Open code423n4 opened 2 years ago
Valid L
L
Disputed as the instances provided are 0 to non-zero meaning they are fine
NC
Disputed as it's a developer function
L
NC
Disagree in lack of evidence of overflow and underflows, lack of safeMath can be a gas optimization (and Sushi is extremely long standing)
I'm unable to verify the statement, the OZ code I checked has the 0 check
R
L
Disputed. The Badger code had an explicit return value which would always return 0 (missing a return), these are functions without a return value
They are in the curly brackets
NC
Disagree with the rest.
4L 1R 3NC
Duplicates in array
Code instances:
Both MasterChefV2.add pushed the parameter _lpToken without checking if it is already exists in the array lpToken. And similarly, pushed _rewarder to rewarder without checking if exists.
Loss Of Precision
This issue is about arithmetic computation that could have been done more percise. The following are places in the codebase in which you multiplied after the divisions. Doing the multiplications at start lead to more accurate calculations. This is a list of places in the code that this appears (Solidity file, line number, actual line):
Code instances:
safeApprove of openZeppelin is deprecated
You use safeApprove of openZeppelin although it's deprecated. (see https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38) You should change it to increase/decrease Allowance as OpenZeppilin says.
Code instances:
Require with empty message
The following requires are with empty messages. This is very important to add a message for any require. So the user has enough information to know the reason of failure.
Code instances:
Require with not comprehensive message
The following requires has a non comprehensive messages. This is very important to add a comprehensive message for any require. Such that the user has enough information to know the reason of failure:
Code instances:
Not verified input
external / public functions parameters should be validated to make sure the address is not 0. Otherwise if not given the right input it can mistakenly lead to loss of user funds.
Code instances:
Solidity compiler versions mismatch
The project is compiled with different versions of solidity, which is not recommended because it can lead to undefined behaviors.
Code instance:
Use safe math for solidity version <8
You should use safe math for solidity version <8 since there is no default over/under flow check it suchversions of solidity.
Code instances:
Not verified owner
Code instance:
Named return issue
Users can mistakenly think that the return value is the named return, but it is actually the actualreturn statement that comes after. To know that the user needs to read the code and is confusing. Furthermore, removing either the actual return or the named return will save gas.
Code instances:
Assert instead require to validate user inputs
Code instances:
In the following public update functions no value is returned
In the following functions no value is returned, due to which by default value of return will be 0. We assumed that after the update you return the latest new value. (similar issue here: https://github.com/code-423n4/2021-10-badgerdao-findings/issues/85).
Code instances:
Never used parameters
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Code instances:
Open TODOs
Open TODOs can hint at programming or architectural errors that still need to be fixed. These files has open TODOs:
Code instances:
Open TODO in SushiMaker.sol line 243 : // TODO: Add maximum slippage? Open TODO in SushiMaker.sol line 250 : // TODO: Add maximum slippage? Open TODO in SushiMaker.sol line 110 : // TODO: This can be optimized a fair bit, but this is safer and simpler for now
Check transfer receiver is not 0 to avoid burned money
Transferring tokens to the zero address is usually prohibited to accidentally avoid "burning" tokens by sending them to an unrecoverable zero address.
Code instances:
Assert instead require to validate user inputs
Code instances:
In the following public update functions no value is returned
In the following functions no value is returned, due to which by default value of return will be 0. We assumed that after the update you return the latest new value. (similar issue here: https://github.com/code-423n4/2021-10-badgerdao-findings/issues/85).
Code instances:
Never used parameters
Those are functions and parameters pairs that the function doesn't use the parameter. In case those functions are external/public this is even worst since the user is required to put value that never used and can misslead him and waste its time.
Code instances:
Add a timelock
To give more trust to users: functions that set key/critical variables should be put behind a timelock.
Code instances: