Zer0dot
commented
2 years ago So this is largely valid, we have included the fixes to zero address checks in constructors in https://github.com/aave/lens-protocol/pull/80.
The rest is technically valid but we're not implementing any changes for them.
C4-001 : Use
_safeMint()instead of_mint()Impact - LOW
OpenZeppelin recommends the usage of
_safeMint()instead of_mint(). If the recipient is a contract,safeMint()checks whether they can handle ERC721 tokens.Proof of Concept
If the HUB provides an address that can't handle ERC721 tokens when calling
mintthe minted token might be lost. That would also result in the user not being able to redeem the token anymore.Tools Used
Code Review
Recommended Mitigation Steps
Use
_safeMint()whenever possible.C4-002 : Critical changes should use two-step procedure
Impact - LOW
Use a two-step process (new controllership proposition in one transaction and controllership acceptance in another). This function has no validations, even a simple check for zero-address is missing, and there is no validation of the new address being correct. If the admin accidentally uses an invalid address for which they do not have the private key, then the system gets locked because the swivel cannot be corrected and none of the other functions that require admin caller can be executed. A similar issue was reported in a previous contest and was assigned a severity of medium: code-423n4/2021-06-realitycards-findings#105
for Ex : -Alice deploys a new version of the whitehack group address. When she invokes the whitehack group address setter to replace the address, she accidentally enters the wrong address. The new address now has access to the role immediately and is too late to revert
Proof of Concept
Tools Used
None
Recommended Mitigation Steps
Lack of two-step procedure for critical operations leaves them error-prone. Implement zero address check and Consider implementing a two step process where the owner nominates an account and the nominated account needs to call an acceptOwnership() function for the transfer of ownership to fully succeed. This ensures the nominated EOA account is a valid and active account.
C4-003 : Missing zero-address check in constructors and the setter functions
Impact - LOW
Missing checks for zero-addresses may lead to infunctional protocol, if the variable addresses are updated incorrectly. For instance, If HUB variable is added as a zero address minting functionality will be lost.
Proof of Concept
Tools Used
Code Review
Recommended Mitigation Steps
Consider adding zero-address checks in the discussed constructors: require(newAddr != address(0));.
C4-004 : Incompatibility With Rebasing/Deflationary/Inflationary tokens
Impact - LOW
The protocol do not appear to support rebasing/deflationary/inflationary tokens whose balance changes during transfers or over time. The necessary checks include at least verifying the amount of tokens transferred to contracts before and after the actual transfer to infer any fees/interest.
Proof of Concept
Tools Used
Manual Code Review
Recommended Mitigation Steps
C4-005 : Use of Block.timestamp
Impact - Non-Critical
Block timestamps have historically been used for a variety of applications, such as entropy for random numbers (see the Entropy Illusion for further details), locking funds for periods of time, and various state-changing conditional statements that are time-dependent. Miners have the ability to adjust timestamps slightly, which can prove to be dangerous if block timestamps are used incorrectly in smart contracts.
Proof of Concept
Tools Used
Manual Code Review
Recommended Mitigation Steps
Block timestamps should not be used for entropy or generating random numbers—i.e., they should not be the deciding factor (either directly or through some derivation) for winning a game or changing an important state.
Time-sensitive logic is sometimes required; e.g., for unlocking contracts (time-locking), completing an ICO after a few weeks, or enforcing expiry dates. It is sometimes recommended to use block.number and an average block time to estimate times; with a 10 second block time, 1 week equates to approximately, 60480 blocks. Thus, specifying a block number at which to change a contract state can be more secure, as miners are unable to easily manipulate the block number.
C4-006 : Missing Setter Function On The Client Variable
Impact - Non-Critical
Based on the context, client should be able to be updated after deployment. However, there is no function to update it.
Proof of Concept
https://github.com/code-423n4/2022-02-aave-lens/blob/aaf6c116345f3647e11a35010f28e3b90e7b4862/contracts/core/CollectNFT.sol#L51
Tools Used
Code Review
Recommended Mitigation Steps
Consider to define function for client variable.
C4-007 : # Front-runnable Initializers
Impact - Non-Critical
All contract initializers were missing access controls, allowing any user to initialize the contract. By front-running the contract deployers to initialize the contract, the incorrect parameters may be supplied, leaving the contract needing to be redeployed.
Proof of Concept
https://github.com/code-423n4/2022-02-aave-lens/blob/aaf6c116345f3647e11a35010f28e3b90e7b4862/contracts/core/CollectNFT.sol#L34
https://github.com/code-423n4/2022-02-aave-lens/blob/aaf6c116345f3647e11a35010f28e3b90e7b4862/contracts/core/FollowNFT.sol#L53
Tools Used
Code Review
Recommended Mitigation Steps
Consider to define function for client variable.
C4-008 : # Missing Re-entrancy Protection
Impact - Non-Critical
Re-entrancy is one of the largest and most significant security issue to consider when developing Smart Contracts. While the EVM cannot run multiple contracts at the same time, a contract calling a different contract pauses the calling contract's execution and memory state until the call returns, at which point execution proceeds normally. This pausing and re-starting can create a vulnerability known as "re-entrancy".
Proof of Concept
https://github.com/code-423n4/2022-02-aave-lens/blob/aaf6c116345f3647e11a35010f28e3b90e7b4862/contracts/core/modules/collect/LimitedFeeCollectModule.sol#L154
Tools Used
Code Review
Recommended Mitigation Steps
Consider Implement re-entrancy protection on the related functions.
C4-009 : # DoS With Block Gas Limit
Impact - Non-Critical
When smart contracts are deployed or functions inside them are called, the execution of these actions always requires a certain amount of gas, based of how much computation is needed to complete them. The Ethereum network specifies a block gas limit and the sum of all transactions included in a block can not exceed the threshold.
Programming patterns that are harmless in centralized applications can lead to Denial of Service conditions in smart contracts when the cost of executing a function exceeds the block gas limit. Modifying an array of unknown size, that increases in size over time, can lead to such a Denial of Service condition.
Proof of Concept
https://github.com/code-423n4/2022-02-aave-lens/blob/aaf6c116345f3647e11a35010f28e3b90e7b4862/contracts/core/LensHub.sol#L541
Tools Used
Code Review
Recommended Mitigation Steps
Caution is advised when you expect to have large arrays that grow over time. Actions that require looping across the entire data structure should be avoided.
If you absolutely must loop over an array of unknown size, then you should plan for it to potentially take multiple blocks, and therefore require multiple transactions.