V-Staykov
commented
2 years ago I am disputing not the whole thing, which has many good finds, but just the following:
Missing non reentrancy modifier - this is not needed, since the functions are not prone to reentrancy attacks. Adding reentrancy modifier would make them only more expensive gas-wise.
In the following public update functions no value is returned - this function does not have a return at all, so it shouldn't be expected. The issue that was linked does talk about a function that was set to return uint256, but was returning only it's default value, which is indeed a problem. This is not a concern in our case.
Never used parameters - this contract is out of scope.
Must approve 0 first - this contract is out of scope
Does not validate the input fee parameter
Some fee parameters of functions are not checked for invalid values. Validate the parameters:
Code instance:
safeApprove of openZeppelin is deprecated
You use safeApprove of openZeppelin although it's deprecated. (see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38) You should change it to increase/decrease Allowance as OpenZeppilin says.
Code instance:
Not verified input
external / public functions parameters should be validated to make sure the address is not 0. Otherwise if not given the right input it can mistakenly lead to loss of user funds.
Code instances:
Solidity compiler versions mismatch
The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.
Code instance:
Use safe math for solidity version <8
You should use safe math for solidity version <8 since there is no default over/under flow check it suchversions of solidity.
Code instances:
Missing non reentrancy modifier
The following functions are missing reentrancy modifier although some other pulbic/external functions does use reentrancy modifer. Even though I did not find a way to exploit it, it seems like those functions should have the nonReentrant modifier as the other functions have it as well..
Code instances:
In the following public update functions no value is returned
In the following functions no value is returned, due to which by default value of return will be 0. We assumed that after the update you return the latest new value. (similar issue here: https://github.com/code-423n4/2021-10-badgerdao-findings/issues/85).
Code instance:
Never used parameters
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Code instances:
Check transfer receiver is not 0 to avoid burned money
Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.
Code instances:
In the following public update functions no value is returned
In the following functions no value is returned, due to which by default value of return will be 0. We assumed that after the update you return the latest new value. (similar issue here: https://github.com/code-423n4/2021-10-badgerdao-findings/issues/85).
Code instance:
Never used parameters
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Code instances:
Must approve 0 first
Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.
Code instance:
approve without approving 0 first TestUniswapLiquidity.sol, 29, IUniswapV2Pair(pair).approve(router, 2**256 - 1);
Two arrays length mismatch
The functions below fail to perform input validation on arrays to verify the lengths match. A mismatch could lead to an exception or undefined behavior. Consider making this a medium risk please.
Code instances
Tokens with fee on transfer are not supported
There are ERC20 tokens that charge fee for every transfer() / transferFrom().
Vault.sol#addValue() assumes that the received amount is the same as the transfer amount, and uses it to calculate attributions, balance amounts, etc. But, the actual transferred amount can be lower for those tokens. Therefore it's recommended to use the balance change before and after the transfer instead of the amount. This way you also support the tokens with transfer fee - that are popular.
Code instance:
approve return value is ignored
Some tokens don't correctly implement the EIP20 standard and their approve function returns void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert. Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the mentioned contracts as they revert the transaction because of the missing return value. We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handle the return value check as well as non-standard-compliant tokens. The list of occurrences in format (solidity file, line number, actual line)
Code instance:
TestUniswapLiquidity.sol, 29, IUniswapV2Pair(pair).approve(router, 2**256 - 1);
transfer return value of a general ERC20 is ignored
Need to use safeTransfer instead of transfer. As there are popular tokens, such as USDT that transfer/trasnferFrom method doesn’t return anything. The transfer return value has to be checked (as there are some other tokens that returns false instead revert), that means you must
Code instances: