QA Report

[code423n4]

1. The Natspec in LibAsset for transferERC20 says, on L76

   Address to send ether to This should read something like "Address to send token to"

2. Possible to leave funds in contract The general flows indicate that funds supposed to be moved into and out of these contracts in a single tx. However, in addition to the general possibility that someone sends some ERC20 to this contract, swap allows for a poorly constructed swap to transfer in more tokens than are used in the swap.

3. Possible to trade with funds others have left in the contracts Given I can pass in any calldata to swap, I could trade with whatever tokens are in the contract at the time of me tx: it does not have to be fromAssetId and toAssetId.

4. Given all of the above, AssetSwapped event log could end up being very misleading. I could trade with more than fromAmount and thus throw off the toAmount/toAmount ratio.

[H3xept]

2. / 3. / 4. Fixed in lifinance/lifi-contracts@4d66e5ad5f9a897d9f8a66eb7a4e765e0b6ff97c