QA Report - Githubissues

code-423n4 / 2022-05-backd-findings

0 stars 0 forks source link

QA Report #123

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

1. Emitted event reports wrong value

In the function stakeFor() the event should report staked instead of amount

    function stakeFor(address account, uint256 amount) public virtual override returns (bool) {
        ........
        uint256 staked = newBal - oldBal;
        balances[account] += staked;
        totalStaked += staked;
        emit AmmStaked(account, ammToken, amount);
        // recommendation
        // emit AmmStaked(account, ammToken, staked);
    }

AmmGauge.sol#L66
Same for function unstakeFor() AmmGauge.sol#L136

2. Use Two-Step Transfer Pattern for Access Controls

It is possible that the role accidentally transfers ownership to the wrong address, resulting in a loss of the role.
For example : setMinter()

Recommendation:

address minter;
address temporaryMinter;

function setMinter(address owner_) external onlyGovernance {
  temporaryMinter = owner_;
}

function claimOwnership() external {
  require(msg.sender == temporaryMinter);
  minter = temporaryMinter;
  temporaryOwner = address(0);
}

GalloDaSballo commented 2 years ago

In the function stakeFor() the event should report staked instead of amount

Agree for AmmGauge.sol#L136 Great find!

2. Use Two-Step Transfer Pattern for Access Controls

Disagree personally but valid suggestion

Good format, I wish the warden had more findings