Open code423n4 opened 2 years ago
Re pragmas -- We internally decided to change the compiler pragmas after the audit period ends.
Fixed in previous commit.
Fixed in previous commit.
Fixed in lifinance/lifi-contracts@274a41b047b3863d9ae232eefea04896dc32d853 Duplicate of #14
Fixed in previous commit.
2022-03-Li.finance
1 Lock pragmas to specific compiler version. Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
https://github.com/code-423n4/2022-03-Li.finance/blob/main/src/LiFiDiamond.sol#L2 Other files too.
pragma solidity 0.8.7;
2 delete deprecated import statement.
https://github.com/code-423n4/2022-03-Li.finance/blob/main/src/Facets/AnyswapFacet.sol#L6 https://github.com/code-423n4/2022-03-Li.finance/blob/main/src/Facets/AnyswapFacet.sol#L9
Delete one of them.
3 missing input validations in initHop.
The length of_tokens and _bridgeConfigs must be checked and they have the same length to avoid errors.
https://github.com/code-423n4/2022-03-Li.finance/blob/main/src/Facets/HopFacet.sol#L40-L52
require(_tokens.length == _bridgeConfigs.length, “ERROR MESSAGE”);
4 use call instead of transfer.
According to consensys, .transfer() and .send() forward exactly 2,300 gas to the recipient. The goal of this hardcoded gas stipend was to prevent reentrancy vulnerabilities, but this only makes sense under the assumption that gas costs are constant. Recently EIP 1884 was included in the Istanbul hard fork. One of the changes included in EIP 1884 is an increase to the gas cost of the SLOAD operation, causing a contract's fallback function to cost more than 2300 gas. It's recommended to stop using .transfer() and .send() and instead use .call(). https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/WithdrawFacet.sol#L31
(bool success, ) = sendTo.call{value: _amount}(“”); require(success, “Transfer failed”);
5 import IERC20 from openzeppelin and delete unused import statement.
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/AnyswapFacet.sol#L7
import { LibAsset } from "../Libraries/LibAsset.sol"; import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
Delete IERC20 in the following line.
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/CBridgeFacet.sol#L4 https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/GenericSwapFacet.sol#L5 https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/HopFacet.sol#L6 https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/NXTPFacet.sol#L6 https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/WithdrawFacet.sol#L4
6 call appStorage same in different facets. In the following lines, you define the appStorage and each variable name has a different name. Of course, it is ok, but how about setting these variable same names to avoid confusion and make readability better.
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/DexManagerFacet.sol#L13 https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/Swapper.sol#L10
For example, we call these variables both
LibStorage internal s;