Phuture Finance QA Report
Summary
A QA sweep of Phuture's contracts shows that floating pragma statements are present in all of the protocol's contracts. While this issue opens up the possibility for version-specific vulnerabilities, this report marks it as low severity under the assumption that the team will eventually lock the compiler version before mainnet launch.
Another common occurrence in Phuture's contracts is the lack of address(0) checks for certain functions, which could lead to unintended consequences. For instance, if a new asset is added to the ChainlinkPriceOracle contract and initialised with an aggregator set to address(0), no data will be fetched.
Lastly, this report recommends enforcing restrictions on the vToken transfer functions to ensure that users are not able to make empty transactions. Additionally, a theoretical loss of users' funds could arise from not restricting transfers to address(0).
Findings
L.1 - SWC-103: Floating Pragma [LOW SEVERITY]
Location:
BaseIndex: Line 3
ChainlinkPriceOracle: Line 3
IndexLayout: Line 3
IndexLogic: Line 3
ManagedIndex: Line 3
ManagedIndexReweightingLogic: Line 3
PhutureIndex: Line 3
PhuturePriceOracle: Line 3
TopNMarketCapIndex: Line 3
TopNMarketCapReweightingLogic: Line 3
TrackedIndex: Line 3
TrackedIndexReweightingLogic: Line 3
UniswapV2PathPriceOracle: Line 3
UniswapV2PriceOracle: Line 3
Description:
It is recommended to lock the pragma statement prior to deployment, as deploying with a floating pragma may lead to a wider window for version-specific vulnerabilities in the future.
L.2 - No zero address checks [LOW SEVERITY]
Location:
BaseIndex: Line 43
There are no checks in place to prevent minting to the zero address.
ChainlinkPriceOracle: Line 60
The addAsset function allows the zero address to be passed in as the _assetAggregator address. Although this is a role-restricted function, there is a check in place to ensure _asset is not set to address zero, so it may be sensible to have a similar restriction for the aggregator.
IndexLogic: Line 31
There are no checks in place to prevent minting to the zero address.
L.3 - Unprotected transfers [LOW SEVERITY]
Location:
vToken: Lines 70, 76
Neither the transfer nor the transferAsset function of vToken has checks in place to prevent empty transfers or transfers to the zero address.
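As an added illustration (not code from the Phuture repository), the three findings above applied to simplified stand-ins: a locked pragma, zero-address checks on addAsset and on minting, and guarded vToken transfers. The contract name, storage layout and function signatures are assumptions, and the role restriction on addAsset is omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
// L.1: a locked pragma (no caret) pins the compiler; version 0.8.13 is assumed
pragma solidity 0.8.13;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical, simplified stand-ins for the flagged functions; the real
/// Phuture contracts have different storage, roles and signatures.
contract HardenedExamples {
    mapping(address => address) public aggregatorOf; // asset => Chainlink feed
    mapping(address => uint256) public balanceOf;    // vToken share balances
    uint256 public totalSupply;

    // L.2 (ChainlinkPriceOracle.addAsset): the aggregator gets the same
    // zero-address check the asset already has, so a feed that would
    // silently return no data can never be registered.
    // (The real function is role-restricted; that modifier is omitted here.)
    function addAsset(address _asset, address _assetAggregator) external {
        require(_asset != address(0), "addAsset: zero asset");
        require(_assetAggregator != address(0), "addAsset: zero aggregator");
        aggregatorOf[_asset] = _assetAggregator;
    }

    // L.2 (BaseIndex / IndexLogic minting): shares minted to address(0) are
    // unrecoverable and inflate totalSupply.
    function _mint(address _to, uint256 _amount) internal {
        require(_to != address(0), "mint: zero recipient");
        totalSupply += _amount;
        balanceOf[_to] += _amount;
    }

    // L.3 (vToken.transfer): reject empty transfers and the zero recipient.
    function transfer(address _recipient, uint256 _amount) external returns (bool) {
        require(_recipient != address(0), "transfer: zero recipient");
        require(_amount > 0, "transfer: zero amount");
        balanceOf[msg.sender] -= _amount; // 0.8 checked math reverts on underflow
        balanceOf[_recipient] += _amount;
        return true;
    }

    // L.3 (vToken.transferAsset): same guards before moving the underlying asset.
    function transferAsset(IERC20 _asset, address _recipient, uint256 _amount) external {
        require(_recipient != address(0), "transferAsset: zero recipient");
        require(_amount > 0, "transferAsset: zero amount");
        require(_asset.transfer(_recipient, _amount), "transferAsset: failed");
    }
}
```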