Open code423n4 opened 2 years ago
Thank you very much for submitting the issues!
Using address(0) does not make sense
In terms of this issue, because minter mints tokens from thin air and we think this kind of event is quite standard. We are not going to make a cahnge.
Naming inconsistency at variables
This is very helpful and we will fix the variable name e.g. totalSupply
and some other arguments naming, e.g. _to
-> to
After a while we found out totalSupply_
was set because it has a totalSupply()
function, so we are not going to fix this.
Inconsistency of messages in require function
This is valid too.
Remove functionDelegateCall function from Address library
About this one we are not sure yet. Need to check. duplicate of #35
Use FiatToken: for the consistency
This issue is the same as #26 and it is fixed.
Final change can be viewed here.
Title
Using address(0) does not make sense
Vulnerability details
Impact
Using address(0) does not make sense for the event. It should use a more explicit address such as msg.sender. Developers cannot figure out where Transfer event is emitted from if it uses address(0).
Proof of Concept
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L148
Tools Used
Static code analysis
Recommended Mitigation steps
Use either msg.sender or address(this) depending on the specification of the contract.
Title
Inconsistent usage of whenNotPaused modifier
Vulnerability details
Impact
configureMinter function has whenNotPaused modifier while removeMinter function does not have whenNotPaused.
Inconsistent usage of whenNotPaused would cause unexpected behavior.
Proof of Concept
removeMinter function does not use whenNotPaused modifier https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L344-L348
Tools Used
Static code analysis
Recommended Mitigation steps
Add whenNotPaused modifier at removeMinter function to be consistent with other functions.
Title
Inconsistency of messages in require function
Vulnerability details
Impact
The require check has the prefix of FiatToken: or ERC20: at FiatTokenV1.sol. If require check is done under FiatTokenV1.sol, it should use one of them.
Proof of Concept
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L245-L246
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L273
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L309-L313
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L447
Tools Used
Static code analysis
Recommended Mitigation steps
Use FiatToken: for the consistency
Title
Naming inconsistency at variables
Vulnerability details
Impact
FiatTokenV1.sol does not have naming consistency on variables. It may confuse developers without standardized naming styles.
Proof of Concept
Function arguments
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L127
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L361
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L377
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v2/FiatTokenV2.sol#L623-L666
State variables
Only
totalSupply_
contains_
. Other state variables do not contain_
. https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L58Event
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v2/FiatTokenV2.sol#L70-L71
Tools Used
Static code analysis
Recommended Mitigation steps
Set the standards for variables naming styles. It seems that other function arguments do not have
_
in their prefixes, so removing_
looks consistent.https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L127
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L361
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L377
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v2/FiatTokenV2.sol#L623-L666
Of course, change remove
_
from their prefixes inside these functions as well.As for state variables, other state variables do not use
_
in their suffixes, so removing_
seems legit. https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L58Arguments used in the Event can follow the other patterns as well. https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v2/FiatTokenV2.sol#L70-L71
Title
Is minters variable needed?
Vulnerability details
Impact
It looks like the role of
minters
andminterAllowed
looks similar, and it may be able to combine them into one. Using extra state variables will increase gas usage.Proof of Concept
State variable definitions
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L59-L60
Relevant functions
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L333-L334
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L344-L353
When removing minter role from account, it sets 0 at
minterAllowed
variable.minterAllowed[minter] = 0
So technicallyminters
variable seems not needed, and withoutminters
it can maintain the same logic. By removingminters
variable, it can save followings:minters
state variableminters
variables inconfigureMinter
functionminters
variable inremoveMinter
functionTools Used
manual check
Recommended Mitigation steps
minters
state variablesminterAllowed
state variables whereminters
was previously used Specifically following codes need to be changed: https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L116 https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L176Title
The original file should follow the recommended order of functions
Vulnerability details
Impact
Solidity defines the style guide for the order of functions. https://docs.soliditylang.org/en/v0.8.12/style-guide.html?highlight=coding%20style#order-of-functions
it is not efficient to reorder codes of libraries such as OpenZeppelin, but at least FiatTokenV1.sol can follow the style guide.
Following the style guide of solidity increases the readability.
Proof of Concept
https://docs.soliditylang.org/en/v0.8.12/style-guide.html?highlight=coding%20style#order-of-functions
Tools Used
Static code analysis
Recommended Mitigation steps
Follow the style guide of solidity
Title
Remove functionDelegateCall function from Address library
Vulnerability details
As for the usage of delegatecall at the logic contract, OpenZeppalin manual explains as follows.
Because of this reason, OpenZeppelin's upgradeable version (AddressUpgradeable.sol) does not include
functionDelegateCall
function.Impact
Proof of Concept
Address.sol#L169-L188 contains functionDelegateCall function which should not be included at the logic contract.
Tools Used
Static analysis
Recommended Mitigation steps
Either remove functionDelegateCall function from Address.sol or use AddressUpgradeable.sol instead of Address.sol.