QA Report

[code423n4]

QA Report

Low

1. Lack of Zero Address Check

Proof of Concept

StrategyPUSDConvex.sol#L303-L307.

function withdrawJPEG(address _to) external onlyController {
    // claim from convex rewards pool
    convexConfig.baseRewardPool.getReward(address(this), true);
    jpeg.safeTransfer(_to, jpeg.balanceOf(address(this)));
}

Consider adding require(_to != address(0), "INVALID: 0"); to prevent accidental loss of funds.

2. Unsafe ERC20 Operations

Not consitently using safetransfers. Some cases of transfer and transferFrom without checking return value.

Proof of Concept

JPEGStaking.sol#L34, JPEGStaking.sol#L52, NFTVault.sol#L560, NFTVault.sol#L899.

Use safeTransfer and safeTransferFrom from OpenZeppelin's library.

3. Do not use Deprecated Library Functions

_setupRole function is deprecated in favor of _grantRole. https://docs.openzeppelin.com/contracts/4.x/api/access

Proof of Concept

JPEG.sol#L17, StableCoin.sol#L26, FungibleAssetVaultForDAO.sol#L75, NFTVault.sol#L153, Controller.sol#L26, StrategyPUSDConvex.sol#L152.

Non-Critical

1. Typo

NFTVault.sol#L129

/// @param _nftContract The NFT contrat address. It could also be the address of an helper contract

Change contrat to contract.