code-423n4 / 2022-06-canto-v2-findings


QA Report #122

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

QA

[QA-1] Wrong argument for error SenderNotCNote()

https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Accountant/AccountantDelegate.sol#L51 https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/Accountant/AccountantDelegate.sol#L65

The sender address was expected to be input as the argument. But in the current implementation, the note address is input as the argument.

RECOMMENDED MITIGATION STEP: Change address(note) to msg.sender.

[QA-2] _accountant address is allowed to do reentrancy

https://github.com/Plex-Engineer/lending-market-v2/blob/ea5840de72eab58bec837bb51986ac73712fcfde/contracts/CNote.sol#L156-L157

Removing the check that msg.sender != _accountant can save gas (by reducing action in code); besides, it can also prevent any security issue by including _accountant in the validation step.
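A constructed Solidity sketch of both findings, added here as an illustration rather than taken from lending-market-v2: only the names note, _accountant and SenderNotCNote come from the report, while the contract shapes, modifiers, function names and the exact form of the exempting check are assumptions. It places the reported form beside the mitigated one in each case.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of QA-1 and QA-2, not the audited contracts.
// Only `note`, `_accountant` and `SenderNotCNote` come from the report;
// the contract shapes, modifiers, state and function names are assumptions.

// QA-1: an AccountantDelegate-style check should revert with the offending
// caller, not with the address it expected, or the error tells the reader nothing.
contract AccountantSketch {
    error SenderNotCNote(address sender);
    address public note;        // the CNote contract permitted to call in
    uint256 public supplied;    // assumed bookkeeping

    constructor(address note_) { note = note_; }

    modifier onlyNote() {
        if (msg.sender != note) {
            // Reported form:  revert SenderNotCNote(address(note));
            revert SenderNotCNote(msg.sender); // mitigated: report the actual caller
        }
        _;
    }

    function supplyMarket(uint256 amount) external onlyNote { supplied += amount; }
}

// QA-2: a CNote-style guard that exempts _accountant leaves exactly one caller
// able to re-enter; the mitigated guard applies to every caller.
contract CNoteSketch {
    address public _accountant;
    bool private _entered;      // assumed minimal reentrancy flag
    uint256 public minted;      // assumed bookkeeping

    constructor(address accountant_) { _accountant = accountant_; }

    modifier nonReentrant() {
        // Assumed shape of the reported check:
        //   require(!_entered || msg.sender == _accountant);
        require(!_entered, "re-entered"); // mitigated: no caller is exempt
        _entered = true;
        _;
        _entered = false;
    }

    function mint(uint256 amount) external nonReentrant { minted += amount; }
}
```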

GalloDaSballo commented 2 years ago

[QA-1] Wrong argument for error SenderNotCNote()

Valid NC

[QA-2] _accountant address is allowed to do reentrancy

Valid Low. Agree that no caller should be allowed to re-enter

Neat unique report, 1L 1NC