Open code423n4 opened 2 years ago
Valid NC
Valid Low. Agree that no caller should be allowed to re-enter
Neat unique report, 1L 1NC
QA
[QA-1] Wrong argument for error SenderNotCNote()
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Accountant/AccountantDelegate.sol#L51
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Accountant/AccountantDelegate.sol#L65
The sender address was expected to be inputted as the argument, but in the current implementation the note address is inputted as the argument.
RECOMMENDED MITIGATION STEP
Change address(note) to msg.sender
[QA-2] _accountant address is allowed to do reentrancy
https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/CNote.sol#L156-L157
Removing the check that msg.sender != _accountant can save gas (by reducing action in code); besides, it can also prevent any security issue by including _accountant in the validation step.
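Added example, not part of the original report and not the project's code: a Solidity sketch of both findings, with the reported form beside the recommended one. Only SenderNotCNote, note, _accountant and msg.sender come from the report; the error's one-address signature, the shape of the guard and every other name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added sketch. Only SenderNotCNote, note, _accountant and msg.sender come
// from the report; every other name and the guard's shape are assumptions.
contract QaSketch {
    error SenderNotCNote(address sender); // assumed: one address argument
    error Reentered();                    // hypothetical

    address public immutable cNote;       // assumed: the only permitted caller
    address public immutable note;
    address private immutable _accountant;
    bool private _notEntered = true;

    constructor(address cNote_, address note_, address accountant_) {
        cNote = cNote_;
        note = note_;
        _accountant = accountant_;
    }

    // [QA-1] as reported: the revert data is the constant note address.
    function checkReported() external view {
        if (msg.sender != cNote) revert SenderNotCNote(address(note));
    }

    // [QA-1] as recommended: the revert data names the rejected caller.
    function checkFixed() external view {
        if (msg.sender != cNote) revert SenderNotCNote(msg.sender);
    }

    // [QA-2] as reported: the guard is skipped for _accountant.
    modifier guardWithExemption() {
        bool exempt = msg.sender == _accountant;
        if (!exempt) {
            if (!_notEntered) revert Reentered();
            _notEntered = false;
        }
        _;
        if (!exempt) _notEntered = true;
    }

    // [QA-2] as recommended: every caller passes the same check.
    modifier guard() {
        if (!_notEntered) revert Reentered();
        _notEntered = false;
        _;
        _notEntered = true;
    }
}
```

With the recommended forms, the revert data identifies the rejected caller, and the guard has one code path for all callers, which is also the cheaper branch structure.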