Open code423n4 opened 2 years ago
Valid Refactor
Valid Refactor
NC
I must disagree in lack of further details over this refactoring, removing protectedTokens
is a rug vector
For this event, valid NC
Valid R (reverts on failure)
Valid R
Valid NC for this codebase
Valid Low (may bump based on other findings)
Valid Low
Valid Low (may bump based on other findings)
Good report, short and sweet, would benefit by having better formatted headlines (the dotted list looks odd as you can see above)
3L 4R 3NC
TODO - Raise:
The protocol does not support fee on transfer and other weird tokens, e.g.: - > M-25
New Score: 2L 4R 3NC
No need to use SafeMath with Solidity version >0.8:
Now it basically performs safe math operations twice, thus wasting gas.
contract VoterProxy does not explicitly implement IStaker interface. It causes some confusion, e.g. the declaration of interface and implementation contracts differ:
The interface does not declare the return value, while the implementation returns a boolean indicating success. Better always explicitly implement an interface to force compile-time enforcements.
setOwner could be a 2-step (propose-accept) process to avoid accidental errors.
In VoterProxy when an operator deposits a new token, it is added to the list of protectedTokens. This token is never set back to false again. Consider setting protectedTokens to false in operator withdrawal functions (withdraw, withdrawAll) when the balance after becomes 0. Then tokens might be reclaimed if the operator has withdrawn all of them, and later someone accidentally sends them directly to the contract or something like that.
You can make event parameters 'indexed' to allow for filtering, e.g. hash in VoteSet:
function voteGaugeWeight could validate that the lengths of
_tokenVote
and_weight
are equal.You can use built-in time keywords, e.g. here:
safeApprove is deprecated, see: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/utils/SafeERC20.sol#L39-L44
The protocol does not support fee on transfer and other weird tokens, e.g.:
or
Make sure that your users are informed about that, or consider validating the balance before/after to know the real amount transferred.
totalWeight might be 0, because updateveAssetWeight does not enforce minimum total weight, thus it is possible that rewardClaimed function will revert in runtime here making the users not being able to get their rewards:
Functions are not protected from re-entrancy. Some of them do not follow the Check-Effects-Interactions pattern, thus can be exploited if the call target contains the transfer hook. For example, here it first transfers the token and only then updates the supply:
There are many more functions that do the external interactions and are not protected. Consider adding ReentrancyGuard to all the main user interacting functions.