code-423n4 / 2022-05-backd-findings


QA Report #171

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Low

IERC20.approve might revert for some token

Some tokens return void in `approve` and will revert if the IERC20 interface is used. Consider using OZ's safeApprove.
https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/VestedEscrow.sol#L25-L26

        IERC20(rewardToken_).approve(msg.sender, type(uint256).max);

Hardcoded WETH address

The WETH address might change if deployed on an L2.
https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/FeeBurner.sol#L25-L26

    address private constant _WETH = address(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2); // WETH

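The `approve` finding above, as an added example that is not part of the original report or the Backd code base: a constructed token whose `approve` returns nothing, the reverting pattern from the finding, and the `SafeERC20` form beside it. It assumes OpenZeppelin Contracts 4.x, where `safeApprove` still exists (5.x replaced it with `forceApprove`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed test token: approve() has no return value, like several
// widely used mainnet tokens. IERC20.approve is declared to return bool,
// so a call through IERC20 expects 32 bytes of return data; the empty
// return fails ABI decoding and reverts the whole call.
contract VoidApproveToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }
}

// "Before": mirrors the pattern from the finding. With VoidApproveToken
// as rewardToken_ the constructor reverts, so deployment itself fails.
contract EscrowUnsafe {
    constructor(address rewardToken_) {
        IERC20(rewardToken_).approve(msg.sender, type(uint256).max);
    }
}

// "After": SafeERC20.safeApprove uses a low-level call and only requires
// that any return data present decodes to true, so it works for both
// void-returning and bool-returning tokens. It also requires the current
// allowance to be zero, which holds in a constructor.
contract EscrowSafe {
    using SafeERC20 for IERC20;

    constructor(address rewardToken_) {
        IERC20(rewardToken_).safeApprove(msg.sender, type(uint256).max);
    }
}
```

Deploying `EscrowUnsafe` with a `VoidApproveToken` address reverts, while `EscrowSafe` deploys and leaves `allowance(escrow, deployer)` set to `type(uint256).max`.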
GalloDaSballo commented 2 years ago

IERC20.approve might revert for some token

Finding is valid, although the constructor would fail; would re-contextualize as "you forgot to use safeApprove here".

Hardcoded WETH address

Finding has merit as non-critical, as a hardcoded address is always cheap for gas.