Open code423n4 opened 2 years ago
Fixing multiplication precision: https://github.com/fei-protocol/tribe-turbo/pull/62
Ack others but not fix.
Unsafe Cast issue disputed, there is no casting in that function
Really dislike the formatting as it honestly shows this report is basically from automated software
There's the usual basic findings here, would rate 4 however because of formatting, presentation and ultimately because this feels like a soulless copy paste I'll downgrade to 3/10
Title: Missing fee parameter validation Severity: Low Risk
Some fee parameters of functions are not checked for invalid values. Validate the parameters:
Title: Require with empty message Severity: Low Risk
The following requires are with empty messages. This is very important to add a message for any require. Such that the user has enough information to know the reason of failure:
Title: Not verified input Severity: Low Risk
Title: Never used parameters Severity: Low Risk
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Title: Not verified owner Severity: Low Risk
Title: Missing non reentrancy modifier Severity: Low Risk
The following functions are missing reentrancy modifier although some other pulbic/external functions does use reentrancy modifer. Even though I did not find a way to exploit it, it seems like those functions should have the nonReentrant modifier as the other functions have it as well..
Title: Require with not comprehensive message Severity: Low Risk
The following requires has a non comprehensive messages. This is very important to add a comprehensive message for any require. Such that the user has enough information to know the reason of failure:
Title: safeApprove of openZeppelin is deprecated Severity: Low Risk
Deprecated safeApprove in TurboSafe.sol line 91: fei.safeApprove(address(feiTurboCToken), type(uint256).max);
Deprecated safeApprove in TurboGibber.sol line 54: fei.safeApprove(address(feiTurboCToken), type(uint256).max);
Deprecated safeApprove in TurboSafe.sol line 88: asset.safeApprove(address(assetTurboCToken), type(uint256).max);
Deprecated safeApprove in TurboSafe.sol line 193: fei.safeApprove(address(vault), feiAmount);
Title: Mult instead div in compares Severity: Low Risk
Title: Unsafe Cast Severity: Medium Risk
use openzeppilin's safeCast in:
Title: Must approve 0 first Severity: Low/Med Risk
Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.
approve without approving 0 first TurboSafe.sol, 193, fei.safeApprove(address(vault), feiAmount);
approve without approving 0 first TurboSafe.sol, 88, asset.safeApprove(address(assetTurboCToken), type(uint256).max);
approve without approving 0 first TurboSafe.sol, 91, fei.safeApprove(address(feiTurboCToken), type(uint256).max);
approve without approving 0 first TurboGibber.sol, 54, fei.safeApprove(address(feiTurboCToken), type(uint256).max);