GalloDaSballo
opened
3 months ago
1
Not using `safeTransfer` and `safeTransferFrom` can cause issues
#36
GalloDaSballo
closed
2 months ago
1
Incompatibility with tokens that charge a fee on transfer
#35
GalloDaSballo
opened
3 months ago
0
Analysis - Some thoughts, consideration and advice for next steps
#34
GalloDaSballo
opened
3 months ago
0
`SwapOperations` `swapFee` is non-deterministic and can cause people to lose funds
#33
GalloDaSballo
opened
3 months ago
2
`SwapOperations.addLiquidity` is not validating desired and min amounts
#32
GalloDaSballo
opened
3 months ago
1
`SwapOperations` computes the swap fees without accounting for how fees will alter reserves
#31
GalloDaSballo
opened
3 months ago
0
`SwapOperations` is performing some swaps without updating the price, resulting in incorrect fees being charged
#30
GalloDaSballo
opened
3 months ago
1
`ERC20.Permit` can be front-run and should be wrapped in try/catch
#29
GalloDaSballo
opened
3 months ago
1