search

code-423n4 / 2022-05-rubicon-findings

5 stars 2 forks source link

QA Report #391

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

[L-01] Front-runnable initializer

The initialize() function lacks access control, allowing any malicious user to initialize the contract. This will require a redeploy of the contract if successful.

https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathToken.sol#L181-L185

[L-02] Improper ownership transfer pattern

The BathToken.setBathHouse() function is used to change the bath house contract that is allowed to call the bath token contract's bath house-specific functions. The function lacks a proper ownership transfer pattern. It is recommended to make this a two-step process to ensure that the new bath house is truly the desired address. The first function called will set the pending contract and a second function must be called by the pending contract to accept the transfer.

https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathToken.sol#L250-L252

[N-01] Unnecessary First Parentheses

Given the use of SafeMath, the first parentheses are unnecessary in this arithmetic.

https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathToken.sol#L597

[N-02] Duplicate import statements

The same contract is imported twice.

https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathHouse.sol#L12-L13