code-423n4 / 2022-05-sturdy-findings


QA Report #149

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Low Risk

1. The initialize function that initializes important contract state can be called by anyone. See:

Impact

The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract.

Recommended Mitigation Steps

Use the constructor to initialize non-proxied contracts. For initializing proxy contracts, deploy contracts using a factory contract that immediately calls initialize after deployment, or make sure to call it immediately after deployment and verify the transaction succeeded.


2. Missing critical events and emits

YieldManager.setCurvePool(), YieldManager.registerAsset(), YieldManager.setExchangeToken(), LidoVault._withdrawFromYieldPool() and other withdraw functions

Tools Used

Manual review

Recommended Mitigation Steps

Add an emit of the appropriate event for these functions.
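As an added illustration (not Sturdy's code nor the warden's), the two mitigations above in one hypothetical contract: an initialize that can only run once and is invoked by a factory in the same transaction as deployment, and a setter that emits an event. The contract names, the `admin`/`curvePool` state and the `Initialized`/`CurvePoolUpdated`/`Deployed` events are assumptions; only `setCurvePool` comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical yield-manager-style contract, not Sturdy's code. Its state is
// set in initialize() rather than a constructor (as with proxied contracts),
// so a separate initialize transaction could be front-run.
contract YieldManagerLike {
    address public admin;
    address public curvePool;
    bool private initialized;

    // Finding 2: configuration changes emit events so monitors can see them.
    event Initialized(address indexed admin);
    event CurvePoolUpdated(address indexed oldPool, address indexed newPool);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // Anyone may call this, but only once; the factory below calls it in the
    // same transaction as deployment, so there is no window to front-run.
    function initialize(address _admin) external {
        require(!initialized, "already initialized");
        require(_admin != address(0), "zero admin");
        initialized = true;
        admin = _admin;
        emit Initialized(_admin);
    }

    function setCurvePool(address _pool) external onlyAdmin {
        require(_pool != address(0), "zero pool");
        emit CurvePoolUpdated(curvePool, _pool);
        curvePool = _pool;
    }
}

// Factory from the recommended mitigation: deploy and initialize atomically.
contract YieldManagerFactory {
    event Deployed(address indexed manager, address indexed admin);

    function deploy(address _admin) external returns (YieldManagerLike manager) {
        manager = new YieldManagerLike();
        // Same transaction as `new`, so no other sender can initialize first.
        manager.initialize(_admin);
        emit Deployed(address(manager), _admin);
    }
}
```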

HickupHH3 commented 2 years ago

Low: missing approve(0)
NC: init frontrunning, event emission, zero address check