QA Report

[code423n4]

ISSUE LIST

C4-001 : Missing events for only functions that change critical parameters - Non Critical

C4-002 : Critical changes should use two-step procedure - Non Critical

C4-003 : Pragma Version - Non Critical

C4-004 : Missing zero-address check in the setter functions and initiliazers - Low

C4-005 : Typo On The Variable - Non Critical

C4-006 : Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom - Non critical

C4-007 : Deposit Token And Reward Token Should Not Be Same - LOW

ISSUES

C4-001 : Missing events for only functions that change critical parameters

Impact - Non critical

The afunctions that change critical parameters should emit events. Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes with timelocks that allow users to evaluate them and consider if they would like to engage/exit based on how they perceive the changes as affecting the trustworthiness of the protocol or profitability of the implemented financial services. The alternative of directly querying on-chain contract state for such changes is not considered practical for most users/usages.

Missing events and timelocks do not promote transparency and if such changes immediately affect users’ perception of fairness or trustworthiness, they could exit the protocol causing a reduction in liquidity which could negatively impact protocol TVL and reputation.

Proof of Concept

1. Navigate to the following contract.

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L314

See similar High-severity H03 finding OpenZeppelin’s Audit of Audius (https://blog.openzeppelin.com/audius-contracts-audit/#high) and Medium-severity M01 finding OpenZeppelin’s Audit of UMA Phase 4 (https://blog.openzeppelin.com/uma-audit-phase-4/)

Tools Used

None

Recommended Mitigation Steps

Add events to all functions that change critical parameters.

C4-002 : Critical changes should use two-step procedure

Impact - NON CRITICAL

The critical procedures should be two step process.

Proof of Concept

1. Navigate to the following contract.

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/VoterID.sol#L151

Tools Used

Code Review

Recommended Mitigation Steps

Lack of two-step procedure for critical operations leaves them error-prone. Consider adding two step procedure on the critical functions.

C4-003 : # Pragma Version

Impact

In the contracts, there are multiple version of pragmas are used. Some of them is used with 0.8.12 and some of them are 0.8.9. The contracts should be deployed with the consistent pragma.

Proof of Concept

https://swcregistry.io/docs/SWC-103

All Contracts

Tools Used

Manual code review

Recommended Mitigation Steps

Lock the pragma version: delete pragma solidity 0.8.10 in favor of pragma solidity 0.8.10.

C4-004 : # Missing zero-address check in the setter functions and initiliazers

Impact

Missing checks for zero-addresses may lead to infunctional protocol, if the variable addresses are updated incorrectly.

Proof of Concept

1. Navigate to the following contracts.

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L75

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/VoterID.sol#L108

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/MerkleIdentity.sol#L52

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/MerkleIdentity.sol#L60

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/MerkleIdentity.sol#L67

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/MerkleIdentity.sol#L75

Tools Used

Code Review

Recommended Mitigation Steps

Consider adding zero-address checks in the discussed constructors: require(newAddr != address(0));.

C4-005 : # Typo On The Variables

Impact

During the code review, It has been observed that parameters are mistakenly named as "ooner","sywol" instead of "owner" and "symbol".

Proof of Concept

1. Navigate to the following contracts.

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/VoterID.sol#L109

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/VoterID.sol#L183

        _owner_ = ooner; //owner
        // we set it here with no resetting allowed so we cannot commit to NFTs and then reset
        _minter = minter;
        _name = nomen; //name
        _symbol = symbowl; //symbol

Tools Used

Code Review

Recommended Mitigation Steps

Consider to fix typos.

C4-006 : Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom

Impact - NON-CRITICAL

Impact

It is good to add a require() statement that checks the return value of token transfers or to use something like OpenZeppelin’s safeTransfer/safeTransferFrom unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract.

Reference: This similar medium-severity finding from Consensys Diligence Audit of Fei Protocol: https://consensys.net/diligence/audits/2021/01/fei-protocol/#unchecked-return-value-for-iweth-transfer-call

Proof of Concept

1. Navigate to the following contract.

2. transfer/transferFrom functions are used instead of safe transfer/transferFrom on the following contracts.

 contracts/MerkleDropFactory.sol::77 => require(IERC20(merkleTree.tokenAddress).transferFrom(msg.sender, address(this), value), "ERC20 transfer failed");
  contracts/MerkleDropFactory.sol::107 => require(IERC20(tree.tokenAddress).transfer(destination, value), "ERC20 transfer failed");
  contracts/MerkleResistor.sol::121 => require(IERC20(merkleTree.tokenAddress).transferFrom(msg.sender, address(this), value), "ERC20 transfer failed");
  contracts/MerkleResistor.sol::204 => require(IERC20(tree.tokenAddress).transfer(destination, currentWithdrawal), 'Token transfer failed');
  contracts/MerkleVesting.sol::89 => require(IERC20(merkleTree.tokenAddress).transferFrom(msg.sender, address(this), value), "ERC20 transfer failed");
  contracts/MerkleVesting.sol::173 => IERC20(tree.tokenAddress).transfer(destination, currentWithdrawal);
  contracts/PermissionlessBasicPoolFactory.sol::144 => success = success && IERC20(pool.rewardTokens[i]).transferFrom(msg.sender, address(this), amount);
  contracts/PermissionlessBasicPoolFactory.sol::198 => bool success = IERC20(pool.depositToken).transferFrom(msg.sender, address(this), amount);
  contracts/PermissionlessBasicPoolFactory.sol::230 => success = success && IERC20(pool.rewardTokens[i]).transfer(receipt.owner, transferAmount);
  contracts/PermissionlessBasicPoolFactory.sol::233 => success = success && IERC20(pool.depositToken).transfer(receipt.owner, receipt.amountDepositedWei);
  contracts/PermissionlessBasicPoolFactory.sol::252 => success = success && IERC20(pool.rewardTokens[i]).transfer(pool.excessBeneficiary, rewards);
  contracts/PermissionlessBasicPoolFactory.sol::269 => success = success && IERC20(pool.rewardTokens[i]).transfer(globalBeneficiary, tax);

Tools Used

Code Review

Recommended Mitigation Steps

Consider using safeTransfer/safeTransferFrom or require() consistently.

C4-007 : Deposit Token And Reward Token Should Not Be Same

Impact - LOW

Impact

During the code review, It has been noticed that to the contract is missing some sanity checks in the addPool function. When adding pool, deposit and reward token can be same and that can create unfair situation on the contracts.

Proof of Concept

1. Navigate to the following contract.

2. The contract allows to be same on the deposit and reward tokens.

   https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L108

Tools Used

Code Review

Recommended Mitigation Steps

Do not allow reward tokens are same as deposit Token.

[illuzen]

all duplicates except last, which is invalid, we explicitly support simple staking (depositToken == rewardToken)

[gititGoro]

Very nicely documented. Bonus points awarded.