Closed naddison36 closed 1 month ago
Warnings | |
---|---|
:warning: | :eyes: This PR needs at least 2 reviewers |
Generated by :no_entry_sign: dangerJS against 8afcb1df5b29289ee59adb366506706797eabe5d
Attention: Patch coverage is 30.43478%
with 48 lines
in your changes missing coverage. Please review.
Project coverage is 61.86%. Comparing base (
c96032b
) to head (8afcb1d
).
Files | Patch % | Lines |
---|---|---|
...ts/contracts/strategies/LidoWithdrawalStrategy.sol | 30.43% | 48 Missing :warning: |
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
Generated at commit: 84250d688f45901d2410281d411840680651b3a0
🚨 Report Summary
Severity Level Results Contracts Critical High Medium Low Note Total 3 3 0 18 42 66 Dependencies Critical High Medium Low Note Total 0 0 0 0 0 0
For more details view the full report in OpenZeppelin Code Inspector
Since https://github.com/OriginProtocol/origin-dollar/pull/2097 deployed 097 already and this PR seems to be update that, we need a different deployment file
@shahthepro yeah the diff on 097 deployment file is pretty terrible :) there is a clean 098 deployment file in master that is ok.
The strategy should interact with Lido Withdrawal Queue and should be able to redeem stETH.
claimWithdrawals
is callable by Strategist but not by Governor. Ideally I would expect Governor to be able to do everything that Strategist can do. However this is fine, since this is a one-off strategy and if needed the Governor can still call setStrategist()
and then this method in a single proposal.receive() payable
method that it hasselfdestruct
delegatecall
outside of proxying. If an implementation contract were to call delegatecall under attacker control, it could call selfdestruct the implementation contract, leading to calls through the proxy silently succeeding, even though they were failing.[x] No storage variable initialized at definition when contract used as a proxy implementation.
Remove this section if the code being reviewed is not a strategy.
There's no onERC721Receive
method on this contract. However, Lido contract doesn't call that method when minting. Those are called/checked only during transfers. This kinda works for us since the strategy won't receive any NFT that it didn't mint
[x] Correct usage of global & local variables. -> they might differentiate only by an underscore that can be overlooked (e.g. address vs _address).
Deployment seems to be split and moved to a different file on master, so leaving it out of this review
Everything seems about right. The contract depends on outstandingWithdrawals
for all withdrawal accounting.
Doesn't seem to be vulnerable to common attacks.
Code is simple and elegant. Doesn't seem to have any vulnerability
The strategy contract is interacting with Lido withdrawal queue to natively redeem stETH for ETH.
selfdestruct
delegatecall
outside of proxying. If an implementation contract were to call delegatecall under attacker control, it could call selfdestruct the implementation contract, leading to calls through the proxy silently succeeding, even though they were failing.depositAll
could be 0. But it is highly unlikely and I wouldn't fix itNo this is a pretty straight forward deploy.
outstandingWithdrawals
always matches the amount that is being in the Lido's withdrawal queue. And only the owner of the requests can claim them, meaning no one else aside from strategy contract can claim the items in the queue and potentially manipulate the outstandingWithdrawals
. outstandingWithdrawals
makes sure that checkBalance correctly represents the funds in the strategy. Any additional native redemptions or claims accurately update the outstandingWithdrawals
.Does this code do that? Yes
What could the impacts of code failure in this code be.
If someone would be able to influence the amount returned in checkBalance
. Or interfere with the Lido's withdrawal queue lifecycle.
What conditions could cause this code to fail if they were not true. If Lido's withdrawal queue wouldn't be permissioned. If code in our contract would read the balance of tokens instead of keeping its own accounting that is immune to unexpected transfers
Does this code successfully block all attacks. yes
Code is very clean and simple.
I mistakenly merged this PR to master
when I merged the soETH changes.
I'll create a new branch for post merge changes nicka/lido-withdraw-strategy2
.
Yeah I know. I've left some comments in the code, though those 2 comments that are actionable are really nitpicky. I don't think you need to do any changes.
Contract changes
LidoWithdrawalStrategy
contract to swap stETH or WETH using the Lido Withdrawa QueueDependencies
Security
If you made a contract change, make sure to complete the checklist below before merging it in master.
Refer to our documentation for more details about contract security best practices.
Contract change checklist: