search

code-423n4 / 2022-05-cally-findings

2 stars 0 forks source link

QA Report #303

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

1. Missing zero address checks

Risk

Low

Impact

Contract Cally does not check for zero addresses which might lead to loss of funds, failed transactions and can break the protocol functionality.

Proof of Concept

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add zero address checks for listed parameters.

2. Missing events

Risk

Low

Impact

Contract Cally does not implement events for some critical functions. Lack of events makes it difficult for off-chain applications to monitor the protocol.

Proof of Concept

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add missing events to listed functions.

3. Missing validation for feeRate

Risk

Low

Impact

Function Cally.setFee is missing check for feeRate_ parameter that should not exceed acceptable by protocol percentage.

Proof of Concept

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add check for feeRate_ parameter.

4. Owner - critical address change

Risk

Low

Impact

Changing critical addresses such as ownership should be a two-step process where the first transaction (from the old/current address) registers the new address (i.e. grants ownership) and the second transaction (from the new address) replaces the old address with the new one. This gives an opportunity to recover from incorrect addresses mistakenly used in the first step. If not, contract functionality might become inaccessible.

Proof of Concept

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to implement two-step process for passing ownership.

5. Usage of boolean values

Risk

Non-Critical

Impact

Contract uses false boolean expression for require statements in multiple functions.

Proof of Concept

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to remove false expression and use alternative syntax such as:

require(!vault.isExercised, "Vault already exercised");

6. Incorrect error message

Risk

Non-Critical

Impact

Function Cally.createVault checks if dutchAuctionReserveStrike is smaller than specified strike option. Incorrect error message "Reserve strike too small" is returned in case of the error. It should be "Reserve strike too big".

require(dutchAuctionReserveStrike < strikeOptions[dutchAuctionStartingStrikeIndex], "Reserve strike too small");

Proof of Concept

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to change the error message to "Reserve strike too big".

outdoteth commented 2 years ago

this can be bumped to medium severity

  1. Missing validation for feeRate: https://github.com/code-423n4/2022-05-cally-findings/issues/48
HardlyDifficult commented 2 years ago

Per the C4 guidance "part of auditing is demonstrating proper theory of how an issue could be exploited" and that does not seem to be explored here as it was in the primary report.