code-423n4 / 2022-02-concur-findings


QA Report #80

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Non critical

Lack of events

The method ConcurRewardPool.pushReward should emit an event in order to be detectable by the _recipient.

Non exploitable reentrancy

The method ConcurRewardPool.claimRewards allows reentrancy; it seems that it's not vulnerable, but it should be protected in order to be resilient.

Low

Contract management risks

The following contracts are Ownable and Pausable, so the owner could resign while the contract is paused, causing a Denial of Service. Owner resignation while paused should be avoided:

contracts\ConvexStakingWrapper.sol

  1. Some transfer, approve or transferFrom calls were found without checking the boolean result. The ERC20 standard specifies that the token can return false if the call was not made, so it's mandatory to check the result of these methods.

The affected locations are as follows:

  1. There is a lack of checks in the method requestWithdraw that allows creating a request for _amount=0; it should be denied in order to avoid possible errors.
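
As an added illustration (not the Concur code base and not part of the warden's submission), the following Solidity sketch shows how the five points above can be addressed in a single contract: an event on pushReward, a reentrancy guard plus checks-effects-interactions on claimRewards, SafeERC20 for the unchecked return values, a zero-amount check in requestWithdraw, and a renounceOwnership that is blocked while paused. It relies on OpenZeppelin 4.x Ownable, Pausable, ReentrancyGuard and SafeERC20, which the report does not mention; the function names mirror the report, but their parameters and the storage layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Concur's code. OpenZeppelin 4.x import paths are assumed.
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/security/Pausable.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract HardenedRewardPoolExample is Ownable, Pausable, ReentrancyGuard {
    using SafeERC20 for IERC20;

    // recipient => token => claimable amount (assumed layout)
    mapping(address => mapping(address => uint256)) public rewards;
    // account => pending withdrawal amount (assumed layout)
    mapping(address => uint256) public withdrawRequests;

    // "Lack of events": emit so the _recipient (or any indexer) can detect the credit.
    event RewardPushed(address indexed recipient, address indexed token, uint256 amount);
    event WithdrawRequested(address indexed account, uint256 amount);

    function pushReward(address _recipient, address _token, uint256 _amount) external {
        rewards[_recipient][_token] += _amount;
        emit RewardPushed(_recipient, _token, _amount);
    }

    // "Non exploitable reentrancy": nonReentrant plus checks-effects-interactions.
    // The balance is zeroed before the external call, so even without the guard a
    // token that calls back into claimRewards finds nothing left to claim.
    function claimRewards(address[] calldata _tokens) external nonReentrant {
        for (uint256 i = 0; i < _tokens.length; i++) {
            uint256 amount = rewards[msg.sender][_tokens[i]];
            if (amount == 0) continue;
            rewards[msg.sender][_tokens[i]] = 0;
            // "Lack of check": safeTransfer reverts when the token returns false
            // (or returns nothing), instead of silently treating it as success.
            IERC20(_tokens[i]).safeTransfer(msg.sender, amount);
        }
    }

    // "0 check in requestWithdraw": reject empty requests up front.
    function requestWithdraw(uint256 _amount) external {
        require(_amount > 0, "amount is zero");
        withdrawRequests[msg.sender] += _amount;
        emit WithdrawRequested(msg.sender, _amount);
    }

    // "Contract management risks": the owner cannot step down while paused, so the
    // contract can never be left frozen with nobody able to unpause it.
    function renounceOwnership() public override onlyOwner whenNotPaused {
        super.renounceOwnership();
    }

    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }
}
```

The whenNotPaused modifier on renounceOwnership is the smallest change that closes the resign-while-paused path; the same guard can be applied to transferOwnership if the new owner should be required to accept before the old one leaves.
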

GalloDaSballo commented 2 years ago

Events -> Informational

Reentrancy -> Valid (no POC so low)

Contract management risks -> Withdrawals are not paused, so technically it should be fine, but interesting finding

Lack of check -> Valid

0 check in requestWithdraw -> Personally don't think it would make any difference

GalloDaSballo commented 2 years ago

2+++