search

code-423n4 / 2022-05-aura-findings

0 stars 1 forks source link

QA Report #348

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

[N] Contract file name does not follow coding conventions

Having a consistent naming style in the project leads to fewer errors.

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/Aura.sol#L20

contract AuraToken is ERC20 {

The filename Aura.sol should be AuraToken.sol.

[N] Misleading comment

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L386-L389

// e.g. now = 16
// if contract is shutdown OR latest lock unlock time (e.g. 17) <= now - (1)
// e.g. 17 <= (16 + 1)
if (isShutdown || locks[length - 1].unlockTime <= expiryTime) {

At L387 now - (1) = 16 - 1 = 15. The comment is wrong.

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/Aura.sol#L108-L111

// e.g. (new) reduction = (500 - 100) * 2.5 + 700 = 1700;
// e.g. (new) reduction = (500 - 250) * 2.5 + 700 = 1325;
// e.g. (new) reduction = (500 - 400) * 2.5 + 700 = 950;
uint256 reduction = totalCliffs.sub(cliff).mul(5).div(2).add(700);

2.5

[L] Critical operations should emit events

Across the contracts, there are certain critical operations that change critical values that affect the users of the protocol.

It's a best practice for these setter functions to emit events to record these changes on-chain for off-chain monitors/tools/interfaces to register the updates and react if necessary.

Instances include:

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/cCrv.sol#L38-L41

function setOperator(address _operator) external {
    require(msg.sender == operator, "!auth");
    operator = _operator;
}

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L62-L65

function setFeeManager(address _feeManager) external {
    require(msg.sender == feeManager, "!auth");
    feeManager = _feeManager;
}

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L67-L70

function setDaoOperator(address _daoOperator) external {
    require(msg.sender == daoOperator, "!auth");
    daoOperator = _daoOperator;
}

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/CrvDepositor.sol#L72-L78

function setFees(uint256 _lockIncentive) external{
    require(msg.sender==feeManager, "!auth");

    if(_lockIncentive >= 0 && _lockIncentive <= 30){
        lockIncentive = _lockIncentive;
    }
}

[L] Precision loss due to div before mul

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/CrvDepositorWrapper.sol#L73

uint256 minOut = (((amount * 1e18) / bptOraclePrice) * minOutBps) / 10000;

Recommendation

Can be changed to:

uint256 minOut = (((amount * 1e18) * minOutBps) / bptOraclePrice) / 10000;