search

code-423n4 / 2022-05-aura-findings

0 stars 1 forks source link

QA Report #45

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Loss Of Precision

This issue is about arithmetic computation that could have been done more percise. The following are places in the codebase in which you multiplied after the divisions. Doing the multiplications at start lead to more accurate calculations. This is a list of places in the code that this appears (Solidity file, line number, actual line):

Code instances:

    AuraLocker.sol, 517, uint256 upcomingEpoch = block.timestamp.add(rewardsDuration).div(rewardsDuration).mul(rewardsDuration);
    AuraLocker.sol, 400, uint256 currentEpoch = block.timestamp.sub(_checkDelay).div(rewardsDuration).mul(rewardsDuration);
    AuraLocker.sol, 598, uint256 epoch = timestamp.div(rewardsDuration).mul(rewardsDuration);
    AuraLocker.sol, 419, uint256 currentEpoch = block.timestamp.sub(_checkDelay).div(rewardsDuration).mul(rewardsDuration);
    AuraLocker.sol, 482, uint256 upcomingEpoch = block.timestamp.add(rewardsDuration).div(rewardsDuration).mul(rewardsDuration);

Does not validate the input fee parameter

Some fee parameters of functions are not checked for invalid values. Validate the parameters:

Code instances:

    Booster.setFeeInfo (_feeDistro)
    Booster.updateFeeInfo (_feeToken)
    BoosterOwner.updateFeeInfo (_feeToken)
    BoosterOwner.setFeeManager (_feeM)
    ClaimFeesHelper.constructor (_feeDistro)

safeApprove of openZeppelin is deprecated

You use safeApprove of openZeppelin although it's deprecated. (see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38) You should change it to increase/decrease Allowance as OpenZeppilin says.

Code instances:

    Deprecated safeApprove in AuraStakingProxy.sol line 147: IERC20(crv).safeApprove(crvDepositorWrapper, type(uint256).max);
    Deprecated safeApprove in AuraClaimZap.sol line 98: IERC20(crv).safeApprove(crvDepositWrapper, type(uint256).max);
    Deprecated safeApprove in AuraStakingProxy.sol line 150: IERC20(cvxCrv).safeApprove(rewards, type(uint256).max);
    Deprecated safeApprove in Booster.sol line 422: IERC20(token).safeApprove(rewardContract,_amount);
    Deprecated safeApprove in CrvDepositorWrapper.sol line 118: require(IERC20(BALANCER_POOL_TOKEN).approve(crvDeposit, type(uint256).max), "!approval");

Require with not comprehensive message

The following requires has a non comprehensive messages. This is very important to add a comprehensive message for any require. Such that the user has enough information to know the reason of failure:

Code instances:

    Solidity file: AuraStakingProxy.sol, In line 100 with Require message: !auth
    Solidity file: BalLiquidityProvider.sol, In line 89 with Require message: !auth
    Solidity file: PoolManagerV3.sol, In line 81 with Require message: !auth
    Solidity file: CrvDepositor.sol, In line 63 with Require message: !auth
    Solidity file: AuraLocker.sol, In line 260 with Require message: shutdown

Not verified input

external / public functions parameters should be validated to make sure the address is not 0. Otherwise if not given the right input it can mistakenly lead to loss of user funds.

Code instances:

    MockBalancerPoolToken.sol.mint to
    RewardFactory.sol.CreateTokenRewards _mainRewards
    cCrv.sol.mint _to
    RewardHook.sol.constructor _stash
    AuraVestedEscrow.sol.setAdmin _admin

Treasury may be address(0)

Make sure the treasury is not address(0).

Code instances:

    Booster.sol.setTreasury _treasury
    BoosterOwner.sol.setRescueTokenDistribution _treasury

Solidity compiler versions mismatch

The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.

Code instance:

Use safe math for solidity version <8

You should use safe math for solidity version <8 since there is no default over/under flow check it suchversions of solidity.

Code instances:

    The contract BaseRewardPool4626.sol doesn't use safe math and is of solidity version < 8
    The contract Interfaces.sol doesn't use safe math and is of solidity version < 8
    The contract BoosterOwner.sol doesn't use safe math and is of solidity version < 8
    The contract IProxyFactory.sol doesn't use safe math and is of solidity version < 8
    The contract IRewarder.sol doesn't use safe math and is of solidity version < 8

Not verified owner

    owner param should be validated to make sure the owner address is not address(0).
    Otherwise if not given the right input all only owner accessible functions will be unaccessible.

Code instances:

    Booster.sol.setOwner _owner
    BoosterOwner.sol.transferOwnership _owner
    PoolManagerSecondaryProxy.sol.setOwner _owner
    VoterProxy.sol.setOwner _owner
    PoolManagerProxy.sol.setOwner _owner

Named return issue

Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing. Furthermore, removing either the actual return or the named return will save gas.

Code instances:

    AuraLocker.sol, findEpochId
    AuraVestedEscrow.sol, _totalVestedOf
    AuraLocker.sol, balanceOf
    AuraLocker.sol, claimableRewards
    AuraLocker.sol, lockedBalances

Two Steps Verification before Transferring Ownership

The following contracts have a function that allows them an admin to change it to a different address. If the admin accidentally uses an invalid address for which they do not have the private key, then the system gets locked. It is important to have two steps admin change where the first is announcing a pending new admin and the new address should then claim its ownership. A similar issue was reported in a previous contest and was assigned a severity of medium: code-423n4/2021-06-realitycards-findings#105

Code instances:

    Booster.sol
    PoolManagerSecondaryProxy.sol
    CrvDepositor.sol
    AuraVestedEscrow.sol
    AuraStakingProxy.sol

Missing non reentrancy modifier

The following functions are missing reentrancy modifier although some other pulbic/external functions does use reentrancy modifer. Even though I did not find a way to exploit it, it seems like those functions should have the nonReentrant modifier as the other functions have it as well..

Code instances:

    AuraLocker.sol, setApprovals is missing a reentrancy modifier
    AuraLocker.sol, recoverERC20 is missing a reentrancy modifier
    BaseRewardPool4626.sol, constructor is missing a reentrancy modifier
    AuraLocker.sol, notifyRewardAmount is missing a reentrancy modifier

In the following public update functions no value is returned

In the following functions no value is returned, due to which by default value of return will be 0. We assumed that after the update you return the latest new value. (similar issue here: https://github.com/code-423n4/2021-10-badgerdao-findings/issues/85).

Code instances:

    ConvexMasterChef.sol, massUpdatePools
    Booster.sol, updateFeeInfo
    BoosterOwner.sol, updateFeeInfo
    Aura.sol, updateOperator
    ConvexMasterChef.sol, updatePool

Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    MockVoting.sol: function vote_user_slopes parameter gauge isn't used. (vote_user_slopes is external)
    MockFeeDistro.sol: function getTokenTimeCursor parameter token isn't used. (getTokenTimeCursor is external)
    VoterProxy.sol: function execute parameter _data isn't used. (execute is external)
    MockVoting.sol: function last_user_vote parameter gauge isn't used. (last_user_vote is external)
    MockCurveGauge.sol: function add_reward parameter _reward_token isn't used. (add_reward is external)

Check transfer receiver is not 0 to avoid burned money

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

Code instances:

    https://github.com/code-423n4/2022-05-aura/tree/main/contracts/mocks/curve/MockCurveMinter.sol#L21
    https://github.com/code-423n4/2022-05-aura/tree/main/convex-platform/contracts/contracts/ConvexMasterChef.sol#L219
    https://github.com/code-423n4/2022-05-aura/tree/main/contracts/AuraMerkleDrop.sol#L153
    https://github.com/code-423n4/2022-05-aura/tree/main/convex-platform/contracts/contracts/Booster.sol#L606
    https://github.com/code-423n4/2022-05-aura/tree/main/contracts/AuraLocker.sol#L367

In the following public update functions no value is returned

In the following functions no value is returned, due to which by default value of return will be 0. We assumed that after the update you return the latest new value. (similar issue here: https://github.com/code-423n4/2021-10-badgerdao-findings/issues/85).

Code instances:

    ConvexMasterChef.sol, massUpdatePools
    Booster.sol, updateFeeInfo
    BoosterOwner.sol, updateFeeInfo
    Aura.sol, updateOperator
    ConvexMasterChef.sol, updatePool

Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    MockVoting.sol: function vote_user_slopes parameter gauge isn't used. (vote_user_slopes is external)
    MockFeeDistro.sol: function getTokenTimeCursor parameter token isn't used. (getTokenTimeCursor is external)
    VoterProxy.sol: function execute parameter _data isn't used. (execute is external)
    MockVoting.sol: function last_user_vote parameter gauge isn't used. (last_user_vote is external)
    MockCurveGauge.sol: function add_reward parameter _reward_token isn't used. (add_reward is external)

Add a timelock

To give more trust to users: functions that set key/critical variables should be put behind a timelock.

Code instances:

    https://github.com/code-423n4/2022-05-aura/tree/main/contracts/AuraStakingProxy.sol#L146
    https://github.com/code-423n4/2022-05-aura/tree/main/convex-platform/contracts/contracts/BoosterOwner.sol#L211
    https://github.com/code-423n4/2022-05-aura/tree/main/contracts/AuraMerkleDrop.sol#L83
    https://github.com/code-423n4/2022-05-aura/tree/main/contracts/mocks/balancer/MockBalancerPoolToken.sol#L36
    https://github.com/code-423n4/2022-05-aura/tree/main/convex-platform/contracts/contracts/CrvDepositor.sol#L72
phijfry commented 2 years ago

Majority of these are duplicates.