search

code-423n4 / 2022-06-badger-findings

0 stars 0 forks source link

QA Report #70

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Mult instead div in compares

To improve algorithm precision instead using division in comparison use multiplication in the following scenario:

    Instead a < b / c use a * c < b.

In all of the big and trusted contracts this rule is maintained.

Code instance:

    MyStrategy.sol, 205, require(max >= _amount.mul(9_980).div(MAX_BPS), "Withdrawal Safety Check");

safeApprove of openZeppelin is deprecated

You use safeApprove of openZeppelin although it's deprecated. (see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38) You should change it to increase/decrease Allowance as OpenZeppilin says.

Code instances:

    Deprecated safeApprove in MyStrategy.sol line 67: WETH.safeApprove(address(BALANCER_VAULT), type(uint256).max);
    Deprecated safeApprove in MyStrategy.sol line 66: AURABAL.safeApprove(address(BALANCER_VAULT), type(uint256).max);
    Deprecated safeApprove in MyStrategy.sol line 64: AURA.safeApprove(address(LOCKER), type(uint256).max);

Not verified input

external / public functions parameters should be validated to make sure the address is not 0. Otherwise if not given the right input it can mistakenly lead to loss of user funds.

Code instances:

    MyStrategy.sol.initialize _vault
    MyStrategy.sol.manualSetDelegate delegate

Hardcoded WETH

WETH address is hardcoded but it may differ on other chains, e.g. Polygon, so make sure to check this before deploying and update if necessary You should consider injecting WETH address via the constructor. (previous issue: https://github.com/code-423n4/2021-10-ambire-findings/issues/54)

Code instance:

    Hardcoded weth address in MyStrategy.sol

Init frontrun

Most contracts use an init pattern (instead of a constructor) to initialize contract parameters. Unless these are enforced to be atomic with contact deployment via deployment script or factory contracts, they are susceptible to front-running race conditions where an attacker/griefer can front-run (cannot access control because admin roles are not initialized) to initially with their own (malicious) parameters upon detecting (if an event is emitted) which the contract deployer has to redeploy wasting gas and risking other transactions from interacting with the attacker-initialized contract.

Many init functions do not have an explicit event emission which makes monitoring such scenarios harder. All of them have re-init checks; while many are explicit some (those in auction contracts) have implicit reinit checks in initAccessControls() which is better if converted to an explicit check in the main init function itself. (details credit to: https://github.com/code-423n4/2021-09-sushimiso-findings/issues/64) The vulnerable initialization functions in the codebase are:

Code instance:

    MyStrategy.sol, initialize, 56

Missing non reentrancy modifier

The following functions are missing reentrancy modifier although some other pulbic/external functions does use reentrancy modifer. Even though I did not find a way to exploit it, it seems like those functions should have the nonReentrant modifier as the other functions have it as well..

Code instances:

    MyStrategy.sol, reinvest is missing a reentrancy modifier
    MyStrategy.sol, initialize is missing a reentrancy modifier

Assert instead require to validate user inputs

    From solidity docs: Properly functioning code should never reach a failing assert statement; if this happens there is a bug in your contract which you should fix.
    With assert the user pays the gas and with require it doesn't. The ETH network gas isn't cheap and users can see it as a scam.

Code instance:

    MyStrategy.sol : reachable assert in line 56

Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    MyStrategy.sol: function performUpkeep parameter performData isn't used. (performUpkeep is external)
    MyStrategy.sol: function checkUpkeep parameter checkData isn't used. (checkUpkeep is external)

Open TODOs

Open TODOs can hint at programming or architectural errors that still need to be fixed. These files has open TODOs:

Code instances:

Open TODO in MyStrategy.sol line 283 : // TODO: Hardcode claim.account = address(this)?

Open TODO in MyStrategy.sol line 421 : // TODO: Too many SLOADs

Check transfer receiver is not 0 to avoid burned money

Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.

Code instances:

    https://github.com/code-423n4/2022-06-badger/tree/main/MyStrategy.sol#L326
    https://github.com/code-423n4/2022-06-badger/tree/main/MyStrategy.sol#L429
    https://github.com/code-423n4/2022-06-badger/tree/main/MyStrategy.sol#L112
    https://github.com/code-423n4/2022-06-badger/tree/main/MyStrategy.sol#L423

Assert instead require to validate user inputs

    From solidity docs: Properly functioning code should never reach a failing assert statement; if this happens there is a bug in your contract which you should fix.
    With assert the user pays the gas and with require it doesn't. The ETH network gas isn't cheap and users can see it as a scam.

Code instance:

    MyStrategy.sol : reachable assert in line 56

Never used parameters

Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.

Code instances:

    MyStrategy.sol: function performUpkeep parameter performData isn't used. (performUpkeep is external)
    MyStrategy.sol: function checkUpkeep parameter checkData isn't used. (checkUpkeep is external)

Add a timelock

To give more trust to users: functions that set key/critical variables should be put behind a timelock.

Code instances:

    https://github.com/code-423n4/2022-06-badger/tree/main/MyStrategy.sol#L92
    https://github.com/code-423n4/2022-06-badger/tree/main/MyStrategy.sol#L98
    https://github.com/code-423n4/2022-06-badger/tree/main/MyStrategy.sol#L86

-------- med ---------

Must approve 0 first

Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.

Code instances:

approve without approving 0 first MyStrategy.sol, 64, AURA.safeApprove(address(LOCKER), type(uint256).max);

approve without approving 0 first MyStrategy.sol, 66, AURABAL.safeApprove(address(BALANCER_VAULT), type(uint256).max);

approve without approving 0 first MyStrategy.sol, 67, WETH.safeApprove(address(BALANCER_VAULT), type(uint256).max);

GalloDaSballo commented 2 years ago

Mult instead div in compares

Would like to see the actual code example

safeApprove of openZeppelin is deprecated

We use it only once to set max approval, which is the proper usage afaik

Not verified input

Quantstamp would agree

Hardcoded WETH

This is a mainnet only strategy as AURA is only on mainnet

Init frontrun

Disagree per our scripts, we deploy + initialize in the constructor of the proxy

 Missing non reentrancy modifier

Disagree as target contracts are known

Assert instead require to validate user inputs

I believe this is the one time assert is a good idea as the deployment has to fail

Never used parameters

This is to conform to chainlinks interface

Open TODOs

Agree

Check transfer receiver is not 0 to avoid burned money

Not sure what he means

Add a timelock

Cannot prove this on the contract, maybe the governance is a timelock and there's no way of ever telling

 Must approve 0 first

Disagree as we approve once at initialization time