code-423n4 / 2022-05-bunker-findings


QA Report #82

Open code423n4 opened 2 years ago


Summary

We list two low-severity findings:

(Low) Deploy CNft as an upgradable contract by proxy

Impact

CNftTest.ts deploys CNft directly, without a proxy contract. Either deploy CNft behind a proxy so that it is actually upgradeable, or drop @openzeppelin/contracts-upgradeable, which is not needed without one.

Proof of Concept

CNft.sol uses ReentrancyGuardUpgradeable and OwnableUpgradeable: https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/CNft.sol#L16

Tools Used

vim

Recommended Mitigation Steps

Deploy behind a proxy: https://docs.openzeppelin.com/upgrades-plugins/1.x/hardhat-upgrades. Otherwise there is no need for the upgradeable variants ReentrancyGuardUpgradeable and OwnableUpgradeable; use ReentrancyGuard and Ownable instead.

(Low) Floating pragma

Impact

A floating pragma allows the contracts to be compiled with a compiler version other than the one they were tested with, which may cause unexpected compile-time behaviour and introduce unintended bugs.

Proof of Concept

Oracles/CNftPriceOracle.sol, line 2: pragma solidity ^0.8.0;

Oracles/UniswapV2PriceOracle.sol, line 2: pragma solidity ^0.8.0;

CNft.sol, line 2: pragma solidity ^0.8.0;

Tools Used

vim

Recommended Mitigation Steps

Don't use ^; lock the pragma to a single compiler version, e.g. pragma solidity 0.8.0;
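A small check that flags floating pragmas the way this finding lists them, so the fix can be verified across a repository. This is an added example, not code from bunker-protocol or from the warden; the sample sources are constructed, with the three file names from the report plus two extra files to show a range constraint and a locked pragma.

```typescript
// Added example: lint Solidity sources for floating pragma constraints.
// Not part of bunker-protocol; SAMPLE_SOURCES below are constructed.

interface PragmaFinding {
  file: string;
  line: number;   // 1-based line number within the file
  spec: string;   // the version constraint as written, e.g. "^0.8.0"
}

const PRAGMA_RE = /^\s*pragma\s+solidity\s+([^;]+);/;

// A locked pragma names exactly one compiler version (optionally with a
// leading "="), e.g. "0.8.0". Any range operator (^, ~, >=, <, ||) is floating.
function isLockedPragma(spec: string): boolean {
  return /^=?\d+\.\d+\.\d+$/.test(spec.trim());
}

// Scan each source line by line, ignoring "//" comments, and report every
// floating pragma with its file and line in the same "file, line N" form
// used in the proof of concept above.
function findFloatingPragmas(sources: Record<string, string>): PragmaFinding[] {
  const findings: PragmaFinding[] = [];
  for (const [file, text] of Object.entries(sources)) {
    text.split(/\r?\n/).forEach((rawLine, idx) => {
      const line = rawLine.replace(/\/\/.*$/, "");
      const m = PRAGMA_RE.exec(line);
      if (m && !isLockedPragma(m[1])) {
        findings.push({ file, line: idx + 1, spec: m[1].trim() });
      }
    });
  }
  return findings;
}

// Constructed sample sources (file contents are not the project's real code).
const SAMPLE_SOURCES: Record<string, string> = {
  "Oracles/CNftPriceOracle.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.0;\ncontract CNftPriceOracle {}\n",
  "Oracles/UniswapV2PriceOracle.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.0;\ncontract UniswapV2PriceOracle {}\n",
  "CNft.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.0;\ncontract CNft {}\n",
  "Ranged.sol": "// SPDX-License-Identifier: MIT\npragma solidity >=0.8.0 <0.9.0;\ncontract Ranged {}\n",
  "Locked.sol": "// SPDX-License-Identifier: MIT\npragma solidity 0.8.0;\ncontract Locked {}\n",
};

for (const f of findFloatingPragmas(SAMPLE_SOURCES)) {
  console.log(`${f.file}, line ${f.line}: floating pragma "${f.spec}" (lock it, e.g. pragma solidity 0.8.0;)`);
}
```

Running it on the constructed sources reports the three files named in the finding plus Ranged.sol, and stays silent for Locked.sol.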