code423n4 commented 2 years ago

Lower max fee percentage

Currently fees can be set as high as 100%, may consider a lower max fee to reduce rug risk

src/modules/TurboClerk.sol:38:        require(newDefaultFeePercentage <= 1e18, "FEE_TOO_HIGH");
src/modules/TurboClerk.sol:72:        require(newFeePercentage <= 1e18, "FEE_TOO_HIGH");
src/modules/TurboClerk.sol:90:        require(newFeePercentage <= 1e18, "FEE_TOO_HIGH");

First TurboSafe is unusable

The id of first TurboSafe is 0 (id = safes.length - 1 = 1 - 1 = 0), which is invalid.

    require(getSafeId[safe] != 0, "INVALID_SAFE");

src/TurboMaster.sol:208:        require(getSafeId[safe] != 0, "INVALID_SAFE");
src/TurboMaster.sol:258:        require(getSafeId[safe] != 0, "INVALID_SAFE");
src/TurboMaster.sol:288:        require(getSafeId[safe] != 0, "INVALID_SAFE");

effective custom fee cannot be set to 0

It is impossible to set effective custom fee to becuase it is only used if customFeePercentageForSafe != 0 https://github.com/code-423n4/2022-02-tribe-turbo/blob/66f27fe51083f49f7935e3fe594ab2380b75dee8/src/modules/TurboClerk.sol#L111

        if (customFeePercentageForSafe != 0) return customFeePercentageForSafe;

Joeysantoro commented 2 years ago

First safe slot is filled by blank safe in Master construction. Acknowledging other issues

GalloDaSballo commented 2 years ago

Agree with sponsor safe0 has a different meaning and it's not supposed to be used.

Rest is not bad.

Because of the first finding, which is duplicate of #29 am bumping this to Medium severity

code-423n4 / 2022-02-tribe-turbo-findings

QA Report #64

Lower max fee percentage

First TurboSafe is unusable

effective custom fee cannot be set to 0